Meet PINLogger: The exploit that steals smartphone PINs
Researchers reveal how mobile sensors can be used to extract sensitive personal information.
Smartphones have become so ubiquitous that they are being virtually used as wearable monitors. The built-in sensors that phones boast of, have made access and self-monitoring, specially for fitness, much easier. Researchers have now revealed that these very sensors can be used to extract sensitive personal information.
How Sensitive Data is Collected
Sensors like accelerometer and gyroscope sensors, if used well, can provide precise details about an individual. Such details include the exact time of phone calls, movement speeds, etc.
In fact, research shows the possibility of deploying tactics to steal user PINs by using mobile sensors.
While sensors reveal a plethora of information, the keystrokes being entered are almost certainly the most sensitive.
Data that can be extracted from it include personal identification numbers used to unlock devices or to log in to sites that are protected by two-factor authentication. Keylogging attacks are most successful at guessing four-digit pins, with a surprising accuracy of 74% on the first try.
A random guess may only have a 2% chance of hitting the jackpot. But clubbing artificial neural network training with data from sensors reaches a success rate of nearly 100% in five attempts.
The researchers performed a separate round of training that evaluated all possible four-digit PINs. The first mode, known as multiple-users mode, was trained using several subjects. The other mode, known as same-user mode, relied on the training of the individual being targeted in the attack.
The results in our multiple-users mode indicate that we can infer the digits with a success probability of 70.75, 83.27, and 94.03 percent in the first, second, and third attempts, respectively. This means that for a 4-digit PIN and based on the obtained sensor data, the attacker can guess the PIN from a set of 34 = 81 possible PINs with a probability of success of 0.92064 = 71.82 percent. A random attack, however, can only predict the 4-digit PIN with the probability of 0.81 percent in 81 attempts. By comparison, PINlogger.js achieves a dramatically higher success rate than a random attacker.
The extent to which data can be extracted varies with the amount of sensor access in different browsers.
Browser provided by Chinese-US Web services company Baidu has the greatest access to sensors. Hence, it has the most chances of passing sensitive data from malicious websites open directly or in background tabs, even when the device screen is off.
Meanwhile, the Google browser for iOS is known to block access to all sites loaded into background tabs. Chrome for Android too, only show signs of vulnerability if a malicious website is directly loaded. Similar traits appeared in Firefox and Safari, except that Safari on iOS could access codes while device screen was locked.
While these updates reduced vulnerability, they had to compromise with some features provided by fitness websites. There seems to be no definitive solution to fortify websites without taking away certain features.
Hence, designing a general mechanism for secure and usable sensor data management remains a crucial open problem for future research.