from the didn't-learn-lessons-from-pinball dept.
The way you tilt your mobile while you're using it could allow hackers to steal your pin numbers and passwords, according to new research.
Experts at Newcastle University analysed the movement of a smartphone as the keyboard was used. They say they cracked four-digit Android pins with 70% accuracy on the first guess and 100% by the fifth guess.
[...] Dr Maryam Mehrnezhad, from the university's school of computing science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors (gyroscope, rotation sensors, accelerometer, etc).
"But because mobile apps and websites don't need to ask permission to access most of them, malicious programmes can covertly 'listen in' on your sensor data." The team said it was able to identify 25 different sensors which come as standard on most devices.
[...] "And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
[...] The researchers found that everything you do - from clicking, scrolling and holding to tapping - led to people holding their phone in a unique way. So on a known webpage, the team was able to work out which part of the page the user was clicking on, and what they were typing, by the way it was tilted.
The pre-publication paper on arxiv adds examples of using iframes or additional tabs to capture sensor data when inputting passwords on webpages.
(Score: 3, Informative) by maxwell demon on Wednesday April 12 2017, @07:13AM (2 children)
When linking to arXiv, please link to the abstract page (I would have linked to a previous comment which explains in detail why, but the SN search function seems to be seriously broken).
The abstract link is: https://arxiv.org/abs/1602.04115 [arxiv.org]
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by kazzie on Wednesday April 12 2017, @08:51AM
As the submitter, I'll bear that in mind. I just used the PDF link that was cited by the BBC.
(Score: 0) by Anonymous Coward on Wednesday April 12 2017, @12:43PM
Try this one [soylentnews.org] or this one. [soylentnews.org]
(Score: 2) by Rosco P. Coltrane on Wednesday April 12 2017, @07:24AM (9 children)
My pin number is 1111. Figure it out from accelerometer data, suckers...
(Score: 2) by arslan on Wednesday April 12 2017, @07:45AM (7 children)
You joke, but it is probably easier to just look over the shoulder of folks in a crowded area to figure it out, no need for all this high tech nonsense....
(Score: 3, Funny) by Rosco P. Coltrane on Wednesday April 12 2017, @08:05AM
Come to think of it, the best defeat method against both sensor-based and over-the shoulder snooping might be holding your cell phone like Michael J. Fox...
(Score: 2) by kazzie on Wednesday April 12 2017, @08:56AM (4 children)
Sure, but this can be done remotely, and on a large scale.
(Score: 1, Insightful) by Anonymous Coward on Wednesday April 12 2017, @09:33AM (3 children)
True, true. And what good is my PIN if you already have remote access to my phone?
(Score: 0) by Anonymous Coward on Wednesday April 12 2017, @05:20PM (2 children)
Did you RTFS? He's talking about the fact you can do this with javascript running in an unexploited web browser. All someone has to do is get their javascript loaded somehow (probably involving an ad network), in some tab, and wait for you to enter passwords/PINs/etc. in another tab or outside the browser; the attacker doesn't have "remote access" in any usual sense.
(Score: 0) by Anonymous Coward on Wednesday April 12 2017, @09:21PM
Well, it looks like Apple patched this [appleinsider.com] last year.
(Score: 0) by Anonymous Coward on Wednesday April 12 2017, @09:42PM
Let's see ... either they have remote access to your phone or they don't (in this case the don't have "remote access" but can theoretically get your PIN). But what good is your PIN if they do not have physical access to the phone? And if they actually have remote access to your phone what good is your PIN?
(Score: 2) by Nerdfest on Wednesday April 12 2017, @11:07AM
Not for the NSA. Well, I guess they do have satellites.
(Score: 2) by isostatic on Wednesday April 12 2017, @01:52PM
Voice recognition. I just say "Destruct Sequence One, code One, One-A"
(Score: 1, Insightful) by Anonymous Coward on Wednesday April 12 2017, @09:00AM (6 children)
Can't this be easily defeated by randomizing the on-screen keyboard for every character?
(Score: 3, Informative) by Nerdfest on Wednesday April 12 2017, @11:09AM
Yes, and that works for screen smudge attacks as well. I think people find it inconvenient.
(Score: 2) by EvilSS on Wednesday April 12 2017, @01:26PM (2 children)
(Score: 2) by urza9814 on Wednesday April 12 2017, @06:43PM (1 child)
I think there's some differences in what you're discussing vs what the article is about, but what you seem to be describing works quite well. Android phones have had the ability to randomize the unlock keypad for a while. I have it enabled on my phone, so every time I go to unlock it the keypad is different. But it's not a problem, it doesn't cause me to mistype my code or forget it or get locked out or anything like that. Although I *do* have problems switching numbers from a phone to a PC numpad..but I find the same effect doesn't happen on the smartphone, probably because of the lack of tactile feedback. You can't feel the keys, so you can't do it blind. And if you have to look at the screen and find the right number already, it doesn't really change that process if you move those numbers around a bit.
But the article seems to be talking about websites, meaning we're probably not talking about a pin pad but a full keyboard. That's a much harder thing to randomize. It's difficult to even change in the first place (try finding a GOOD Android keyboard that supports Dvorak...) And even if you could change it, finding the right one in a hundred keys is a lot harder than one in ten, and you're probably typing something longer than a six digit pin which multiplies the problem further.
Maybe just move the entire keyboard? With the large screens on some modern phones you could have a ~1 key width gutter around the edges of the keyboard, and it could randomly jump left/right/up/down on each keypress. Not as good as randomizing the whole thing, and it would still be easy to guess if you're typing dictionary words, but it'd help with a random password. Would cause some minor difficulty for swipe keyboards though.
Or you could just not give every random app permission to read those sensors...unfortunately even custom Android roms don't seem to have the ability to do that...
(Score: 3, Informative) by EvilSS on Wednesday April 12 2017, @08:17PM
Table of findings : https://blogs.ncl.ac.uk/security/files/2016/02/1.png [ncl.ac.uk]
So both in browser passwords and lock screen PINS as well as other apps as they were able to run in the background.
(Score: 2) by kaszz on Wednesday April 12 2017, @02:50PM
I like the idea. The question is how much software rope arts that will be needed to accomplish it. As the screen lock software which is a security component has to be rewritten. Ie can one put ones own software into that function.
(Score: 2) by bob_super on Wednesday April 12 2017, @06:25PM
Can't this be easily defeated by not letting browser javascript sniff your sensors?
And also, prevent accelerometer reading during pin/password entry?
Actual solutions to the root of the problem...