For hackers, smartphones are a treasure trove of data, including emails, contacts, photos, passwords, valuable banking information, etc. Security experts have long warned that smartphones are due for a massive cyber-attack.
Most smartphone owners use PIN codes to secure their devices. But scientists have now found that a phone's own sensors can give away passwords/PINs to hackers, enabling them to unlock it.
Study highlights significant flaw in smartphone security
The researchers used sensors built into these handsets, including the accelerometer, gyroscope, and proximity sensor, to "model" the digits users entered, based on the phone's tilt angle and the light blocked by the user's fingers.
Any on-device app can access these sensors without the user's permission.
Researchers hacked phones with a 99.5% accuracy rate
The research team, using data from six sensors and machine learning algorithms, unlocked Android devices successfully with 99.5% accuracy in just three tries. They hacked phones that had one of the 50 most common PINs.
The previous best smartphone-cracking accuracy rate was 74% for the top 50 common PINs.
Using the NTU team's technique, all 10,000 possible four-digit PIN combinations can be guessed.
How did the researchers collect sensor data?
Using a custom application, researchers collected data from Android phones' accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.
NTU's Shivam Bhasin said that the device moves differently as each digit is pressed, and that the amount of light blocked by the user's right thumb differs for each number.
They trained a classification algorithm with sensor data from three people, who entered 70 four-digit PINs on a phone.
Used state-of-the-art machine learning, deep learning algorithms: Researchers
The custom application also recorded the sensor reactions at the time of entering the PIN.
Using deep learning, the classification algorithm assigned each sensor a different importance weighting, based on how strongly that sensor responded as different digits were pressed.
This method helps eliminate the "less important" factors. Feeding the algorithm more data from different users increased the accuracy rate.
How to keep mobile devices safe?
NTU's Senior Research Scientist Shivam Bhasin advised that to keep smartphones secure, one should use PINs with more than four digits, "coupled with other authentication methods like one-time passwords, two-factor authentications, and fingerprint or facial recognition."
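As an added illustration, not taken from the NTU study or its authors, the toy model below puts the advice about longer PINs into numbers: assume each key press leaks a calibrated probability distribution over the ten digits (the 0.7/0.2 split is a constructed assumption, not a figure from the study), and compute how much of the PIN space an attacker's three most likely guesses cover for 4-, 6- and 8-digit PINs, compared with blind guessing.

```python
import heapq

def leaky_posterior(p_top, p_second):
    """Constructed per-keypress posterior: the sensor classifier puts p_top on
    the true digit, p_second on its closest rival, and spreads the remainder
    evenly over the other eight digits (assumed values, not the study's)."""
    rest = (1.0 - p_top - p_second) / 8
    return [p_top, p_second] + [rest] * 8

def top_n_mass(posteriors, n):
    """Probability mass of the n most likely PINs under independent,
    calibrated per-position posteriors, i.e. the attacker's chance of
    success within n guesses. Uses k-best enumeration over the product
    lattice: sort each position's probabilities, then expand the best
    index vector one coordinate at a time with a max-heap."""
    cols = [sorted(p, reverse=True) for p in posteriors]
    length = len(cols)

    def score(idx):
        s = 1.0
        for col, i in zip(cols, idx):
            s *= col[i]
        return s

    start = (0,) * length
    heap = [(-score(start), start)]
    seen = {start}
    mass = 0.0
    for _ in range(n):
        if not heap:
            break
        neg, idx = heapq.heappop(heap)
        mass += -neg
        # Successors: bump one position to its next-best digit.
        for pos in range(length):
            if idx[pos] + 1 < len(cols[pos]):
                nxt = idx[:pos] + (idx[pos] + 1,) + idx[pos + 1:]
                if nxt not in seen:
                    seen.add(nxt)
                    heapq.heappush(heap, (-score(nxt), nxt))
    return mass

def compare_pin_lengths(p_top=0.7, p_second=0.2, guesses=3, lengths=(4, 6, 8)):
    """Success probability within `guesses` tries with sensor leakage
    versus blind guessing, for each PIN length."""
    post = leaky_posterior(p_top, p_second)
    return {L: (top_n_mass([post] * L, guesses), guesses / 10 ** L) for L in lengths}

if __name__ == "__main__":
    for L, (leaky, blind) in compare_pin_lengths().items():
        print(f"{L}-digit PIN: with leakage {leaky:.4f}, blind guessing {blind:.1e}")
```

Under these assumed posteriors, leakage raises a three-try success rate from 0.0003 to about 0.38 for a four-digit PIN; moving to eight digits roughly quarters it, which is why the advice pairs longer PINs with a second factor rather than relying on length alone.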
Malicious apps can collect sensor data and attack phones
Malicious apps may not guess PINs immediately after installation, but they can collect sensor data and use machine learning to learn PIN entry patterns.
Later, once their accuracy rate is high, they may attack the devices.
Even devices with "seemingly strong security" can be targeted in this way.
Malicious apps can divert sensor data to spy on user behavior or help gain access to PIN/password information.