David Berend, Bernhard Jungk, and Shivam Bhasin published their findings in a research paper for the International Association for Cryptologic Research (IACR). As if the security threats we face every day aren’t already enough, the trio figured out a way to unlock a victim’s smartphone within three attempts, and with a success rate of 99.5%.
The demonstrated attack works by collecting data from a smartphone’s sensors and running it through an algorithm to figure out the PIN with scary accuracy. It is laughably easy for any app installed on a smartphone to get sensor data, and it’s not something one would pay much attention to either, unlike turning off permissions for location and microphone track.
Bhasin, Berend, and Jungk loaded a custom app on an Android smartphone, which collected information from six sensors in the smartphones – accelerometer, magnetometer, ambient light sensor, gyroscope, rotation sensor, and barometer – every time they entered a PIN on their smartphone.
Security researchers from Singapore and Germany collaborated to figure out a brand new way of hacking PINs used to unlock smartphones or verify users before letting them into any apps. The method of phone hacking works by tapping into sensor data, which has been tried in the past, but not with the kind of accuracy of this latest attempt.
David Berend, Bernhard Jungk, and Shivam Bhasin published their findings in a research paper for the International Association for Cryptologic Research (IACR). As if the security threats we face every day aren’t already enough, the trio figured out a way to unlock a victim’s smartphone within three attempts, and with a success rate of 99.5%.
The demonstrated attack works by collecting data from a smartphone’s sensors and running it through an algorithm to figure out the PIN with scary accuracy. It is laughably easy for any app installed on a smartphone to get sensor data, and it’s not something one would pay much attention to either, unlike turning off permissions for location and microphone track.
Bhasin, Berend, and Jungk loaded a custom app on an Android smartphone, which collected information from six sensors in the smartphones – accelerometer, magnetometer, ambient light sensor, gyroscope, rotation sensor and barometer – every time they entered a PIN on their smartphone.
The trio had already collected the sensor data in testing for each number. Now they trained an algorithm to figure out which numbers are most likely to have been pressed for a certain set of sensor values – matched to their test models. This way, they could figure out a pin easily. How easily? They could figure out the correct pin 99.5% of the time!
Previous attempts at using this same method maxed out at 74% accuracy, so we’d say this is impressively scary. The researchers consider this a major flaw in smartphone security, since all the sensors used by the researchers’ are available to any Android app without any permission from the user, making it extremely easy for an attacker to implement a similar attack on their victim. The researchers say that smartphone apps should require explicit permissions from the users before being given access to sensor data.