The way you tilt your mobile while you're using it could allow hackers to steal your pin numbers and passwords, according to new research.
Experts at Newcastle University analysed the movement of a smartphone as the keyboard was used. They say they cracked four-digit Android pins with 70% accuracy on the first guess and 100% by the fifth guess.
[...] Dr Maryam Mehrnezhad, from the university's school of computing science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors (gyroscope, rotation sensors, accelerometer, etc).
"But because mobile apps and websites don't need to ask permission to access most of them, malicious programmes can covertly 'listen in' on your sensor data." The team said it was able to identify 25 different sensors which come as standard on most devices.
[...] "And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
[...] The researchers found that everything you do - from clicking, scrolling and holding to tapping - led to people holding their phone in a unique way. So on a known webpage, the team was able to work out which part of the page the user was clicking on, and what they were typing, by the way it was tilted.
The pre-publication paper on arxiv adds examples of using iframes or additional tabs to capture sensor data when inputting passwords on webpages.
(Score: 1, Insightful) by Anonymous Coward on Wednesday April 12 2017, @09:00AM (6 children)
Can't this be easily defeated by randomizing the on-screen keyboard for every character?
(Score: 3, Informative) by Nerdfest on Wednesday April 12 2017, @11:09AM
Yes, and that works for screen smudge attacks as well. I think people find it inconvenient.
(Score: 2) by EvilSS on Wednesday April 12 2017, @01:26PM (2 children)
(Score: 2) by urza9814 on Wednesday April 12 2017, @06:43PM (1 child)
I think there's some differences in what you're discussing vs what the article is about, but what you seem to be describing works quite well. Android phones have had the ability to randomize the unlock keypad for a while. I have it enabled on my phone, so every time I go to unlock it the keypad is different. But it's not a problem, it doesn't cause me to mistype my code or forget it or get locked out or anything like that. Although I *do* have problems switching numbers from a phone to a PC numpad..but I find the same effect doesn't happen on the smartphone, probably because of the lack of tactile feedback. You can't feel the keys, so you can't do it blind. And if you have to look at the screen and find the right number already, it doesn't really change that process if you move those numbers around a bit.
But the article seems to be talking about websites, meaning we're probably not talking about a pin pad but a full keyboard. That's a much harder thing to randomize. It's difficult to even change in the first place (try finding a GOOD Android keyboard that supports Dvorak...) And even if you could change it, finding the right one in a hundred keys is a lot harder than one in ten, and you're probably typing something longer than a six digit pin which multiplies the problem further.
Maybe just move the entire keyboard? With the large screens on some modern phones you could have a ~1 key width gutter around the edges of the keyboard, and it could randomly jump left/right/up/down on each keypress. Not as good as randomizing the whole thing, and it would still be easy to guess if you're typing dictionary words, but it'd help with a random password. Would cause some minor difficulty for swipe keyboards though.
Or you could just not give every random app permission to read those sensors...unfortunately even custom Android roms don't seem to have the ability to do that...
(Score: 3, Informative) by EvilSS on Wednesday April 12 2017, @08:17PM
Table of findings : https://blogs.ncl.ac.uk/security/files/2016/02/1.png [ncl.ac.uk]
So both in browser passwords and lock screen PINS as well as other apps as they were able to run in the background.
(Score: 2) by kaszz on Wednesday April 12 2017, @02:50PM
I like the idea. The question is how much software rope arts that will be needed to accomplish it. As the screen lock software which is a security component has to be rewritten. Ie can one put ones own software into that function.
(Score: 2) by bob_super on Wednesday April 12 2017, @06:25PM
Can't this be easily defeated by not letting browser javascript sniff your sensors?
And also, prevent accelerometer reading during pin/password entry?
Actual solutions to the root of the problem...