It turns out that the sensors in your smartphone – the ones that do all kinds of cool, magical things like giving you directions, finding your friends, letting your Uber or Lyft driver find you, counting the steps in your workout, telling you where traffic is bad, and a host of other conveniences – have a not-so-cool downside.
According to researchers from the Nanyang Technological University (NTU) in Singapore, malicious apps on your phone could use the datastream from those sensors to build up information on how the phone is used and ultimately guess the phone’s PIN.
The researchers’ algorithm was able to guess a PIN with a 99.5% accuracy on the first try using a list of the top 50 most common PINs, although the success rate went down to 83.7% when it tried to guess all 10,000 possible combinations of four-digit PINs within 20 tries.
There’s no barrier to collecting the data because those sensors are what’s known as “zero-permission” – essentially, an app doesn’t need a user’s consent to access data from them.
On the surface, that might not seem like much of a threat. The data collected by such sensors is labeled rather dismissively – at least for security purposes – as “non-critical.” Why should we care if an app has access to a device’s accelerometer, gyroscope, magnetometer, proximity sensor, barometer or ambient light sensor?
They don’t store passwords, Social Security numbers, credit card numbers or other personally identifiable information (PII). They just measure things like whether you’re moving and how fast, where you are, what your altitude is and whether you’re looking at the phone or have it next to your ear.
But they are yet another example of how data from seemingly disparate and unrelated sources can be merged to provide information that is much more invasive than you thought. In this case, enough to guess your PIN and invade your phone, at which point your critical data is at risk.
The NTU researchers are not the first to demonstrate this – there are now multiple examples of how much those sensors can give away. A couple of weeks ago Naked Security reported on a team of researchers from Princeton who demonstrated that they could track the location of smartphone users even if they had their GPS (“location services”) turned off.
In April, researchers from the University of Newcastle in the UK published a paper in the International Journal of Information Security, in which they described a “JavaScript-based side channel attack” that allowed them to guess the PINs on Android devices.
In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86% and 94% in the second and third attempts, respectively.
The NTU researchers did even better (also attacking Android devices), combining data “leakage from a pool of zero-permission sensors to reconstruct a user’s secret PIN.”
By harvesting the power of machine learning algorithms, we show a practical attack on the full four-digit PIN space. Able to classify all 10,000 PIN combinations, results show up to 83.7% success within 20 tries in a single user setting. Latest previous work demonstrated 74% success on a reduced space of 50 chosen PINs, where we report 99.5% success with a single try in a similar setting.
The researchers also note the obvious – that since Android has 81.7% of the smartphone market, this amounts to a massive attack surface.
They acknowledge that the flaws of zero-permission sensors have been noted in at least a dozen other publications, but say defeating the PIN code is more complicated, “because the exploited movements are less pronounced and hence, harder to classify correctly.”
But the success of their research, along with expected improvements, is bad news for smartphone security – even for users who use more than four digits for a PIN.
The classification algorithms are able to easily weigh the importance of each sensor in PIN recovery and allow high recovery success. Since the methodology works on a single digit, it is scalable to PINs longer than 4-digits.
There have been some moves made toward at least partially closing the door. Bleeping Computer noted last April that both Mozilla and Apple updated the Firefox and Safari browsers in early 2016 to allow JavaScript access to motion and orientation sensors only to top-level documents and same-origin iframes, but that such restrictions don’t yet apply to Google Chrome.
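To make the browser-side restriction concrete, here is an added example (it is not code from the article, from Bleeping Computer, or from any browser’s source). It models the “top-level document or same-origin iframe” rule described above as a small check, and it builds the `Permissions-Policy` header value a site can send today to keep the `accelerometer`, `gyroscope` and `magnetometer` features away from third-party frames it embeds. The directive names are real; the function names, the frame-chain representation and the sample URLs are this example’s own assumptions.

```javascript
// Added example: models the same-origin sensor rule and builds a
// Permissions-Policy header. Not from the article or any browser.

// Features that the Permissions-Policy header lets a site restrict.
// (Directive names are real; the helpers below are this example's own.)
const MOTION_SENSOR_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Normalise a URL to its origin (scheme + host + non-default port).
// Throws on malformed input rather than silently treating it as same-origin.
function originOf(url) {
  return new URL(url).origin;
}

// The rule as the article describes it: motion and orientation streams reach a
// script only if it runs in the top-level document or in an iframe whose origin
// matches the top-level document's origin.
// `frameChain` (an assumed representation) lists the URLs from the top-level
// document down to the frame asking for the stream; one element means top-level.
// Design choice of this example: every ancestor must share the top-level origin,
// so a cross-origin embed cannot regain access by nesting a same-origin frame.
function sensorAccessAllowed(frameChain) {
  if (!Array.isArray(frameChain) || frameChain.length === 0) {
    throw new Error("frameChain must contain at least the top-level document URL");
  }
  const top = originOf(frameChain[0]);
  return frameChain.every((url) => originOf(url) === top);
}

// Build a Permissions-Policy header value that allows the motion features only
// in the site's own frames ("self"), plus any explicitly trusted cross-origin
// embeds that genuinely need motion data (e.g. a maps widget).
function buildSensorPolicy(trustedOrigins = []) {
  const allowlist = ["self", ...trustedOrigins.map((o) => `"${originOf(o)}"`)].join(" ");
  return MOTION_SENSOR_FEATURES.map((f) => `${f}=(${allowlist})`).join(", ");
}

// Constructed sample frame chains (illustrative hostnames, not real sites).
const SAMPLE_CHAINS = {
  topLevel: ["https://bank.example/login"],
  sameOriginFrame: ["https://bank.example/login", "https://bank.example/pin-pad"],
  crossOriginAd: ["https://news.example/article", "https://ads.example/frame"],
  nestedBackToSameOrigin: [
    "https://bank.example/login",
    "https://ads.example/frame",
    "https://bank.example/pin-pad",
  ],
};

// Evaluate every sample chain; returns a name -> boolean map.
function evaluateSamples() {
  const result = {};
  for (const [name, chain] of Object.entries(SAMPLE_CHAINS)) {
    result[name] = sensorAccessAllowed(chain);
  }
  return result;
}

// Stand-alone run: show the decisions and the header a site could send.
console.log(evaluateSamples());
console.log("Permissions-Policy: " + buildSensorPolicy());
console.log("Permissions-Policy: " + buildSensorPolicy(["https://maps.example/"]));
```

The header string is what you would set as the `Permissions-Policy` response header on the pages that embed third-party content; it does not help against a page the attacker controls outright (the attacker simply omits it), which is why the article’s point stands that the real fix belongs in the browser and the OS.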
The much more fundamental fix, of course, has to involve the OS. There is more than enough research out there now to demonstrate that there should no longer be any such thing as a zero-permission sensor. As is regularly said, if the good guys are doing it, the bad guys are too.
At a minimum, every app should require an affirmative consent from users. Meanwhile, this and other research should serve as yet another warning that it’s asking for trouble to get your apps anywhere other than a reliable store that vets them for you. If you get fooled by a malicious one, it’s like inviting hackers through an open door.