Smartphone Password Vulnerability Discovered

A study from Nanyang Technological University, Singapore (NTU Singapore) has demonstrated a new side-channel attack in which an attacker infers a phone’s PIN from the data produced by the phone’s physical sensors.

Sensors in smartphones, such as the accelerometer, gyroscope and proximity sensor, represent a potential security vulnerability, according to electronics360.globalspec.com.

Combining readings from six smartphone sensors with state-of-the-art machine learning and deep learning algorithms, the NTU researchers recovered the PIN of Android phones with 99.5 percent accuracy within three guesses when the phone was protected by one of the 50 most common PINs.

Before this study, the best reported success rate against the 50 most common PINs was 74 percent, and NTU’s technique is not limited to that list: it can be used to rank all 10,000 possible four-digit PINs.

The team was led by Dr. Shivam Bhasin, senior research scientist at the Temasek Laboratories at NTU. The researchers used the phone’s own sensors to model which key had been pressed, based on how the phone tilted and how much light was blocked by the user’s thumb or fingers.

The team took Android phones and installed a custom application that collected data from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer and ambient light sensor. “When you hold your phone and key in the PIN, the way the phone moves when you press one, five, or nine, is very different. Likewise, pressing one with your right thumb will block more light than if you pressed nine,” explains Dr. Bhasin, who spent 10 months on the project with his colleagues, Mr. David Berend and Dr. Bernhard Jungk.

The classification algorithm was trained on data collected from three people who each entered a random set of 70 four-digit PINs on a phone while the application recorded the corresponding sensor readings.

Using deep learning, the classifier learned to assign a different weight to each sensor according to how strongly its readings changed with the key being pressed. This suppresses the sensors that carry little signal and raises the success rate of PIN recovery.
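To make that pipeline concrete, the following Python simulation is an added example written for this page; it is not the NTU team’s code and it runs on constructed sensor data, not real measurements. The channel names, the “signature” each key leaves on each channel, the noise levels and the victim PIN are all assumptions. It follows the setup described above (several users each entering random four-digit PINs while an app records six channels), trains a per-digit Gaussian naive Bayes classifier in place of the study’s deep network, ranks every one of the 10,000 four-digit PINs by likelihood, and reports where the real PIN lands, which is the “within three guesses” figure in practice. It also measures how well each channel separates the ten digits, the sensor weighting just described: a channel that carries no key-dependent signal ends up with near-zero weight.

```python
import math
import random
from itertools import product

DIGITS = "0123456789"
# Stand-ins for the six sensors in the study (assumed channel names).
CHANNELS = ["accel_x", "gyro_y", "light", "proximity", "magnetometer", "barometer"]
NOISE_SD = 0.2   # per-keypress measurement noise (assumption)
USER_SD = 0.1    # per-user grip/posture offset (assumption)


def keypad_position(digit):
    """Row and column of a digit on a 3x4 phone keypad; '0' sits below '8'."""
    if digit == "0":
        return 3, 1
    return divmod(int(digit) - 1, 3)


def key_signature(digit):
    """Constructed physics: the mean shift each key leaves on each channel.

    Left/right keys tilt the phone about one axis, top/bottom keys about
    another, and a thumb over the upper-left keys shades the light sensor
    most. Magnetometer and barometer carry no key-dependent signal at all,
    so a good model has to learn to ignore them.
    """
    row, col = keypad_position(digit)
    return {
        "accel_x": 1.5 * (col - 1),
        "gyro_y": 1.5 * (row - 1.5),
        "light": 2.0 - 0.5 * (row + col),
        "proximity": 0.5 * row,
        "magnetometer": 0.0,
        "barometer": 0.0,
    }


def simulate_entry(pin, rng, user_offset):
    """One sensor snapshot per keypress: signature + user offset + noise."""
    return [
        {c: key_signature(d)[c] + user_offset[c] + rng.gauss(0, NOISE_SD) for c in CHANNELS}
        for d in pin
    ]


def collect_training_data(rng, n_users=3, pins_per_user=70):
    """Mirror the study's data collection: each user types random 4-digit PINs."""
    samples = []
    for _ in range(n_users):
        offset = {c: rng.gauss(0, USER_SD) for c in CHANNELS}
        for _ in range(pins_per_user):
            pin = "".join(rng.choice(DIGITS) for _ in range(4))
            samples.extend(zip(pin, simulate_entry(pin, rng, offset)))
    return samples


def train(samples):
    """Gaussian naive Bayes: per-digit mean and variance of every channel."""
    by_digit = {d: {c: [] for c in CHANNELS} for d in DIGITS}
    for digit, obs in samples:
        for c in CHANNELS:
            by_digit[digit][c].append(obs[c])
    model = {}
    for d in DIGITS:
        model[d] = {}
        for c in CHANNELS:
            xs = by_digit[d][c]
            mean = sum(xs) / len(xs)
            var = sum((x - mean) ** 2 for x in xs) / len(xs) + 1e-6
            model[d][c] = (mean, var)
    return model


def log_likelihood(model, digit, obs):
    """log p(obs | digit) under the per-channel Gaussians."""
    total = 0.0
    for c in CHANNELS:
        mean, var = model[digit][c]
        total += -0.5 * math.log(2 * math.pi * var) - (obs[c] - mean) ** 2 / (2 * var)
    return total


def rank_candidates(model, traces, candidates):
    """Order candidate PINs from most to least likely given the four traces."""
    def score(pin):
        return sum(log_likelihood(model, d, t) for d, t in zip(pin, traces))
    return sorted(candidates, key=score, reverse=True)


def channel_informativeness(model):
    """Between-digit variance of the means / within-digit variance, per channel.

    This is the weight the classifier effectively gives each sensor: a channel
    whose readings do not depend on the key pressed scores close to zero.
    """
    out = {}
    for c in CHANNELS:
        means = [model[d][c][0] for d in DIGITS]
        grand = sum(means) / len(means)
        between = sum((m - grand) ** 2 for m in means) / len(means)
        within = sum(model[d][c][1] for d in DIGITS) / len(DIGITS)
        out[c] = between / within
    return out


def run_attack(seed=7, true_pin="4290"):
    """Train on three users, then attack a fourth user's PIN entry (constructed)."""
    rng = random.Random(seed)
    model = train(collect_training_data(rng))
    victim_offset = {c: rng.gauss(0, USER_SD) for c in CHANNELS}
    traces = simulate_entry(true_pin, rng, victim_offset)
    all_pins = ["".join(p) for p in product(DIGITS, repeat=4)]
    ranking = rank_candidates(model, traces, all_pins)
    return {
        "rank": ranking.index(true_pin) + 1,   # 1 means the first guess is right
        "top3": ranking[:3],
        "informativeness": channel_informativeness(model),
    }


if __name__ == "__main__":
    result = run_attack()
    print("true PIN ranked", result["rank"], "of 10000; first guesses:", result["top3"])
    for c, w in sorted(result["informativeness"].items(), key=lambda kv: -kv[1]):
        print(f"{c:>13}: {w:8.2f}")
```

The separation between keys in the constructed signatures is deliberately large relative to the noise, so the simulated attack lands the real PIN in the first few guesses; on real hardware the gap is far smaller, which is why the study needed deep learning and data from many users. Note that `magnetometer` and `barometer` come out with informativeness near zero, while the tilt channels dominate, reproducing the sensor weighting described above.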

Even though each person enters a PIN on their phone differently, the researchers showed that success rates improve as data from more people is fed to the algorithm.

A malicious application might not be able to guess a PIN correctly right after installation, but it could collect sensor data from thousands of users over time, learn their PIN-entry patterns, and launch the attack later when its success rate is much higher. Nothing stops the collection: on Android, motion and environment sensors can be read by any installed app without a permission prompt, unlike the camera or microphone.

Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, said the study shows how devices with seemingly strong security can be attacked through a side-channel: sensor data can be diverted by malicious applications to spy on user behaviour and help recover PINs, passwords and more. “Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behavior. This has significant privacy implications that both individuals and enterprises should pay urgent attention to,” said Professor Gan.

Dr. Bhasin believes mobile operating systems should restrict access to these six sensors in future, so that users can choose to grant access only to trusted apps that need it.

To keep mobile devices secure, Dr. Bhasin advises using PINs longer than four digits, combined with other authentication methods such as one-time passwords, two-factor authentication and fingerprint or facial recognition.

I-HLS
