Malc0de CyberNet
Fulfill your daily dose of Security & Tech News.

Meet PINLogger: The exploit that steals smartphone PINs

Researchers reveal how mobile sensors can be used to extract sensitive personal information.


Smartphones have become so ubiquitous that they are virtually being used as wearable monitors. Their built-in sensors have made access and self-monitoring, especially for fitness, much easier. Researchers have now revealed that these very sensors can be used to extract sensitive personal information.

Researchers from Newcastle University, UK, demonstrated this using attack code they wrote, called PINLogger.js. The JavaScript could easily infer user input from sensor data, without showing any external sign that it was doing so.

This shows how malicious webpages can give attackers access to data collected by sensors. Legitimate sites can also serve malicious ads or content through HTML iframe tags. These ads can carry simple JavaScript code that accesses the motion and orientation sensors built into almost all devices.

How Sensitive Data is Collected

Sensors such as the accelerometer and gyroscope, if used well, can provide precise details about an individual. Such details include the exact time of phone calls, movement speeds, etc.

In fact, research shows the possibility of deploying tactics to steal user PINs by using mobile sensors.

While sensors reveal a plethora of information, the keystrokes being entered are almost certainly the most sensitive.

Data that can be extracted from keystrokes includes personal identification numbers used to unlock devices or to log in to sites that are protected by two-factor authentication. Keylogging attacks are most successful at guessing four-digit PINs, with a surprising accuracy of 74% on the first try.

A random guess may have only a 2% chance of hitting the jackpot. But combining artificial neural network training with data from sensors reaches a success rate of nearly 100% in five attempts.

The researchers performed a separate round of training that evaluated all possible four-digit PINs. The first mode, known as multiple-users mode, was trained using several subjects. The other mode, known as same-user mode, relied on training with the individual being targeted in the attack.

The results in our multiple-users mode indicate that we can infer the digits with a success probability of 70.75, 83.27, and 94.03 percent in the first, second, and third attempts, respectively. This means that for a 4-digit PIN and based on the obtained sensor data, the attacker can guess the PIN from a set of 3^4 = 81 possible PINs with a probability of success of 0.9206^4 = 71.82 percent. A random attack, however, can only predict the 4-digit PIN with the probability of 0.81 percent in 81 attempts. By comparison, PINlogger.js achieves a dramatically higher success rate than a random attacker.

Susceptible Browsers

The extent to which data can be extracted varies with the amount of sensor access in different browsers.

The browser provided by Chinese-US Web services company Baidu has the greatest access to sensors. Hence, it is the most likely to pass sensitive data to malicious websites opened directly or in background tabs, even when the device screen is off.

Meanwhile, the Google browser for iOS is known to block access for all sites loaded into background tabs. Chrome for Android, too, only shows signs of vulnerability if a malicious website is directly loaded. Similar traits appeared in Firefox and Safari, except that Safari on iOS could access codes while the device screen was locked.

Mobile browser access to the orientation and motion sensor data on Android and iOS under different conditions. A yes (in italics) indicates a possible security leakage vector. A yes (in italics and underlined) indicates a possible security leakage vector only in the case when the browser was active before the screen is locked. Credits: Mehrnezhad, et al.

Possible Solutions

The results of the study were sent to Chrome, Firefox, Safari, and Opera. Mozilla issued a partial fix in version 46, which restricted JavaScript access to motion and orientation sensors to same-origin iframes. Safari took a similar countermeasure by suspending the availability of motion and orientation data when a page is hidden. Chrome developers have also addressed the situation.
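
The two countermeasures described above can be modelled as a single access decision. The following is an added example, not code from any browser or from the researchers; the function names, field names and example.test hosts are hypothetical, and combining both rules in one check is an assumption made for illustration.

```javascript
// Added illustration; function and field names are hypothetical and this is
// a model of the described policies, not code from any browser.

// An origin is scheme + host + port. URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// ctx.topUrl:     URL of the top-level page
// ctx.frameUrl:   URL of the iframe asking for events, or null for the page itself
// ctx.visibility: "visible" or "hidden" (background tab, locked screen)
function sensorAccessAllowed(ctx) {
  // Safari-style rule: no motion/orientation data while the page is hidden.
  if (ctx.visibility !== "visible") {
    return { allowed: false, reason: "page hidden" };
  }
  // Mozilla-style rule: only the top-level document and same-origin iframes.
  if (ctx.frameUrl !== null && originOf(ctx.frameUrl) !== originOf(ctx.topUrl)) {
    return { allowed: false, reason: "cross-origin iframe" };
  }
  return { allowed: true, reason: "top-level or same-origin" };
}

// Constructed scenarios; the example.test hosts are placeholders.
const TOP = "https://shop.example.test/checkout";
const scenarios = [
  { name: "top-level page", topUrl: TOP, frameUrl: null, visibility: "visible" },
  { name: "same-origin widget", topUrl: TOP, frameUrl: "https://shop.example.test:443/pin", visibility: "visible" },
  { name: "third-party ad", topUrl: TOP, frameUrl: "https://ads.example.test/banner", visibility: "visible" },
  { name: "subdomain frame", topUrl: TOP, frameUrl: "https://cdn.shop.example.test/w", visibility: "visible" },
  { name: "plain-http frame", topUrl: TOP, frameUrl: "http://shop.example.test/w", visibility: "visible" },
  { name: "background tab", topUrl: TOP, frameUrl: null, visibility: "hidden" },
];

function evaluateScenarios() {
  return scenarios.map((s) => ({ name: s.name, ...sensorAccessAllowed(s) }));
}

for (const r of evaluateScenarios()) {
  console.log(`${r.name.padEnd(20)} ${r.allowed ? "allow" : "deny "}  (${r.reason})`);
}
```

Note that a subdomain or a different scheme counts as a different origin, so an ad frame served from a sibling host is denied under the same-origin rule even when it looks related to the embedding site.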

While these updates reduced vulnerability, they had to compromise on some features provided by fitness websites. There seems to be no definitive solution to fortify websites without taking away certain features.

Access to mobile sensor data via JavaScript is limited to only a few sensors at present. As the access expands, with IoT becoming a rapidly developing field, more vulnerabilities might emerge. Until a solution is reached, openings remain for attackers.

Hence, designing a general mechanism for secure and usable sensor data management remains a crucial open problem for future research.