Sensor data in smartphones make them vulnerable to hacking: study

Unrestricted access to sensor data reveals ‘too much’ about user behaviour.

The password one uses to access a smartphone does not secure it from hackers, should they get hold of it. In fact, sensors existing in the phone — such as accelerometer, gyroscope and proximity sensors — themselves present a gateway to hackers, according to new research. Researchers at Nanyang Technological University, Singapore, led by Indian-origin Dr Shivam Bhasin, a senior research scientist, tested this using a combination of information gathered from six different sensors found in smartphones — accelerometer, gyroscope, magnetometer, proximity sensor, barometer, ambient light sensor — and state-of-the-art machine learning and deep learning algorithms.

They succeeded in unlocking Android smartphones with a 99.5% accuracy within only three tries, when tackling a phone that had one of the 50 most commonly used PIN numbers, according to a news post on the NTU Singapore website. The previous best phone-cracking success rate, the post adds, was 74% for the 50 most common PIN numbers, but NTU’s technique can be used to guess all 10,000 possible combinations of four-digit PINs.

The study has been published in Cryptology ePrint Archive. The researchers used sensors in a smartphone to model which number had been pressed by its users, based on how the phone was tilted, and how much light is blocked by the thumb or fingers. “When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9,” the post quotes Dr Bhasin, whose team on the 10-month project included David Berend and Bernhard Jungk.

The researchers believe their work highlights a significant flaw in smartphone security — using the sensors within the phones require no permissions to be given by the phone user and are openly available for all apps to access.

In the experiments, the classification algorithm was trained with data collected from three people, who each entered a random set of 70 four-digit pin numbers on a phone. At the same time, it recorded the relevant sensor reactions. Although each individual enters the security PIN on their phone differently, the scientists showed that as data from more people is fed to the algorithm over time, success rates improved.

So while a malicious application may not be able to correctly guess a PIN immediately after installation, using machine learning, it could collect data from thousands of users over time from each of their phones to learn their PIN entry pattern and then launch an attack later when the success rate is much higher.

The NTU web post quotes Professor Gan Chee Lip, director of the Temasek Laboratories at the university, as saying that the study shows how devices with seemingly strong security can be attacked using a side-channel, as sensor data could be diverted by malicious applications to spy on user behaviour and help to access PIN and password information, and more.

“Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour. This has significant privacy implications that both individuals and enterprises should pay urgent attention to,” says Prof Gan.

Dr Bhasin says it would be advisable for mobile operating systems to restrict access to these six sensors in future, so that users can actively choose to give permissions only to trusted apps that need them. To keep mobile devices secure, Dr Bhasin advises users to have PINs with more than four digits, coupled with other authentication methods like one-time passwords, two-factor authentications, and fingerprint or facial recognition.