Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday April 12 2017, @06:23AM   Printer-friendly
from the didn't-learn-lessons-from-pinball dept.

The way you tilt your mobile while you're using it could allow hackers to steal your pin numbers and passwords, according to new research.

Experts at Newcastle University analysed the movement of a smartphone as the keyboard was used. They say they cracked four-digit Android pins with 70% accuracy on the first guess and 100% by the fifth guess.

[...] Dr Maryam Mehrnezhad, from the university's school of computing science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors (gyroscope, rotation sensors, accelerometer, etc).

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programmes can covertly 'listen in' on your sensor data." The team said it was able to identify 25 different sensors which come as standard on most devices.

[...] "And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

[...] The researchers found that everything you do - from clicking, scrolling and holding to tapping - led to people holding their phone in a unique way. So on a known webpage, the team was able to work out which part of the page the user was clicking on, and what they were typing, by the way it was tilted.

The pre-publication paper on arxiv adds examples of using iframes or additional tabs to capture sensor data when inputting passwords on webpages.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Rosco P. Coltrane on Wednesday April 12 2017, @07:24AM (9 children)

    by Rosco P. Coltrane (4757) on Wednesday April 12 2017, @07:24AM (#492648)

    My pin number is 1111. Figure it out from accelerometer data, suckers...

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by arslan on Wednesday April 12 2017, @07:45AM (7 children)

    by arslan (3462) on Wednesday April 12 2017, @07:45AM (#492654)

    You joke, but it is probably easier to just look over the shoulder of folks in a crowded area to figure it out, no need for all this high tech nonsense....

    • (Score: 3, Funny) by Rosco P. Coltrane on Wednesday April 12 2017, @08:05AM

      by Rosco P. Coltrane (4757) on Wednesday April 12 2017, @08:05AM (#492661)

      Come to think of it, the best defeat method against both sensor-based and over-the shoulder snooping might be holding your cell phone like Michael J. Fox...

    • (Score: 2) by kazzie on Wednesday April 12 2017, @08:56AM (4 children)

      by kazzie (5309) Subscriber Badge on Wednesday April 12 2017, @08:56AM (#492668)

      Sure, but this can be done remotely, and on a large scale.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday April 12 2017, @09:33AM (3 children)

        by Anonymous Coward on Wednesday April 12 2017, @09:33AM (#492674)

        True, true. And what good is my PIN if you already have remote access to my phone?

        • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @05:20PM (2 children)

          by Anonymous Coward on Wednesday April 12 2017, @05:20PM (#492903)

          Did you RTFS? He's talking about the fact you can do this with javascript running in an unexploited web browser. All someone has to do is get their javascript loaded somehow (probably involving an ad network), in some tab, and wait for you to enter passwords/PINs/etc. in another tab or outside the browser; the attacker doesn't have "remote access" in any usual sense.

          • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @09:21PM

            by Anonymous Coward on Wednesday April 12 2017, @09:21PM (#493070)

            Well, it looks like Apple patched this [appleinsider.com] last year.

          • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @09:42PM

            by Anonymous Coward on Wednesday April 12 2017, @09:42PM (#493083)

            Let's see ... either they have remote access to your phone or they don't (in this case the don't have "remote access" but can theoretically get your PIN). But what good is your PIN if they do not have physical access to the phone? And if they actually have remote access to your phone what good is your PIN?

    • (Score: 2) by Nerdfest on Wednesday April 12 2017, @11:07AM

      by Nerdfest (80) on Wednesday April 12 2017, @11:07AM (#492688)

      Not for the NSA. Well, I guess they do have satellites.

  • (Score: 2) by isostatic on Wednesday April 12 2017, @01:52PM

    by isostatic (365) on Wednesday April 12 2017, @01:52PM (#492743) Journal

    Voice recognition. I just say "Destruct Sequence One, code One, One-A"