Mobile phone motion sensors can be used to crack your PIN

A new study has revealed just how easy it is for hackers to use the sensors in mobile devices to crack four-digit PINs and to access a wide variety of other information about users.

Cyber-security experts from Newcastle University in the U.K. found that once a mobile user visits a website, code embedded on the page could then use the phone's motion and orientation sensors to correctly guess the users' PIN. This worked on the first attempt 75 per cent of the time, and by the third try 94 per cent of the time.

The study, published in the International Journal of Information Security this week, also found that most people have little idea of what the sensors in our phones can do and the security vulnerabilities they pose.

The researchers identified 25 different sensors that are now standard on most phones. Yet websites and apps only ask for permission to use a small fraction of these — GPS and camera, for example.

Downside of fitness tracking

"A lot of these sensors came to help people have a better experience when they work with these devices, and they bring a lot of advantages to our lives," said Maryan Mehrnezhad, a research fellow in Newcastle's school of computing science and lead author of the paper.

Examples of these include the accelerometer and gyroscope sensors that enable the fitness-tracking apps so popular with cellphone users.

Yet the sensor technology is well ahead of any regulatory restrictions pertaining to our privacy, said Mehrnezhad in an interview with CBC News.

She and her colleagues mimicked what's known as a "side channel attack" on Android mobile phones using a website embedded with JavaScript code.

The results show that the attack site could learn details such as the timing of phone calls, whether the user is working, sitting or running, as well as any touch activity, including PINs, she said.

Underestimating risk

The second part of the study evaluated people's understanding of these risks.

Interviews with around 100 mobile users found that most people are not aware of the sensors on their mobile devices, said Mehrnezhad, and that there is "significant disparity" between the actual risk and perceived risk of having a compromised PIN.

• OPINION: Being addicted to technology is not the same as being tech literate

In fact, as the sensors were being developed, even the phone manufacturers didn't have a clear understanding of the risks associated with them, said Urs Hengartner, an associate professor in computer science at the University of Waterloo.

"Everybody thought that accelerometer data and gyroscope data is not sensitive, so there's no need to ask for permission. Now research shows that it is an issue," said Hengartner in an interview with CBC News.

"These are security researchers that figured this out, and so nobody else seems to have known, not the browser vendors, not the operating system vendors and definitely not the general public."

Solving the problem is "a big research challenge," he said, in part because users may not understand the implications of what they're being asked by an app or website and may simply default to saying yes.

Decision fatigue

Research has shown that when people get tired of being asked for permission, they default to saying yes so they can access the website they want to visit or use the app they need, said Hengartner. 

Some browsers have begun asking for permissions for things like location data, but there is no uniform standard for doing so, he said.

• ANALYSIS: WikiLeaks CIA documents raise hacking fears — should we worry about our devices?

As study author Mehrnezhad notes, tech companies also don't want to sacrifice the convenience and functionality we've come to expect of our mobile devices.

"It's a battle between security and privacy on one hand and usability issues on the other hand," she said — and it's only going to get more important.

"Sensors are going to be everywhere. The problem will get more serious when smart kitchens, smart homes and smart cities are connected via the internet of things," she said.

Preventive measures

It sounds obvious, but the first step users should take to protect themselves is to choose more complex passcodes. Previous research has found that 27 per cent of all possible four-digit PINs belong to a set of 20 that include dead-easy combinations such as "1111" or "1234," said Mehrnezhad.

"I know people hate it because it's not convenient," she said, but it's also critical to change your passwords regularly.

In addition, keep your operating systems up to date, only download apps from trusted sources like Google Play or the App Store, delete apps you're not using, and close both apps and browser tabs when you're done using them, she said.