Hackers and hacks

Hackers can crack PIN codes by using the smartphone’s motion sensors

Researchers from Newcastle University have discovered that hackers can use a smartphone's motion sensors to infer security PINs.

A regular smartphone has many sensors, including GPS, camera, microphone, fingerprint reader, accelerometer, gyroscope, light sensors, magnetometers, barometers, proximity sensors, thermometers and air humidity sensors, so malicious software or a malicious website can collect a lot of personal data by reading the output of these sensors.

In this case, the motion and rotation sensors could be used to reveal touch actions, permitting skilled hackers to bypass PIN security.

The researchers recruited 10 smartphone users and asked them to enter 50 four-digit PINs five times on each website. On the first attempt, the network guessed 70% of the PINs correctly, while on the fifth try they bypassed the PINs with a 100% success rate.

The math tells us that there are 10,000 combinations that can be set with four-digit PINs, so there is a 2% chance of guessing the PIN on the first attempt.

This being said, the attack assumes a hacker who has installed a rogue app on the smartphone or lured the user to an infected website that runs malicious JavaScript code in the tab where the PIN is entered. Many PIN codes are made of common sequences like 1234, 0000, 1000 or birth dates, so they can be bypassed by guessing.

The way a user holds the phone, scrolls and taps on it generates data that can be used to crack PINs.

A security measure would be to add permissions on sensor actions, so that users can manually deny infected apps or sites access to those sensors. It is a good habit to change PINs regularly and to study application permissions before installation.
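On the website side, one existing form of sensor permission is the Permissions-Policy response header, which a page that collects a PIN can use to deny motion sensors to its own scripts and to embedded frames. The audit below is an added example, not code from the article or the Newcastle research; the sample header is constructed, the parser is simplified, and enforcement for motion events is assumed to depend on browser support.

```javascript
// Added example: audit a Permissions-Policy header for motion-sensor exposure.
const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

// Header a PIN-entry page could send to deny these sensors to itself and all frames.
const STRICT_POLICY = MOTION_FEATURES.map((f) => `${f}=()`).join(", ");

// Simplified parser for "feature=(allowlist)" entries.
// Assumption: no commas inside quoted origins; structured-field parameters are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const entry of (header || "").split(",")) {
    const eq = entry.indexOf("=");
    if (eq === -1) continue;
    const feature = entry.slice(0, eq).trim().toLowerCase();
    const raw = entry.slice(eq + 1).split(";")[0].trim();
    const allow = raw.replace(/^\(|\)$/g, "").split(/\s+/).filter(Boolean);
    policy.set(feature, allow);
  }
  return policy;
}

// Classify each motion feature as "denied", "self-only" or "exposed".
function auditMotionSensors(header) {
  const policy = parsePolicy(header);
  const findings = {};
  for (const feature of MOTION_FEATURES) {
    const allow = policy.get(feature);
    if (allow === undefined) {
      findings[feature] = "self-only"; // default allowlist for these features is 'self'
    } else if (allow.length === 0) {
      findings[feature] = "denied";
    } else if (allow.every((a) => a === "self")) {
      findings[feature] = "self-only";
    } else {
      findings[feature] = "exposed"; // '*' or a third-party origin may read the sensor
    }
  }
  return findings;
}

// Constructed sample header mixing all three outcomes.
const SAMPLE = 'accelerometer=(), gyroscope=(self), magnetometer=*';
console.log(auditMotionSensors(SAMPLE));
console.log(auditMotionSensors(STRICT_POLICY));
```

A finding of "self-only" still lets the page's own scripts read the sensor, so only "denied" covers the case where malicious JavaScript runs in the same tab as the PIN field.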

For more information, see this post on one of the Sophos websites.
