Slashdot Mirror


Scientists Prove Your Phone's PIN Can Be Stolen Using Its Gyroscope Data (digitaltrends.com)

A team of scientists at Newcastle University in the UK managed to reveal a user's phone PIN code using its gyroscope data. "In one test, the team cracked a passcode with 70 percent accuracy," reports Digital Trends. "By the fifth attempt, the accuracy had gone up to 100 percent." From the report: It takes a lot of data, to be sure. The Guardian notes users had to type 50 known PINs five times before the researchers' algorithm learned how they held a phone when typing each particular number. But it highlights the danger of malicious apps that gain access to a device's sensors without requesting permission. The risk extends beyond PIN codes. In total, the team identified 25 different smartphone sensors which could expose compromising user information. Worse still, only a small number -- such as the camera and GPS -- ask the user's permission before granting access to that data. It's precise enough to track behavior. Using "orientation" and "emotion trace" data, the researchers were able to determine what part of a web page a user was clicking on and what they were typing. The paper has been published in the International Journal of Information Security.

61 comments

  1. It was a inside job! by LesFerg · · Score: 2

    So they are saying that if a malicious compromising app is already installed and running on your phone, then your phone could be compromised?
    Were they on salary while determining this?

    --
    If I had a DeLorean... I would probably only drive it from time to time.
    1. Re:It was a inside job! by msauve · · Score: 0

      Yep. If your (name of computing device here) is compromised, your (name of computing device here) is compromised.

      Maybe they'll get a Nobel prize, just like Obama.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:It was a inside job! by Askmum · · Score: 1

      When a malicious app can have access to the gyroscope, why can't it read out the pressure of the screen? I don't even think there is a separate access restriction for that because every app is controlled by the screen.

    3. Re:It was a inside job! by AC-x · · Score: 1

      I'm pretty sure mobile OS' don't allow user level apps to read touch positions from things like the lockscreen.

    4. Re:It was a inside job! by religionofpeas · · Score: 1

      With a similar argument: what is an app actually going to accomplish once it has the unlock code ?

    5. Re:It was a inside job! by Joce640k · · Score: 1

      Create a dark database so that stolen phones are suddenly valuable again?

      It's almost as if you have no imagination.

      --
      No sig today...
    6. Re:It was a inside job! by religionofpeas · · Score: 1

      30% of phone owners don't use a password anyway, and most people who find/steal a phone don't have access to this dark database, plus you need to convince people to install the malicious app. All in all, a very small risk.

    7. Re:It was a inside job! by AC-x · · Score: 1

      I imagine it would be useful to state actors; Build up a database of pin codes then if you snatch a phone in a raid / at the border if it's part of your drag net you can unlock it without all the fuss like the San Bernardino iPhone caused.

    8. Re:It was a inside job! by Cyryathorn · · Score: 1

      I imagine the "malicious app" might be a pinball game that you gave gyro permissions to, and/or a puzzle-sliding mini game that lays out on the screen in a manner suspiciously similar to the lock screen. After that it would need to be able to look up historical gyro data.

      The article doesn't provide enough detail, so I'm just speculating. But I would imagine it might just take a little bit of cleverness to trojan this into a real world scenario.

    9. Re:It was a inside job! by Anonymous Coward · · Score: 0

      Maybe they'll get a Nobel prize, just like Obama.

      This article has nothing to do with Obama nor his Nobel prize. Nothing. Please tell me why every post must be politicized. Please, tell us how great Trump is and why this article on phone security reinforces that.

    10. Re:It was a inside job! by Anonymous Coward · · Score: 0

      "PIN codes". I saw this phrase once in TFS and again here. I always feel like I'm cutting myself off when I just say "PIN", but avoid "PIN number" for obvious reasons. I think I'll try "PIN code" for a while and see how it goes.

    11. Re:It was a inside job! by EvilSS · · Score: 1

      30% of phone owners don't use a password anyway, and most people who find/steal a phone don't have access to this dark database, plus you need to convince people to install the malicious app. All in all, a very small risk.

      Got a reference for that statistic?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    12. Re:It was a inside job! by theguyfromsaturn · · Score: 1

      In other news, they seem to imply that nothing can currently be done against this very specific threat... however, if you set the numerical password entry to be with randomized number location, it seems to me that the gyro is not very useful, as it will provide random data. This feature has been around for a while, and is good against the good ol' eyeball mark 1 infiltration app too (unless the observer is so far over your shoulder that they can directly observe the numbers, obviously).

      --
      I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
    13. Re:It was a inside job! by Cajun+Hell · · Score: 1

      A reference for a related statistic (though the numbers are different).

      --
      "Believe me!" -- Donald Trump
    14. Re:It was a inside job! by EvilSS · · Score: 1

      How was that supposed to be in any way useful?

      --
      I browse on +1 so AC's need not respond, I won't see it.
  2. Scientists by 110010001000 · · Score: 1

    In 2017 everyone is a scientist. Even APK.

    1. Re:Scientists by Anonymous Coward · · Score: 0

      Science is modern wizardry, and APK sells magic spells.

  3. Old tech ... by Misagon · · Score: 2

    Long before touch-screens with capacitative sensing became commonplace there were some touch-screen systems that used a gyroscope as their sensor to sense how much the screen rocked when a user touched it.
    It was very crude and inaccurate compared to other approaches but it could be mounted to most regular CRT computer monitors.

    Unfortunately I have sold off my computer magazines from the early '90s so I can't look up the name of the manufacturer.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    1. Re:Old tech ... by 110010001000 · · Score: 1

      Yeah, but these guys wrote an app.

    2. Re:Old tech ... by Askmum · · Score: 1

      I would assume it would be very crude and inaccurate because a CRT monitor does not really move when you touch it. Was it a March issue of some computer magazine by any chance?

  4. Escalation by dbIII · · Score: 2

    Escalation of access is still an issue.
    Personally I see the moral of the story as being the old one that security is weakened if you have to use the access method very frequently. That's one of the reasons why alarm systems often have a different code for each user instead of ending up with four numbers almost worn off the keypad after a few years.
    How many days would elapse before the user had entered their PIN fifty times in their phone? I don't think it would be a very long time and the malware can wait.

    1. Re:Escalation by 110010001000 · · Score: 1

      The only problem is the system needed to be trained by having the user enter 50 known PINs five times. And assumed the user held the phone the same way every time. Those silly scientists.

    2. Re:Escalation by LesFerg · · Score: 1

      Since the digital keypad on phones is a graphic display, why not simply have the keypad randomly rotated, so the patterns keep changing?
      Even better than rotating, scramble the number positions.
      All this talk of seeing somebody typing in a PIN from a distance, recording the phone movement etc just makes me wonder.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    3. Re:Escalation by Anonymous Coward · · Score: 0

      CyanogenMod and Lineage OS already had/have this feature.

    4. Re:Escalation by dbIII · · Score: 1

      No. If the malware is on the thing long enough the user will be holding the phone the same way enough times.
      Stack up enough similar data and the uncommon stuff becomes trivial noise.

    5. Re:Escalation by jaminJay · · Score: 1

      The nineties called: they want their internet banking login Java applets back.

      --
      Leela: "Is all the work done by children?" Alien: "No, not the whipping."
    6. Re:Escalation by currently_awake · · Score: 1

      Number layout randomization is used on military keypads to prevent someone shoulder surfing to get access codes. It would also prevent IR or fingerprint scans to get your code.

  5. I kinda have to call bullshit on this by Snotnose · · Score: 4, Insightful

    If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

    You really wanna tell me my gyroscope is in the same position in all these scenarios?

    1. Re:I kinda have to call bullshit on this by Anonymous Coward · · Score: 0

      They only need to look at the relative movement, not absolute position.

    2. Re:I kinda have to call bullshit on this by Snotnose · · Score: 1

      You really think in all these scenarios relative movement will be the same?

      HA HA HA HA

      dumass

    3. Re:I kinda have to call bullshit on this by Anonymous Coward · · Score: 0

      dumass

      Well played, good sir!

    4. Re:I kinda have to call bullshit on this by Anonymous Coward · · Score: 0

      Baby steps. Maybe this is the best that tech can do today but in the future... I think the phone's sensory data will be streamed up to a big AI along with sensory data of millions of users. The AI will be trained to extract PINs from sensory data regardless of "background" noise. Eventually the AI will learn to read your PIN from the phone even if you are on a roller-coaster. Is it actually worth doing this? I dunno.

    5. Re:I kinda have to call bullshit on this by Anonymous Coward · · Score: 0

      > You really think in all these scenarios relative movement will be the same?

      It only needs to be sufficiently similar in ten separate cases. The nature of APTs is that they have _tons_ of time to gather and analyse data in order to find an avenue of attack.

      How many times does the average user enter their screen unlock PIN in a day? Over the course of a month, one could easily winnow down the candidate PINs to exactly one.

      The article is here, give it a read: https://link.springer.com/article/10.1007/s10207-017-0369-x

      While reading, remember that the world of high-performance computer-controlled radios (a la WiFi and others) has given us _many_ _really good_ noise and error correction strategies. Some of these are _so_ good that they can be used to _reliably_ establish covert channels (via CPU cache corruption) that can be used to (say) exfiltrate data between two virtual machines _using the CPU's internal caches_ as a drop box and nothing else. See https://www.blackhat.com/docs/asia-17/materials/asia-17-Schwarz-Hello-From-The-Other-Side-SSH-Over-Robust-Cache-Covert-Channels-In-The-Cloud-wp.pdf for details.

      APTs, error correction, clever attackers, and systems designed with a feature-first (rather than security-first) mindset mean that infoleaks are _everywhere_, and are more easily exploited than you would _ever_ expect.

    6. Re: I kinda have to call bullshit on this by Anonymous Coward · · Score: 0

      or that one does not position the phone the same when typing or reading mostly if in hand as long as you can access the phone with your thumb across the phone. phablets may be different though or even 5.5 and up generally depending on hands.

    7. Re:I kinda have to call bullshit on this by subreality · · Score: 1

      The gyroscope does not care what orientation it's in. The accelerometer does, but even then it's easy to subtract out 1G of orientation to isolate short transients.

    8. Re:I kinda have to call bullshit on this by Eloking · · Score: 1

      If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

      You really wanna tell me my gyroscope is in the same position in all these scenarios?

      From looking at the summary (TFA is not interesting enough to read), my guess is that they use the movement of the phone as you are entering your password. For instance, if you press the #9, your cellphone will slightly tilt to the upper left (compared to the other key). By comparison, the #4 will tilt slightly relatively at the same strength on the left side, but less on the upper side. So if you look at the gyro's data of the 4 digits, you can certainly make a pattern and have an idea of what is the password. I'm pretty sure you could also guess a pattern password that way. Of course, it won't work if your cellphone lies on a flat surface.

      But, as someone already mentioned, for this to work the cellphone has already been compromised. When hacking in a fortress from inside, why waste the time to search for the key when you can simply unlock the door?

      --
      Elok
    9. Re:I kinda have to call bullshit on this by thegarbz · · Score: 1

      You really wanna tell me my gyroscope is in the same position in all these scenarios?

      It's called filtering and analysis. The starting position isn't at all important if it can be characterised.

    10. Re:I kinda have to call bullshit on this by Anonymous Coward · · Score: 0

      I think the entire point of this is that the device can be compromised by downloading any app... like a game.

  6. No it cannot by Anonymous Coward · · Score: 0

    The location of digits is random at each unlock attempt.

  7. Oh noes! Da horror of horrors! by Anonymous Coward · · Score: 0

    Hold me! I'm scurred!!

    Oh wait... My cell phone gives me the option to scramble the numbers whenever I enter my pin to prevent this exact sort of stuff.

    As you were!

    1. Re:Oh noes! Da horror of horrors! by mark-t · · Score: 1

      Pretty spiffy. Which cell phone?

  8. Definitely interesting by MakersDirector · · Score: 0

    Hacking and cracking aside, this concept isn't new - Nintendo's been doing gyroscopic sensing for at least 15 years that I am aware of with the Wii, it's not exactly a stretch to apply the same logic to a phone and obtain positional information based on timing an application to measure positional information as a series of tilts in specific directions when in the process of unlocking of the phone. There's gonna be problems if the phone is on a solid surface like a table though.

    But what I don't understand is. If someone already has access to the device to get gyroscopic information, what's the point in obtaining a PIN remotely?

    What good would that do?

    1. Re: Definitely interesting by Anonymous Coward · · Score: 0

      How many people use the same pin for everything?

    2. Re: Definitely interesting by Anonymous Coward · · Score: 0

      I do not think a thief of the physical device would go that direction or even have the technical resources, and those are mostly crimes of opportunity. But law enforcement and other organizations may find it useful in an investigation.

  9. Only load from safe sources by chromaexcursion · · Score: 1

    If you download from Google store, every app has to ask permission.
    This attack only works on those downloading from untrusted sources.

    1. Re:Only load from safe sources by Nemyst · · Score: 1

      And what if the app masquerades as something with a perfectly valid reason to access the gyroscope, like a map app?

  10. my phone? by Anonymous Coward · · Score: 0

    has neither a PIN nor a gyrothingie. Am I safe?

  11. Time for a new game by Anonymous Coward · · Score: 0

    Ok, so I have a new game for the smartphone: complete the sequence, it is purely a coincidence that the numbers line up with the unlock buttons. In this game I will put up a sequence of numbers and you need to complete the sequence and as levels become harder the number of digits you need to enter increases. Make sure that while playing you give me access to the gyro; never mind, you already do this.
    So if you walk away from your game while playing or I am running in the background I will just log the gyro to capture your pin....

    Bingo, game-ification of pin code entry and automatic pin capture.

    Who wants to start a phone game company with me?

  12. Randomized Numberpad by Anonymous Coward · · Score: 0

    It would be so easy to implement and reduce a bunch of other attacks as well. Won't happen, too user unfriendly. Sigh. We're going the opposite direction where the validation program is also looking at your gyroscope data to guess if it's you tapping or someone else. AI is a selling point, randomized UIs aren't.

  13. Iframe/JS attack possible too by HxBro · · Score: 1

    This could happen on any web page you happen to have visited and left open, in some cases the browser can be minimised and screen locked

    https://link.springer.com/arti...

  14. Simpler method by religionofpeas · · Score: 2

    Just make an app that occasionally shows a fake unlock screen, and just capture the touches.

  15. PIN length? by necro81 · · Score: 1

    I will assume that this research was conducted using 4-digit PINs, which are the default for iOS and Android. I wonder how their success rate would hold up against, say, a 5-digit PIN, or 8, or N?

    I generally rely on a biometric sign in for my phone*, but fall back on the PIN code once or twice per week. It's a whole lot more than 4 digits.

    * I know, biometrics have their own set of risks; different conversation

  16. Of course it should be an inside job... by Richard+Kirk · · Score: 1

    This is an entirely sensible thing to do. You might have a game that uses the gyroscope. Embedded within that game there might be a rogue application that also uses the gyroscope data to measure the tilt as a result of using the keyboard, and report that along with your high score, or whatever to some game server. If you have some security mode so when you are entering a password, it disables keyboard sharing, screen grabs, the camera (looking for reflections in your glasses) and the microphone (in case you say the numbers aloud) it must also disable the gyroscope and accelerometer. It does not matter that the process is not reliable - all we need to know is that it could work, so we can put in a fix.

    Too often we learn what is possible after the event. We have to pay ingenious people to report weaknesses in the system. If you don't then the only ones working on it are the ones with something to gain.

  17. Re:wow by marcgvky · · Score: 2

    1. write iphone app 2. record sensor data 3. sell PINs 4. profit!

    Why did his statement get voted down? I think it's insightful satire.

    As a firefighter, we are taught "Forcible Entry", because we may show up to a burning house and the homeowner may be able to answer the door. The first words out of the instructor's mouth, Day 1, "locks keep honest people honest." Simple and profound.

    Seems like the front door to your house and the front door to your phone are only as safe, as the moral society in which you live allows.

  18. Re:wow by marcgvky · · Score: 1

    .... show up to a burning house and the homeowner may be able to answer the door.....

    Ehem, may NOT be able to answer the door. LOL Too early for posting... need coffee.

  19. NO GYROSCOPE IN PHONES by flargleblarg · · Score: 1

    For fuck's sake! There are no goddamn gyroscopes in mobile devices. What's used are accelerometers, which are non-spinning. Gyroscopes spin.

    1. Re:NO GYROSCOPE IN PHONES by Wolfrider · · Score: 1

      --Easy solution: OS Disable the accelerometer when prompting for a pass code.

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  20. PIN layout scrambling defeats this? by Athanasius · · Score: 1

    From the description the method is detecting which part of the screen you tap on. Thus if you use PIN keypad layout scrambling, such as in LineageOS they still won't know which digit you were tapping each time.
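
The keypad layout scrambling raised in this comment, and in the earlier replies about randomized number locations, modelled as an added example (not code from the thread, the paper or any phone OS). It assumes an observer who recovers every tap position perfectly; `FIXED_LAYOUT`, `scrambled_layout`, `tapped_slots` and `candidates_from_slots` are hypothetical names. It also shows a caveat: a layout scrambled once per entry still reveals which taps landed on the same key.

```python
"""Model of a scrambled PIN pad versus a fixed one (constructed example)."""
import secrets
from itertools import product

DIGITS = "0123456789"
# Assumption: ten key slots numbered 0..9; on a fixed pad slot 0 shows "1", slot 9 shows "0".
FIXED_LAYOUT = "1234567890"


def scrambled_layout():
    """Return a uniformly random slot -> digit assignment.

    Fisher-Yates shuffle driven by the OS CSPRNG, so the layout cannot be
    predicted from earlier layouts.
    """
    pad = list(DIGITS)
    for i in range(len(pad) - 1, 0, -1):
        j = secrets.randbelow(i + 1)  # unbiased index in [0, i]
        pad[i], pad[j] = pad[j], pad[i]
    return "".join(pad)


def tapped_slots(pin, layout):
    """What a position-only observer learns: slot indices, never digits."""
    return [layout.index(d) for d in pin]


def candidates_from_slots(slots, layout=None):
    """PINs consistent with one observed entry.

    layout given (fixed, publicly known pad): exactly one PIN remains.
    layout None (scrambled once per entry, unknown to the observer):
    every PIN with the same repetition pattern remains.
    """
    if layout is not None:
        return ["".join(layout[s] for s in slots)]
    n = len(slots)
    out = []
    for guess in product(DIGITS, repeat=n):
        # Same slot must mean same digit; different slots mean different digits.
        if all((guess[a] == guess[b]) == (slots[a] == slots[b])
               for a in range(n) for b in range(a)):
            out.append("".join(guess))
    return out


if __name__ == "__main__":
    for pin in ("2580", "1123", "7777"):  # constructed sample PINs
        fixed = candidates_from_slots(tapped_slots(pin, FIXED_LAYOUT), FIXED_LAYOUT)
        scr = candidates_from_slots(tapped_slots(pin, scrambled_layout()))
        print(pin, "fixed pad:", len(fixed), "candidate; scrambled pad:", len(scr))
```

Re-scrambling after every tap instead of once per entry removes the repetition leak, leaving all 10^n PINs equally consistent with what was observed.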

  21. "In every revolution..." by Anonymous Coward · · Score: 0

    "There's 1 man with a vision" https://slashdot.org/comments.pl?sid=10476859&cid=54226973/

    APK

    P.S.=> YOOD empire is illogical - I submit YOU are illogical to be a willing part of it... apk

  22. Good thing this does not apply by Bartles · · Score: 1

    Because phones don't have gyroscopes. They have accelerometers.