Modern mobile devices are full of sensors (i.e. GPS, Camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC) that could be exploited by hackers to gather data about owner’s activities?
A group of researchers from Newcastle University demonstrated that hackers can potentially guess PINs and passwords entered by the owner of the mobile device while authenticating itself on a website or an app. The technique devised by the experts has a surprising degree of accuracy, experts can monitor the angle and motion of the phone while the owner is typing a secret code.
Unfortunately, mobile phones don’t restrict websites and apps from accessing sensors’ data.
“Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera, and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer,” reads the paper titled “Stealing PINs via mobile sensors: actual risk versus user perception” that was published by the experts.
“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.”
Researchers were able to acquire data from around 25 sensors in a smartphone.
Below a video PoC of the attack devised by the researchers, the experts developed a malicious script to collect sensor data from an iOS device.
The script can be embedded in a mobile app or loaded on a website visited by the victims. This means that attackers just have to trick victims into visiting a malicious website either installing a malicious app.
At this point, everytime a victim types on the phone while visiting the website or using the malicious app in the background of the device, the malicious script will access data from the sensors and record information that could be used to guess a PIN or a password.
Researchers were able to guess four-digit PINs on the first try with 74% accuracy and on the fifth try with 100% accuracy. These results were obtained using data logged from 50 devices and by using information collected from just motion and orientation sensors, these specific categories of sensors do not require any special permission to access.
The researchers reported their findings to leading browser providers such as Google and Apple, Mozilla and Safari have already partially fixed the issue. Anyway the researchers are working with companies in the IT industry to find a proper solution to definitively mitigate such kind of attacks.
(Security Affairs – mobile, sensors)