SoylentNews is people

posted by martyb on Wednesday April 12 2017, @06:23AM
from the didn't-learn-lessons-from-pinball dept.

The way you tilt your mobile while you're using it could allow hackers to steal your pin numbers and passwords, according to new research.

Experts at Newcastle University analysed the movement of a smartphone as the keyboard was used. They say they cracked four-digit Android pins with 70% accuracy on the first guess and 100% by the fifth guess.

[...] Dr Maryam Mehrnezhad, from the university's school of computing science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors (gyroscope, rotation sensors, accelerometer, etc).

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programmes can covertly 'listen in' on your sensor data." The team said it was able to identify 25 different sensors which come as standard on most devices.

[...] "And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

[...] The researchers found that everything you do - from clicking, scrolling and holding to tapping - led to people holding their phone in a unique way. So on a known webpage, the team was able to work out which part of the page the user was clicking on, and what they were typing, by the way it was tilted.

The pre-publication paper on arXiv adds examples of using iframes or additional tabs to capture sensor data when inputting passwords on webpages.
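
A defensive check for the iframe scenario described above, as an added example that is not from the article or the paper: it audits a site's `Permissions-Policy` response header for the motion-sensor features. The header and the feature names `accelerometer`, `gyroscope` and `magnetometer` are standard but do not appear on this page; the function names and sample headers are constructed, and the parser is simplified.

```javascript
// Added example (not from the article or paper). Sample header values are constructed.
const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Simplified parser: "feature=(tokens), feature=*" -> Map(feature -> [tokens]).
// Assumes no commas inside allowlist entries; ";" parameters are ignored.
function parsePermissionsPolicy(header) {
  const policy = new Map();
  for (const directive of String(header || "").split(",")) {
    const eq = directive.indexOf("=");
    if (eq === -1) continue;
    const feature = directive.slice(0, eq).trim().toLowerCase();
    const value = directive.slice(eq + 1).split(";")[0].trim();
    const tokens = value === "*" ? ["*"]
      : value.replace(/^\(/, "").replace(/\)$/, "").split(/\s+/).filter(Boolean);
    policy.set(feature, tokens);
  }
  return policy;
}

// Classify how far one sensor feature can reach into embedded frames.
function classify(tokens) {
  if (tokens === undefined) return "default";   // no directive: browser default applies
  if (tokens.length === 0) return "disabled";   // "()" blocks the page and all frames
  if (tokens.every((t) => t === "self")) return "self-only"; // no cross-origin delegation
  return "delegable";                           // "*" or listed origins may be delegated to
}

// Report each motion-sensor feature, plus those that an iframe "allow"
// attribute could still hand to a cross-origin frame.
function auditMotionSensors(header) {
  const policy = parsePermissionsPolicy(header);
  const report = {};
  for (const f of MOTION_FEATURES) report[f] = classify(policy.get(f));
  const reachable = MOTION_FEATURES.filter(
    (f) => report[f] === "default" || report[f] === "delegable");
  return { report, reachable };
}

// Constructed sample headers: a weak policy and a hardened one.
const weak = 'geolocation=(), gyroscope=*, accelerometer=(self "https://ads.example")';
const hardened = "accelerometer=(), gyroscope=(), magnetometer=()";
console.log(auditMotionSensors(weak));
console.log(auditMotionSensors(hardened));
```

Only the `()` form also removes sensor access from scripts running in the page's own document; the header has effect only in browsers that enforce `Permissions-Policy` for these features.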


  • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @05:20PM (#492903)

    Did you RTFS? He's talking about the fact you can do this with javascript running in an unexploited web browser. All someone has to do is get their javascript loaded somehow (probably involving an ad network), in some tab, and wait for you to enter passwords/PINs/etc. in another tab or outside the browser; the attacker doesn't have "remote access" in any usual sense.

  • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @09:21PM (#493070)

    Well, it looks like Apple patched this [appleinsider.com] last year.

  • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @09:42PM (#493083)

    Let's see ... either they have remote access to your phone or they don't (in this case they don't have "remote access" but can theoretically get your PIN). But what good is your PIN if they do not have physical access to the phone? And if they actually have remote access to your phone what good is your PIN?