TECH
02/01/2018 11:31 GMT

Researchers Can Guess Your Phone Pin Using Information You Think Is Harmless

Time to get more secure?

So you’ve finally changed your smartphone password from 1234, and you’re feeling like your security measures are pretty robust.

But turns out malicious hackers could actually figure out your mobile passcode using easily accessible data that you have no control over.

And the method is successful in 99.5% of cases, according to the experts.

Wachiwit via Getty Images

The new study found that sensor data from instruments such as the accelerometer, which indicates when you’ve turned your device horizontally or vertically, has huge potential to be turned into a “security vulnerability”.

The team from the Nanyang Technological University, Singapore believe their work highlights a significant flaw in smartphone security.

Professor Gan Chee Lip, said: “This has significant privacy implications that both individuals and enterprises should pay urgent attention to.”

Looking at data from six different sensors on your phone - accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor - they succeeded in unlocking Androids with nearly 100% accuracy within three tries.

The previous best phone-cracking success rate awas 74% for the 50 most common PIN numbers, whereas this new technique can be used to guess all 10,000 possible combinations of four-digit PINs.

Dr Shivam Bhasin explained how the technique works based on phone movements and light reaching the screen: “When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. 

“Likewise, pressing 1 with your right thumb will block more light than if you pressed 9.”

The algorithm was trained with data collected from three people, who each entered a random set of 70 four-digit pin numbers on a phone. At the same time, it recorded the relevant sensor reactions.

It was then able to give different weightings of importance to each of the sensors.

So while a malicious application may not be able to correctly guess a PIN immediately after installation, using machine learning, it could collect data from thousands of users over time and then launch an attack later when the success rate is much higher.

Along with the potential for leaking passwords, the researchers are concerned that access to phone sensor information could reveal far too much about a user’s behaviour.

The team said it would be “advisable” for mobile operating systems to restrict access to these six sensors in future as currently they require no permissions by phone user for apps to access.