Scientists Prove Your Phone's PIN Can Be Stolen Using Its Gyroscope Data

A team of scientists at Newcastle University in the UK managed to reveal a user's phone PIN code using its gyroscope data. "In one test, the team cracked a passcode with 70 percent accuracy," reports Digital Trends. "By the fifth attempt, the accuracy had gone up to 100 percent." From the report: It takes a lot of data, to be sure. The Guardian notes users had to type 50 known PINs five times before the researchers' algorithm learned how they held a phone when typing each particular number. But it highlights the danger of malicious apps that gain access to a device's sensors without requesting permission. The risk extends beyond PIN codes. In total, the team identified 25 different smartphone sensors which could expose compromising user information. Worse still, only a small number -- such as the camera and GPS -- ask the user's permission before granting access to that data. It's precise enough to track behavior. Using an "orientation" and "emotion trace" data, the researchers were able to determine what part of a web page a user was clicking on and what they were typing. The paper has been published in International Journal of Information Security.

Re:

[marcgvky]

1. write iphone app 2. record sensor data 3. sell PINs 4. profit!

Why did his statement get voted down? I think it's insightful satire.

As a firefighter, we are taught "Forcible Entry", because we may show up to a burning house and the homeowner may be able to answer the door. The first words out of the instructors mouth, Day 1, "locks keep honest people honest." Simple and profound.

Seems like the front door to your house and the front door to your phone are only as safe, as the moral society in which you live allows.

Re:

[marcgvky]

.... show up to a burning house and the homeowner may be able to answer the door.....

Ehem, may NOT be able to answer the door. LOL Too early for posting... need coffee.

It was a inside job!

[LesFerg]

So they are saying that if a malicious compromising app is already installed and running on your phone, then your phone could be compromised?
Were they on salary while determining this?

Escalation

[dbIII]

Escalation of access is still an issue.
Personally I see the moral of the story as being the old one that security is weakened if you have to use the access method very frequently. That's one of the reasons why alarm systems often have a different code for each user instead of ending up with four numbers almost worn off the keypad after a few years.
How many days would elapse before the user had entered their PIN fifty times in their phone? I don't think it would be a very long time and the malware can wait

Re:

[110010001000]

The only problem is the system needed to be trained by having the user enter 50 known PINs five times. And assumed the user held the phone the same way every time. Those silly scientists.

Re:

[LesFerg]

Since the digital keypad on phones is a graphic display, why not simply have the keypad randomly rotated, so the patterns keep changing?
Even better than rotating, scramble the number positions.
All this talk of seeing somebody typing in a PIN from a distance, recording the phone movement etc just make me wonder.

Re:

[jaminJay]

The nineties called: they want their internet banking login Java applets back.

Re:

[currently_awake]

Number layout randomization is used on military keypads to prevent someone shoulder surfing to get access codes. It would also prevent IR or fingerprint scans to get your code.

Re:

[dbIII]

No. If the malware is on the thing long enough the user will be holding the phone the same way enough times.
Stack up enough similar data and the uncommon stuff becomes trivial noise.

Re:

[msauve]

Yep. If your (name of computing device here) is compromised,your (name of computing device here) is compromised.

Maybe they'll get a Nobel prize, just like Obama.

Re:

[Askmum]

When a malicious app can have access to the gyroscope, why can't it read out the pressure of the screen? I don't even think there is a seperate access restriction for that because every app is controlled by the screen.

Re:

[AC-x]

I'm pretty sure mobile OS' don't allow user level apps to read touch positions from things like the lockscreen.

Re:

[religionofpeas]

With a similar argument: what is an app actually going to accomplish once it has the unlock code ?

Re:

[Joce640k]

Create a dark database so that stolen phones are suddenly valuable again?

It's almost as if you have no imagination.

Re:

[religionofpeas]

30% of phone owners don't use a password anyway, and most people who find/steal a phone don't have access to this dark database, plus you need to convince people to install the malicious app. All in all, a very small risk.

Re:

[EvilSS]

30% of phone owners don't use a password anyway, and most people who find/steal a phone don't have access to this dark database, plus you need to convince people to install the malicious app. All in all, a very small risk.

Got a reference for that statistic?

Re:

[Cajun Hell]

A reference for a related statistic [slashdot.org] (though the numbers are different).

Re:

[EvilSS]

How was that supposed to be in any way useful?

Re:

[AC-x]

I imagine it would be useful to state actors; Build up a database of pin codes then if you snatch a phone in a raid / at the border if it's part of your drag net you can unlock it without all the fuss like the San Bernardino iPhone caused.

Re:

[Cyryathorn]

I imagine the "malicious app" might be a pinball game that you gave gyro permissions to, and/or a puzzle-sliding mini game that lays out on the screen in a manner suspiciously similar to the lock screen. After that it would need to be able to look up historical gyro data.

The article doesn't provide enough detail, so I'm just speculating. But I would imagine it might just take a little bit of cleverness to trojan this into a real world scenario.

Of course it should be an inside job...

[Richard Kirk]

This is an entirely sensible thing to do. You might have a game that uses the gyroscope. Embedded within that game there might be a rogue application that also uses the gyroscope data to measure the tilt as a result of using the keyboard, and report that along with your high score, or whatever to some game sever. If you have some security mode so when you are entering a password, it disables keyboard sharing, screen grabs, the camera (looking for reflections in you glasses) and the microphone (in case you

Re:

[theguyfromsaturn]

In other news, they seem to imply that nothing can currently be done against this very specific threat... however, if you set the numerical password entry to be with randomized number location, it seems to me that the gyro is not very useful, as it will provide random data. This feature has been around for a while, and is good against the good ol' eyeball mark 1 infiltration app too (unless the observer is so far over your shoulder that they can directly observe the numbers, obviously).

Scientists

[110010001000]

In 2017 everyone is a scientist. Even APK.

Old tech ...

[Misagon]

Long before touch-screens with capacitative sensing became commonplace there were some touch-screens systems that used a gyroscope as its sensor to sense how much the screen rocked when a user touched it.
It was very crude and inaccurate compared to other approaches but it could be mounted to most regular CRT computer monitors.

Unfortunately I have sold off my computer magazines from the early '90s so I can't look up the name of the manufacturer.

Re:

[110010001000]

Yeah, but these guys wrote an app.

Re:

[Askmum]

I would assume it would be very crude and inaccurate because a CRT monitor does not really move when you touch it. Was it a March issue of some computer magazine by any chance?

I kinda have to call bullshit on this

[Snotnose]

If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

You really wanna tell me my gyroscope is in the same position in all these scenarios?

Re:

[Snotnose]

You really think in all these scenarios relative movement will be the same?

HA HA HA HA

dumass

Re:

[subreality]

The gyroscope does not care what orientation it's in. The accelerometer does, but even then it's easy to subtract out 1G of orientation to isolate short transients.

Re:

[Eloking]

If I'm a researcher entering a PIN multiple times I'm in a chair hunched over the phone. Me? I'm in my La-Z-Boy. I'm on the toilet. I'm in bed. I'm in the kitchen cooking. I'm at a red light getting a message. I'm in the grocery store unlocking my shopping list.

You really wanna tell me my gyroscope is in the same position in all these scenarios?

From looking at the summary (TFA is not interesting enough to read), my guess is that they use the mouvement of the phone as you as entering your password. For instance, if you press the #9, your cellphone will slightly tilt to the upper left (compared to the other key). By comparison, the #4 will tilt slightly relatively at the same strength on the left side, but less on the upper side. So if you look at the gyro's data of the 4 digit, you can certainly make a pattern and have an idea of what if the passwo

Re:

[thegarbz]

You really wanna tell me my gyroscope is in the same position in all these scenarios?

It's called filtering and analysis. The starting position isn't at all important if it can be characterised.

Re:

[mark-t]

Pretty spiffy. Which cell phone?

Only load from safe sources

[chromaexcursion]

If you download from google store, every app has to ask permission.
this attack only works on those downloading from untrusted sources.

Re:

[Nemyst]

And what if the app masquerades as something with a perfectly valid reason to access the gyroscope, like a map app?

Iframe/JS attack possible too

[HxBro]

This could happen on any web page you happen to have visited and left open, in some cases the browser can be minimised and screen locked

https://link.springer.com/arti... [springer.com]

Simpler method

[religionofpeas]

Just make an app that occasionally shows a fake unlock screen, and just capture the touches.

PIN length?

[necro81]

I will assume that this research was conducted using 4-digit PINs, which are the default for iOS and Android. I wonder how their success rate would hold up against, say, a 5-digit PIN, or 8, or N?

I generally rely on a biometric sign in for my phone*, but fall back on the PIN code once or twice per week. It's a whole lot more than 4 digits.

* I know, biometrics have their own set of risks; different conversation [slashdot.org]

NO GYROSCOPE IN PHONES

[flargleblarg]

For fuck's sake! There are no goddamn gyroscopes in mobile devices. What's used are accelerometers, which are non-spinning. Gyroscopes spin.

Re:

[Wolfrider]

--Easy solution: OS Disable the accelerometer when prompting for a pass code.

PIN layout scrambling defeats this?

[Athanasius]

From the description the method is detecting which part of the screen you tap on. Thus if you use PIN keypad layout scrambling, such as in LineageOS they still won't know which digit you were tapping each time.

Good thing this does not apply

[Bartles]

Because phones don't have gyroscopes. They have accelerometers.