Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scientists Prove Your Phone's PIN Can Be Stolen Using Its Gyroscope Data (digitaltrends.com)

Posted by BeauHD on from the less-secure-than-previously-thought dept.

A team of scientists at Newcastle University in the UK managed to reveal a user's phone PIN code using its gyroscope data. "In one test, the team cracked a passcode with 70 percent accuracy," reports Digital Trends. "By the fifth attempt, the accuracy had gone up to 100 percent." From the report: It takes a lot of data, to be sure. The Guardian notes users had to type 50 known PINs five times before the researchers' algorithm learned how they held a phone when typing each particular number. But it highlights the danger of malicious apps that gain access to a device's sensors without requesting permission. The risk extends beyond PIN codes. In total, the team identified 25 different smartphone sensors which could expose compromising user information. Worse still, only a small number -- such as the camera and GPS -- ask the user's permission before granting access to that data. It's precise enough to track behavior. Using an "orientation" and "emotion trace" data, the researchers were able to determine what part of a web page a user was clicking on and what they were typing. The paper has been published in International Journal of Information Security.

40 of 61 comments (clear)

  1. It was a inside job! by LesFerg · · Score: 2

    So they are saying that if a malicious compromising app is already installed and running on your phone, then your phone could be compromised?
    Were they on salary while determining this?

    --
    If I had a DeLorean... I would probably only drive it from time to time.
    1. Re:It was a inside job! by Askmum · · Score: 1

      When a malicious app can have access to the gyroscope, why can't it read out the pressure of the screen? I don't even think there is a seperate access restriction for that because every app is controlled by the screen.

    2. Re:It was a inside job! by AC-x · · Score: 1

      I'm pretty sure mobile OS' don't allow user level apps to read touch positions from things like the lockscreen.

    3. Re:It was a inside job! by religionofpeas · · Score: 1

      With a similar argument: what is an app actually going to accomplish once it has the unlock code ?

    4. Re:It was a inside job! by Joce640k · · Score: 1

      Create a dark database so that stolen phones are suddenly valuable again?

      It's almost as if you have no imagination.

      --
      No sig today...
    5. Re:It was a inside job! by religionofpeas · · Score: 1

      30% of phone owners don't use a password anyway, and most people who find/steal a phone don't have access to this dark database, plus you need to convince people to install the malicious app. All in all, a very small risk.

    6. Re:It was a inside job! by AC-x · · Score: 1

      I imagine it would be useful to state actors; Build up a database of pin codes then if you snatch a phone in a raid / at the border if it's part of your drag net you can unlock it without all the fuss like the San Bernardino iPhone caused.

    7. Re:It was a inside job! by Cyryathorn · · Score: 1

      I imagine the "malicious app" might be a pinball game that you gave gyro permissions to, and/or a puzzle-sliding mini game that lays out on the screen in a manner suspiciously similar to the lock screen. After that it would need to be able to look up historical gyro data.

      The article doesn't provide enough detail, so I'm just speculating. But I would imagine it might just take a little bit of cleverness to trojan this into a real world scenario.

    8. Re:It was a inside job! by EvilSS · · Score: 1

      30% of phone owners don't use a password anyway, and most people who find/steal a phone don't have access to this dark database, plus you need to convince people to install the malicious app. All in all, a very small risk.

      Got a reference for that statistic?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    9. Re:It was a inside job! by theguyfromsaturn · · Score: 1

      In other news, they seem to imply that nothing can currently be done against this very specific threat... however, if you set the numerical password entry to be with randomized number location, it seems to me that the gyro is not very useful, as it will provide random data. This feature has been around for a while, and is good against the good ol' eyeball mark 1 infiltration app too (unless the observer is so far over your shoulder that they can directly observe the numbers, obviously).

      --
      I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
    10. Re:It was a inside job! by Cajun+Hell · · Score: 1

      A reference for a related statistic (though the numbers are different).

      --
      "Believe me!" -- Donald Trump
    11. Re:It was a inside job! by EvilSS · · Score: 1

      How was that supposed to be in any way useful?

      --
      I browse on +1 so AC's need not respond, I won't see it.
  2. Scientists by 110010001000 · · Score: 1

    In 2017 everyone is a scientist. Even APK.

  3. Old tech ... by Misagon · · Score: 2

    Long before touch-screens with capacitative sensing became commonplace there were some touch-screens systems that used a gyroscope as its sensor to sense how much the screen rocked when a user touched it.
    It was very crude and inaccurate compared to other approaches but it could be mounted to most regular CRT computer monitors.

    Unfortunately I have sold off my computer magazines from the early '90s so I can't look up the name of the manufacturer.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    1. Re:Old tech ... by 110010001000 · · Score: 1

      Yeah, but these guys wrote an app.

    2. Re:Old tech ... by Askmum · · Score: 1

      I would assume it would be very crude and inaccurate because a CRT monitor does not really move when you touch it. Was it a March issue of some computer magazine by any chance?

  4. Escalation by dbIII · · Score: 2

    Escalation of access is still an issue.
    Personally I see the moral of the story as being the old one that security is weakened if you have to use the access method very frequently. That's one of the reasons why alarm systems often have a different code for each user instead of ending up with four numbers almost worn off the keypad after a few years.
    How many days would elapse before the user had entered their PIN fifty times in their phone? I don't think it would be a very long time and the malware can wait.

    1. Re:Escalation by 110010001000 · · Score: 1

      The only problem is the system needed to be trained by having the user enter 50 known PINs five times. And assumed the user held the phone the same way every time. Those silly scientists.

    2. Re:Escalation by LesFerg · · Score: 1

      Since the digital keypad on phones is a graphic display, why not simply have the keypad randomly rotated, so the patterns keep changing?
      Even better than rotating, scramble the number positions.
      All this talk of seeing somebody typing in a PIN from a distance, recording the phone movement etc just make me wonder.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    3. Re:Escalation by dbIII · · Score: 1

      No. If the malware is on the thing long enough the user will be holding the phone the same way enough times.
      Stack up enough similar data and the uncommon stuff becomes trivial noise.

    4. Re:Escalation by jaminJay · · Score: 1

      The nineties called: they want their internet banking login Java applets back.

      --
      Leela: "Is all the work done by children?" Alien: "No, not the whipping."
    5. Re:Escalation by currently_awake · · Score: 1

      Number layout randomization is used on military keypads to prevent someone shoulder surfing to get access codes. It would also prevent IR or fingerprint scans to get your code.

  5. I kinda have to call bullshit on this by Snotnose · · Score: 4, Insightful

    If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

    You really wanna tell me my gyroscope is in the same position in all these scenarios?

    1. Re:I kinda have to call bullshit on this by Snotnose · · Score: 1

      You really think in all these scenarios relative movement will be the same?

      HA HA HA HA

      dumass

    2. Re:I kinda have to call bullshit on this by subreality · · Score: 1

      The gyroscope does not care what orientation it's in. The accelerometer does, but even then it's easy to subtract out 1G of orientation to isolate short transients.

    3. Re:I kinda have to call bullshit on this by Eloking · · Score: 1

      If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

      You really wanna tell me my gyroscope is in the same position in all these scenarios?

      From looking at the summary (TFA is not interesting enough to read), my guess is that they use the mouvement of the phone as you as entering your password. For instance, if you press the #9, your cellphone will slightly tilt to the upper left (compared to the other key). By comparison, the #4 will tilt slightly relatively at the same strength on the left side, but less on the upper side. So if you look at the gyro's data of the 4 digit, you can certainly make a pattern and have an idea of what if the password. I'm pretty sure you could also guess a pattern password that way. Of course, it won't work if your cellphone lay on a flat surface.

      But, as someone already mentioned, for this to work the cellphone have already been compromised. When hacking in a fortress from inside, why wasting the time to search for the key when you can simply unlock the door?

      --
      Elok
    4. Re:I kinda have to call bullshit on this by thegarbz · · Score: 1

      You really wanna tell me my gyroscope is in the same position in all these scenarios?

      It's called filtering and analysis. The starting position isn't at all important if it can be characterised.

  6. Only load from safe sources by chromaexcursion · · Score: 1

    If you download from google store, every app has to ask permission.
    this attack only works on those downloading from untrusted sources.

    1. Re:Only load from safe sources by Nemyst · · Score: 1

      And what if the app masquerades as something with a perfectly valid reason to access the gyroscope, like a map app?

  7. Re:Oh noes! Da horror of horrors! by mark-t · · Score: 1

    Pretty spiffy. Which cell phone?

    --
    File under 'M' for 'Manic ranting'
  8. Iframe/JS attack possible too by HxBro · · Score: 1

    This could happen on any web page you happen to have visited and left open, in some cases the browser can be minimised and screen locked

    https://link.springer.com/arti...

  9. Simpler method by religionofpeas · · Score: 2

    Just make an app that occasionally shows a fake unlock screen, and just capture the touches.

  10. PIN length? by necro81 · · Score: 1

    I will assume that this research was conducted using 4-digit PINs, which are the default for iOS and Android. I wonder how their success rate would hold up against, say, a 5-digit PIN, or 8, or N?

    I generally rely on a biometric sign in for my phone*, but fall back on the PIN code once or twice per week. It's a whole lot more than 4 digits.

    * I know, biometrics have their own set of risks; different conversation

  11. Of course it should be an inside job... by Richard+Kirk · · Score: 1

    This is an entirely sensible thing to do. You might have a game that uses the gyroscope. Embedded within that game there might be a rogue application that also uses the gyroscope data to measure the tilt as a result of using the keyboard, and report that along with your high score, or whatever to some game sever. If you have some security mode so when you are entering a password, it disables keyboard sharing, screen grabs, the camera (looking for reflections in you glasses) and the microphone (in case you say the numbers aloud) it must also disable the gyroscope and accelerometer. It does not matter that the process is not reliable - all we need to know is that is could work, so we can put in a fix.

    Too often we learn what is possible after the event. We have to pay ingenious people to report weaknesses in the system. If you don't then the only ones working on it are the ones with something to gain.

  12. Re:wow by marcgvky · · Score: 2

    1. write iphone app 2. record sensor data 3. sell PINs 4. profit!

    Why did his statement get voted down? I think it's insightful satire.

    As a firefighter, we are taught "Forcible Entry", because we may show up to a burning house and the homeowner may be able to answer the door. The first words out of the instructors mouth, Day 1, "locks keep honest people honest." Simple and profound.

    Seems like the front door to your house and the front door to your phone are only as safe, as the moral society in which you live allows.

  13. Re:wow by marcgvky · · Score: 1

    .... show up to a burning house and the homeowner may be able to answer the door.....

    Ehem, may NOT be able to answer the door. LOL Too early for posting... need coffee.

  14. NO GYROSCOPE IN PHONES by flargleblarg · · Score: 1

    For fuck's sake! There are no goddamn gyroscopes in mobile devices. What's used are accelerometers, which are non-spinning. Gyroscopes spin.

    1. Re:NO GYROSCOPE IN PHONES by Wolfrider · · Score: 1

      --Easy solution: OS Disable the accelerometer when prompting for a pass code.

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  15. PIN layout scrambling defeats this? by Athanasius · · Score: 1

    From the description the method is detecting which part of the screen you tap on. Thus if you use PIN keypad layout scrambling, such as in LineageOS they still won't know which digit you were tapping each time.

  16. Good thing this does not apply by Bartles · · Score: 1

    Because phones don't have gyroscopes. They have accelerometers.