Hackers Can Crack Your Smartphone PIN Using Its Motion Sensors, Say Researchers

Features that can count your steps or identify when you tilt the screen can compromise your security

Hackers Can Crack Your Smartphone PIN Using Its Motion Sensors, Say Researchers
Image: Pixabay
May 1, 2017

A new study published in The International Journal of Information Security claims that hackers can use your smartphone's motion detectors to crack its PIN.

Today's smartphone is chock-full of all kinds of sensors that allow the device to perform tasks like counting your steps or figuring out when you've tilted the screen. But researchers say that these features can also compromise your security.

"These sensors can provide us — or hackers — with much more than people would think," says Maryam Mehrnezhad, lead author of the report and research fellow in the School of Computing Science at Newcastle University.

Most mobile apps and websites have to ask your permission in order to access your device's sensors, like the camera and microphone. However, says Mehrnezhad, the standard smartphone now includes more than 24 sensors that do not all have the same level of security.

In the study, she and the other researchers inserted harmful code into a webpage in order to hack smartphone motion and orientation sensors. When study volunteers opened the page on their phones, the researchers' program spied on the devices' sensors, recording information about users' movements of the touchscreens. This movement included entering their four-digit PINs.

The researchers then used a machine learning algorithm to analyze the data and figure out the PINs. The algorithm was able to identify the PINs with greater than 70 percent accuracy on the very first try.

"And it goes up to 100 percent in the fifth try," says Mehrnezhad.

PINs are not the only information that sensors could give hackers. "People know about all of these fitness trackers, if you're sitting, walking, running and all those other physical activities," she noted.

The easiest way to fix this problem would be for mobile apps and websites to have to ask permission to access any sensor in a smartphone. This is unlikely, however, because today's phones simply have too many sensors, says Mehrnezhad.

"It could be very unusable for the users to get notification for each single use, every time that they open a web application or when they install an app," she says. "So it's a battle between security and usability, really."

The researchers are collaborating with the industry to develop security patches. In the meantime, Mehrnezhad recommends that users take basic precautions to keep their information private. Change your passwords and PINs often, for example, and close apps and browser windows when you aren't using them.

"You can also uninstall the apps that you no longer need," she notes. "Also, keeping updated your operating system would help all the time, and installing applications from approved app stores would help out as well."