Smartphone sensors can help reveal PIN codes

Security researchers have found that data captured by smartphone sensors could help criminals guess codes used to lock the gadgets.

By analyzing data gathered by accelerometers they were able to get a good idea of the PIN or pattern used to protect a phone.

The data was useable because sensors can gather information with more freedom than apps loaded on the device.

Researchers said several different smartphone sensors could be subverted.

Dr. Adam J. Aviv, a visiting professor at Swarthmore College in Pennsylvania, carried out the attacks by using data gathered by an accelerometer on a smartphone. Typically this sensor logs phone movements in three dimensions: side-to-side, forward-and-back and up-and-down.

The data gathered as the phone is moved is often used in games to steer or guide an onscreen entity such as a car or a ball.

Working with Matt Blaze, Benjamin Sapp and Jonathan Smith from the University of Pennsylvania, Dr. Adam J. Aviv realized that the data gathered by the accelerometer could also be used to work out where someone tapped on a screen when unlocking a gadget with a PIN or pattern.

In controlled tests, data from accelerometers was captured, exported and analyzed to see if it matched a bigger “dictionary” of taps and swipes that had been previously gathered.

“It worked surprisingly well,” said Dr. Adam J. Aviv of the attack. In tests, the software developed by the team got more accurate the more guesses it was allowed.

After five guesses it could spot PINs about 43% of the time and patterns about 73% of the time. However, said Dr. Adam J. Aviv, these results were produced when PINs and patterns were picked from a 50-strong set of numbers and shapes.

The PIN and pattern spotting system did less well when it was applied to data gathered when users were walking around with gadgets. Using a phone while on the move introduced lots more “noise”, said Dr. Adam J. Aviv which made it harder to pick out the unlock patterns.

However, he said, many security researchers were getting interested in the sensors that came as standard in smartphones largely because the data they gathered was not subject to the same controls that governs other phone functions.

“More sensors on smartphones equals a lot more data flowing through these devices, which means protecting them is even more critical,” said Kevin Mahaffey, chief technology officer at mobile security firm Lookout.

“One kink or hole in the system could lead to data being exposed and utilized,” he said.

“As the physical and digital worlds merge, and we become more reliant on the interconnections forged, we need to collaborate across them to ensure the integrity of data.”

Dr. Adam J. Aviv said that typically users did not have to give permission for a sensor to gather data even if the information it grabbed had nothing to do with the application they were using.

Other researchers had looked into ways to subvert data gathered by gyroscopes, accelerometers and other orientation sensors to work out passwords, said Dr Aviv. One group even analyzed smears on touchscreens to get clues about Pins and patterns.

“We are starting to realize that the way we interact with these devices affects the security of these devices,” he said.

“The fact that we hold them in our hands is different to the way we use traditional computers and that actually can leak information to sensors in the device.”