For those who haven’t jumped on the Fitbit bandwagon, the internal motion sensors in smartphones are a godsend for logging things like step counts. But those same sensors are also hackers’ latest doorway to accessing your sensitive data.
Here’s how it works:
In findings published in the International Journal of Information Security, cyber experts from Newcastle University in the United Kingdom revealed hackers are able to glean PINs and passwords using the tilt data recorded by motion sensors when users enter those access keys.
Researchers demonstrated it is possible to decipher four-digit PINs with 70 percent accuracy on the first try just by analyzing motion data. That cracking figure jumps to 100 percent by the fifth guess, they found.
“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer. But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs, and passwords,” Dr. Maryam Mehrnezhad, Research Fellow in the Newcastle University School of Computing Science and lead author on the paper, explained.
Mehrnezhad said she and her team discovered that on some browsers, when users open a page with malicious code and then open another page without closing out of the previous tab, hackers can spy on personal information. Even worse, she said, hackers can use that open page with nasty code to snoop around even when a user’s device is locked.
Mehrnezhad’s team has called the issue to the attention of dominant browser providers like Google and Apple. Some, like Mozilla Firefox and Apple Safari, have come up with partial fixes, but Mehrnezhad noted a complete solution has yet to be developed.
“It’s a battle between usability and security,” she observed. “One way would be to deny access to the browser altogether but we don’t want to lose all the benefits associated with in-built motion sensors.”
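The background-tab and locked-screen exposure described above comes down to motion events still reaching a page that is no longer in the foreground. The sketch below is an added example, not code from the researchers or from any browser vendor: it shows a foreground-only delivery policy that a site could install ahead of third-party scripts on its own pages. The names `installSensorGuard` and `demo` are hypothetical, and the demo uses a constructed stand-in for `window` and `document`.

```javascript
// Motion and orientation events that expose tilt data to page scripts.
const SENSOR_EVENTS = new Set(['devicemotion', 'deviceorientation', 'deviceorientationabsolute']);

// target: window-like object; doc: document-like object (visibilityState, hasFocus()).
// Returns an audit log of sensor-listener registrations and suppressed deliveries.
function installSensorGuard(target, doc) {
  const log = [];
  const wrappers = new WeakMap(); // original listener -> guarded wrapper
  const add = target.addEventListener.bind(target);
  const remove = target.removeEventListener.bind(target);

  target.addEventListener = (type, listener, options) => {
    if (!SENSOR_EVENTS.has(type) || typeof listener !== 'function') {
      return add(type, listener, options);
    }
    log.push({ action: 'registered', type });
    let guarded = wrappers.get(listener);
    if (!guarded) {
      guarded = function (event) {
        // Deliver only while the page is the visible, focused tab.
        if (doc.visibilityState !== 'visible' || !doc.hasFocus()) {
          log.push({ action: 'suppressed', type: event.type });
          return undefined;
        }
        return listener.call(this, event);
      };
      wrappers.set(listener, guarded);
    }
    return add(type, guarded, options);
  };
  target.removeEventListener = (type, listener, options) =>
    remove(type, wrappers.get(listener) || listener, options);
  return log;
}

// Constructed demo: EventTarget and a plain object stand in for window/document.
function demo() {
  const win = new EventTarget();
  const doc = { visibilityState: 'visible', hasFocus: () => true };
  const log = installSensorGuard(win, doc);
  let delivered = 0;
  const onMotion = () => { delivered += 1; };
  win.addEventListener('devicemotion', onMotion);
  win.dispatchEvent(new Event('devicemotion')); // foreground: delivered
  doc.visibilityState = 'hidden';               // background tab or locked screen
  win.dispatchEvent(new Event('devicemotion')); // suppressed and logged
  win.removeEventListener('devicemotion', onMotion);
  return { delivered, log };
}
```

The guard only governs function listeners registered through `addEventListener` after it is installed in the same page, and it has no effect on other tabs, so it complements browser-level restrictions and does not replace them.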
You can read more about the team’s research and findings here.