A neural network helped researchers crack smartphone PINs using built-in motion sensors
A simple exploit could guess a four-digit security code with surprising accuracy
Modern smartphones have a wealth of sensors inside, from accelerometers to gyroscopes. While sensors like these make the phones more powerful—allowing you to use your phone’s orientation as an input mechanism in a video game, for example—they also present a potential way for hackers to figure out a four-digit pin, new research reveals.
Computer scientists from Newcastle University in the United Kingdom found that by monitoring sensors like the phone’s accelerometer, gyroscope, and magnetometer, which detect things like the device’s motion and orientation, they were able to figure out a user’s pin 74 percent of the time on just the first guess. That number rose to 94 percent by the third try.
The entry point for the attack to detect the PIN was a javascript exploit delivered through the browser on the phone. All a smartphone user had to do was click on a link that had malicious software that would then detect the phone’s sensor data in the background.
Maryam Mehrnezhad, a research fellow in the School of Computing Science at Newcastle University and the first author on a new study in the International Journal of Information Security, says that everyday activities like picking up your phone, walking, or running create “distinct patterns” in the sensor data. And that has privacy implications. “You don’t want, for example, an insurance company to know if you’re an active user, or you’re a lazy person,” she says.
By snooping on the sensor data when users were entering their pins, the researchers were able to infer what those four-digit codes were with a “high accuracy,” she says. To get there, first they used data from people actually keying in their pins to train an artificial neural network.
In the case of Safari, Mehrnezhad says that their method worked even when the phone was locked after the link had been clicked on, meaning that it could then detect the pin typed in to unlock the phone. “We reported it to [Apple] and they fixed it,” she says. That fix happened last year as part of the iOS 9.3 update. She adds that they told all the major browsers about the problem; Firefox, for example, said they fixed it last year. (As for the Chrome browser, a Google representative said in an email that “the team is aware and is looking into the issue.”)
The kinds of sensors that Mehrnezhad is studying are in a multitude of places, from smartphones to smart cities, she says. “And if these sensors are not managed securely and properly,” she warns, “they can reveal basically everything about you.”
Mehrnezhad’s team is not the first to show that sensors are a vulnerability—Kevin Fu, an associate professor of electrical engineering and computer science at the University of Michigan, has also demonstrated that the accelerometers in devices are a path to manipulate them, the New York Times reported last month.
“Sensors may represent the weakest link in IoT security,” Fu said, in an email, referring to the Internet of Things. “So ubiquitous, yet so untrustworthy and so poorly understood.”
This article has been updated to include a comment from a Google representative.
