Smartphone Password Vulnerability Discovered

A study from Nanyang Technological University, Singapore (NTU Singapore) has found a new security breach that hackers could use to guess your phone’s PIN code, using the phone’s physical sensors data.

Sensors in smartphones, like the accelerometer, gyroscope and proximity sensors represent a potential security vulnerability, according to electronics360.globalspec.com.

With a combination of information that was gathered from six different sensors from smartphones and state-of-the-art machine learning and deep learning algorithms, the researchers from NTU have succeeded in unlocking smartphones using the Android operating system with 99.5 percent accuracy within three tries when attempting to unlock a phone with one of the 50 most common PIN numbers.

Before this latest study, the best phone-cracking success rate was 74 percent for the 50 most common PIN numbers, but NTU’s technique can be used to guess all 10,000 possible combinations of four-digit PINs.

The team was led by Dr. Shivam Bhasin, senior research scientist at the Temasek Laboratories at NTU. The researchers used sensors in a smartphone to model which number had been pressed by the owner, based on how the phone was tilted and how much light is blocked by the thumb or fingers. 

The team took Android phones and installed a custom application that collected data from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer and ambient light sensor. “When you hold your phone  and key in the PIN, the way the phone moves when you press one, five, or nine, is very different.  Likewise, pressing one with your right thumb will block more light than if you pressed nine,” explains Dr. Bhasin, who spent 10 months with his colleagues, Mr. David Berend and Dr. Bernhard Jungk, on the project.

The classification algorithm was trained with data that was collected from three people who each entered a random set of 70 four-digit pin numbers on a phone. At the same time, it recorded the relevant sensor reactions.

Using deep learning, the classification algorithm was able to give different weights of importance to each of the sensors, depending on how sensitive each was to the different numbers being pressed. This helps eliminate factors that it believes is less important and increases the success rate for PIN retrieval.

Even though each individual enters the security PIN on their phone differently, the scientists show that as data from more people is fed to the algorithm, success rates are improved.

While a malicious application might not be able to guess a PIN correctly right after installation, with machine learning it could collect data from thousands of users over time from each of their phones to learn their PIN entry pattern and then launch an attack later when the success rate is much higher.

Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, said this study shows how devices with seemingly strong security can be attacked with a side-channel, as a sensor data could be diverted by malicious applications to spy on user behavior and help access PIN, password information and more. “Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behavior. This has significant privacy implications that both individuals and enterprises should pay urgent attention to,” said Lip.

Dr. Bhasin believes it would be advisable for mobile operating systems to restrict access to the six sensors in the future so that users can actively choose to give permissions only to trusted apps that need them.

In order to keep your mobile devices secure, Dr. Bhasin says that users should have PINs with more than four digits with other authentication methods like one-time passwords, two-factor authentication and fingerprint or facial recognition.

I-HLS

You Might Also Read:

Mobile Battery Tracks You Online:

No Phone Is Safe from Hackers & Spies:
 

 

« GDPR Requirements, Deadlines And Facts
A Cyberattack Could Lead To A Nuclear Strike »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

AppRiver

AppRiver

AppRiver is a global provider of cloud-based email and web security solutions that protect businesses worldwide from today's ever-changing online threats.

Octopus Cybercrime Community

Octopus Cybercrime Community

The Octopus Community is a platform for information sharing and cooperation on cybercrime and electronic evidence.

Agesic

Agesic

Agesic is an institution that leads the development of the Digital Government and the Information and Knowledge Society in Uruguay.

Yelbridges

Yelbridges

Yelbridges offer high quality IT security & risk management services to mitigate business risks.

National Cybersecurity Competence Centre (NC3) - Czech Republic

National Cybersecurity Competence Centre (NC3) - Czech Republic

NC3 has been established in response to growing demands for practically applicable products and solutions for ensuring cybersecurity of critical and non-critical information infrastructures.

KBR

KBR

To help governments and other agencies to combat cyber threats, KBR is safeguarding their most valuable systems with sophisticated tools, hardware and training.

About Cyber Security.

About Cyber Security.

About Cybersecurity provides a galaxy-wide knowledge base of cybersecurity tactics and techniques derived from actual experience.

Red Sky Alliance

Red Sky Alliance

Red Sky Alliance (Wapack Labs Corp) is a cyber threat intelligence firm that delivers proprietary intelligence data, analysis and in-depth strategic reporting.

GitProtect.io

GitProtect.io

​GitProtect is a fully manageable, professional GitHub and Bitbucket backup and recovery software that protects repositories and metadata from any event of failure.

AB Handshake

AB Handshake

AB Handshake offers a game-changing solution for telecom service providers that eliminates fraud on inbound and outbound voice traffic.

People Driven Technology

People Driven Technology

People Driven Technology is a customer-obsessed organization. We leverage our decades of business, technology, and engineering experience to deliver outcomes for our clients.

Curatrix Technologies

Curatrix Technologies

Curatrix Technologies is a Managed IT Service provider based in Hampshire, UK, providing high quality and reliable Managed IT Services since 2015.

First Focus

First Focus

First Focus is a managed service provider for medium-sized organisations.

Miggo Security

Miggo Security

Miggo is the first Application Detection and Response (ADR) platform on a mission to stop application breaches.

iTRUSTXForce

iTRUSTXForce

iTRUSTXForce is a global provider of DigitalX (cybersecurity, privacy, and digital trust) services. We offer comprehensive services that focus on delivering outcomes for our clients.

SignalRed

SignalRed

SignalRed provides the cutting edge next-generation penetration testing and secure development solutions to startups and large enterprises.