According to a research conducted by NTU, hackers are able to guess the PIN on your phone by exploiting its sensor data.
Hackers may be able to unlock a smart phone by guessing the security PIN using data obtained from the many physical sensors included inside the device.
According to researchers from Nanyang Technological University, Singapore (NTU Singapore), instruments found in smart phones such as the accelerometer, gyroscope, and proximity sensors represent a potential security vulnerability. Their findings were published on December 6 in the open-access Cryptology ePrint Archive.
The researchers were able to unlock Android smart phones with a success rate of 99.5% after only three attempts when working with a phone that had one of the 50 most common PIN numbers. This was accomplished by using information gathered from six different sensors found in smart phones in conjunction with cutting-edge machine learning and deep learning algorithms.
The previous greatest success rate for hacking a phone was 74% for the 50 most frequent pin numbers; however, the method developed by NTU may be used to guess all 10,000 potential permutations of four-digit PINs.
Researchers at Temasek Laboratories @ NTU, led by Dr. Shivam Bhasin, NTU Senior Research Scientist, used sensors in a smart phone to model which number had been pressed by its users. The researchers based their model on the angle at which the phone was held as well as the amount of light that was blocked by the thumb or fingers.
The researchers feel that their study shows a serious vulnerability in the security of smart phones. This is due to the fact that accessing the sensors included inside the phones does not need the user to provide any rights, and they are readily accessible for any software to use.
The manner in which the studies were carried out
The team of researchers used Android phones and installed a unique program on each one. This application gathered data from six different sensors, including the accelerometer, gyroscope, magnetometer, proximity sensor, and barometer.
“When you hold your phone and type in the PIN, the phone moves in a totally different manner depending on whether you touch the number one, five, or nine. Additionally, hitting 1 with your right thumb will obstruct more light than pushing 9 would “Dr. Bhasin, who worked on the project with his colleagues Mr. David Berend and Dr. Bernhard Jungk, reveals that they worked on it for a total of ten months.
The classification system was trained using data acquired from three persons, each of whom input a random set of 70 four-digit pin numbers on a phone. These numbers were used to train the algorithm. Additionally, it was recording the pertinent sensor responses at the same time.
The classification system, which utilizes a technique known as deep learning, was able to assign varying degrees of significance to each of the sensors, based on how sensitive each sensor was to the various numbers that were pushed. This helps reduce aspects that it determines to be of less importance, which in turn raises the percentage of successful PIN retrievals.
Despite the fact that each person enters the security PIN on their phone in a manner that is unique to them, the researchers demonstrated that over time, success rates increased as the algorithm was given data from an increasing number of users.
Therefore, even while a malicious app would not be able to properly guess a PIN right away after installation, it might utilize machine learning to gather data over time from thousands of users’ phones to learn their PIN input pattern and then launch an attack later when the success rate is considerably greater.
According to Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, this study demonstrates how devices with seemingly strong security can be attacked using a side-channel. Professor Gan Chee Lip explained that sensor data could be diverted by malicious applications to spy on user behavior and help access PIN and password information, as well as other sensitive information.
“In addition to the risk of passwords falling into the wrong hands, our primary fear is that access to the information stored on a user’s phone sensors might expose much too much about the user’s behavior. This has enormous consequences for privacy, and businesses and people alike should give it the urgent attention it requires “added Prof Gan.
According to Dr. Bhasin, it would be beneficial for mobile operating systems to limit access to these six sensors in the future. This would allow users to actively select to provide rights to only reliable applications that have a need for them.
Dr. Bhasin recommends that users of mobile devices have PINs that include more than four digits, in addition to other authentication techniques such as one-time passwords, two-factor authentications, and fingerprint or face recognition. This will help users keep their mobile devices safe.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
