Slashdot Mirror


Scientists Prove Your Phone's PIN Can Be Stolen Using Its Gyroscope Data (digitaltrends.com)

A team of scientists at Newcastle University in the UK managed to reveal a user's phone PIN code using its gyroscope data. "In one test, the team cracked a passcode with 70 percent accuracy," reports Digital Trends. "By the fifth attempt, the accuracy had gone up to 100 percent." From the report: It takes a lot of data, to be sure. The Guardian notes users had to type 50 known PINs five times before the researchers' algorithm learned how they held a phone when typing each particular number. But it highlights the danger of malicious apps that gain access to a device's sensors without requesting permission. The risk extends beyond PIN codes. In total, the team identified 25 different smartphone sensors which could expose compromising user information. Worse still, only a small number -- such as the camera and GPS -- ask the user's permission before granting access to that data. It's precise enough to track behavior. Using "orientation" and "emotion trace" data, the researchers were able to determine what part of a web page a user was clicking on and what they were typing. The paper has been published in the International Journal of Information Security.


  1. It was an inside job! by LesFerg · · Score: 2

    So they are saying that if a malicious compromising app is already installed and running on your phone, then your phone could be compromised?
    Were they on salary while determining this?

    --
    If I had a DeLorean... I would probably only drive it from time to time.
  2. Old tech ... by Misagon · · Score: 2

    Long before touch-screens with capacitative sensing became commonplace there were some touch-screen systems that used a gyroscope as their sensor to sense how much the screen rocked when a user touched it.
    It was very crude and inaccurate compared to other approaches but it could be mounted to most regular CRT computer monitors.

    Unfortunately I have sold off my computer magazines from the early '90s so I can't look up the name of the manufacturer.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  3. Escalation by dbIII · · Score: 2

    Escalation of access is still an issue.
    Personally I see the moral of the story as being the old one that security is weakened if you have to use the access method very frequently. That's one of the reasons why alarm systems often have a different code for each user instead of ending up with four numbers almost worn off the keypad after a few years.
    How many days would elapse before the user had entered their PIN fifty times in their phone? I don't think it would be a very long time and the malware can wait.

  4. I kinda have to call bullshit on this by Snotnose · · Score: 4, Insightful

    If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

    You really wanna tell me my gyroscope is in the same position in all these scenarios?

  5. Simpler method by religionofpeas · · Score: 2

    Just make an app that occasionally shows a fake unlock screen, and just capture the touches.

  6. Re:wow by marcgvky · · Score: 2

    1. write iphone app 2. record sensor data 3. sell PINs 4. profit!

    Why did his statement get voted down? I think it's insightful satire.

    As a firefighter, we are taught "Forcible Entry", because we may show up to a burning house and the homeowner may be able to answer the door. The first words out of the instructor's mouth, Day 1, "locks keep honest people honest." Simple and profound.

    Seems like the front door to your house and the front door to your phone are only as safe as the moral society in which you live allows.