Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday April 12 2017, @06:23AM   Printer-friendly
from the didn't-learn-lessons-from-pinball dept.

The way you tilt your mobile while you're using it could allow hackers to steal your pin numbers and passwords, according to new research.

Experts at Newcastle University analysed the movement of a smartphone as the keyboard was used. They say they cracked four-digit Android pins with 70% accuracy on the first guess and 100% by the fifth guess.

[...] Dr Maryam Mehrnezhad, from the university's school of computing science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors (gyroscope, rotation sensors, accelerometer, etc).

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programmes can covertly 'listen in' on your sensor data." The team said it was able to identify 25 different sensors which come as standard on most devices.

[...] "And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

[...] The researchers found that everything you do - from clicking, scrolling and holding to tapping - led to people holding their phone in a unique way. So on a known webpage, the team was able to work out which part of the page the user was clicking on, and what they were typing, by the way it was tilted.

The pre-publication paper on arxiv adds examples of using iframes or additional tabs to capture sensor data when inputting passwords on webpages.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday April 12 2017, @09:00AM (6 children)

    by Anonymous Coward on Wednesday April 12 2017, @09:00AM (#492669)

    Can't this be easily defeated by randomizing the on-screen keyboard for every character?

    Starting Score:    0  points
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  

    Total Score:   1  
  • (Score: 3, Informative) by Nerdfest on Wednesday April 12 2017, @11:09AM

    by Nerdfest (80) on Wednesday April 12 2017, @11:09AM (#492689)

    Yes, and that works for screen smudge attacks as well. I think people find it inconvenient.

  • (Score: 2) by EvilSS on Wednesday April 12 2017, @01:26PM (2 children)

    by EvilSS (1456) Subscriber Badge on Wednesday April 12 2017, @01:26PM (#492729)
    It would, but I don't think it would work for practical reasons. Most people type numbers like PINs and phone numbers they know well by pattern. If you are old enough to have used a regular old telephone and have to remember phone numbers ('member when your friends numbers lived in your head?) you probably recall what it was like to try to type one of those phone numbers on a PC using the numpad. There was an awkward feel to it as you had to recall the actual numbers and think about it vs doing it by muscle memory. And that's just from flipping 1-9. Randomize them and I bet most people would end up locked out of their phones at some point.
    • (Score: 2) by urza9814 on Wednesday April 12 2017, @06:43PM (1 child)

      by urza9814 (3954) on Wednesday April 12 2017, @06:43PM (#492975) Journal

      I think there's some differences in what you're discussing vs what the article is about, but what you seem to be describing works quite well. Android phones have had the ability to randomize the unlock keypad for a while. I have it enabled on my phone, so every time I go to unlock it the keypad is different. But it's not a problem, it doesn't cause me to mistype my code or forget it or get locked out or anything like that. Although I *do* have problems switching numbers from a phone to a PC numpad..but I find the same effect doesn't happen on the smartphone, probably because of the lack of tactile feedback. You can't feel the keys, so you can't do it blind. And if you have to look at the screen and find the right number already, it doesn't really change that process if you move those numbers around a bit.

      But the article seems to be talking about websites, meaning we're probably not talking about a pin pad but a full keyboard. That's a much harder thing to randomize. It's difficult to even change in the first place (try finding a GOOD Android keyboard that supports Dvorak...) And even if you could change it, finding the right one in a hundred keys is a lot harder than one in ten, and you're probably typing something longer than a six digit pin which multiplies the problem further.

      Maybe just move the entire keyboard? With the large screens on some modern phones you could have a ~1 key width gutter around the edges of the keyboard, and it could randomly jump left/right/up/down on each keypress. Not as good as randomizing the whole thing, and it would still be easy to guess if you're typing dictionary words, but it'd help with a random password. Would cause some minor difficulty for swipe keyboards though.

      Or you could just not give every random app permission to read those sensors...unfortunately even custom Android roms don't seem to have the ability to do that...

      • (Score: 3, Informative) by EvilSS on Wednesday April 12 2017, @08:17PM

        by EvilSS (1456) Subscriber Badge on Wednesday April 12 2017, @08:17PM (#493038)
        The article isn't super clear about it but they were able to detect motion while the screen was locked on some third party browsers on both iOS and Android.

        Table of findings : https://blogs.ncl.ac.uk/security/files/2016/02/1.png [ncl.ac.uk]

        So both in browser passwords and lock screen PINS as well as other apps as they were able to run in the background.
  • (Score: 2) by kaszz on Wednesday April 12 2017, @02:50PM

    by kaszz (4211) on Wednesday April 12 2017, @02:50PM (#492786) Journal

    I like the idea. The question is how much software rope arts that will be needed to accomplish it. As the screen lock software which is a security component has to be rewritten. Ie can one put ones own software into that function.

  • (Score: 2) by bob_super on Wednesday April 12 2017, @06:25PM

    by bob_super (1357) on Wednesday April 12 2017, @06:25PM (#492968)

    Can't this be easily defeated by not letting browser javascript sniff your sensors?
    And also, prevent accelerometer reading during pin/password entry?

    Actual solutions to the root of the problem...