April 12, 2017 by

Researchers Reveal Passcode Exploit through Phone Motion Sensors

Last year, a team of cyber researchers demonstrated the simplicity of spying on a phone’s motion sensors to steal the user’s PINs and passwords.

A team of cyber researchers from Newcastle University in the United Kingdom have demonstrated that a phone’s PINs and passwords can be exploited by simply analyzing the way the phone tilts as the passcode is typed. The distinct patterns used in the phone were enough for the researchers to crack four-digit PINs on the first guess at 70% of the time and a sweeping 100% of the PINs used by the fifth guess.

“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.” explains Dr. Maryam Mehrenzhad, lead author of the published paper and a Research Fellow at the University’s School of Computing Science.

Notably, he added:

But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

During the course of their research, the academic team identified 25 different sensors, which are standard on most devices, give information about the device and its user – essentially enabling access to details without the user’s permission. Only a select number of these sensors, such as the camera and GPS, actively seek the user’s permission to access the device.

A number of other giveaway actions, such as clicking, holding, tapping, and scrolling, induce a motion trace with a unique orientation. If a malicious webpage or app had access to these sensors, the user’s activity can be spied upon.

Google and Apple and other major browser providers have all been notified of the exploit, but nobody has come up with a concrete answer.

As such, Mozilla and Apple have partially fixed the problem for Firefox and Safari respectively. The research team is working with the industry for a final solution.

Image credit: Pexels.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Apple Partners Allianz to Offer CyberCrime Insurance Perks

A new partnership between Apple, Cisco and insurance firm Allianz SE will see businesses using...

Read more arrow_forward

Chrome, Firefox Extensions Block their Own Removal to Hijack Browsers

Security researchers have discovered malicious Chrome and Firefox extensiosn that block their own...

Read more arrow_forward

Happy New Year: Researcher Drops MacOS Zero-Day Root Access Kernel Exploit

To ring in the new year, a security researcher on New Year’s Day disclosed an unpatched security...

Read more arrow_forward