SINGAPORE - The small, subtle ways you tilt your phone while keying in your personal identification number (PIN) to unlock it can actually be tracked and used by hackers to gain access to your phone - all without you realising it.
Cryptographic engineering researchers from the Nanyang Technological University (NTU) have developed proof-of-concept software to access data from common phone sensors that track the phone's motion and orientation, which can then be reverse-engineered to guess the user's PIN.
They were able to do this based on a loophole in Android phones which lets apps access phone sensors such as the accelerometer (measuring speed), gyroscope (orientation), proximity (presence of nearby objects), barometer (pressure) and ambient light, without requiring the user to give permission to access them.
This means hackers can write malicious apps that take advantage of this loophole to log sensor data secretly without the user's knowledge. That app can then transmit the raw data to the hackers.
"So if some app tries to spy on this data and then secretly transfers it to a server, any person can analyse that data," said Dr Shivam Bhasin, a senior research scientist from Temasek Laboratories at NTU who led the research.
A phone's orientation shifts slightly, but noticeably, when a user reaches over to press the '1' key compared to, say, the '8' key. These movements and slight tilts of the phone can be picked up by the phone's accelerometer and gyroscope.
The software also uses other sensors to make more accurate guesses. "When I press the '1' key, my finger covers more of the screen than if I'm pressing the '9' key - which can be detected using the ambient light sensor," said Dr Bhasin.
Along with two colleagues from the physical analysis and cryptographic engineering group, Dr Bhasin combined the raw data from all these different sensors and ran it through machine learning software which matches the phone's motions to which number the user is hitting on the keypad, allowing them to obtain the PIN.
They had a near-perfect success rate for the top 50 popular PINs (such as 1234, 2580 or 4321) , with correct hits 99.5 per cent of the time, and an overall 75 per cent success rate for guessing the correct PIN out of the 10,000 possible permutations of four-digit PINs.
The security implications of such software go beyond unlocking a phone. "PINs aren't just used as a phone lock, but also in, for example, banking apps. So all these activities are compromised," said Dr Bhasin.
The team started work developing this software in March. Dr Bhasin said the results will be made public at the end of November, and presented at cybersecurity conferences next year.
Mr Nick FitzGerald, a senior research fellow at security software maker ESET, said that since so many apps depend on a phone's sensors, highlighting them all might bombard users with too much information and confuse them.
"It's arguably a feature, rather than a vulnerability," he said. "Adding specific permissions for 'requires gyroscope' or 'requires accelerometer' is as impractical as adding 'requires keyboard' and 'requires display' permissions."
Instead, users should be smart about the apps they download, as the main mode of attack is getting them to install malware on their phones. "Don't install apps from questionable sources, and don't install apps with poor, or heavily mixed, reviews," he added.