Normally we do everything to keep our smartphones intact: the device is put into a case, the screen is reinforced with a transparent film, and it might even be kept separately in a bag while out and about. We also take measures to protect the data saved to the phone’s storage by locking it with a pattern, a PIN code, a password or our fingerprint.
But according to Murphy’s law, if something can go wrong, it will go wrong: plastic films won’t protect the screen from breaking, and PIN codes may not be as secure as you may think, especially if an experimental app like the one developed by Singapore’s Nanyang Technical University (NTU) can unlock the smartphone simply by relying on the device’s sensors.
Betrayed by the Sensors
In order for the smartphone to be… well, smart, the device is equipped with many sensors like a gyroscope, an accelerometer, a barometer or a magnetometer. These can detect various things, from orientation, altitude and external light conditions to the physical proximity of the human ear, in order to lock the screen when calling someone.
So how do PIN codes come into this? According to Dr Shivam Bhasin, a senior research scientist at the NTU, this is because “when you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9”.
Using this knowledge, Dr Bhasin and his team of researchers created an Android app that collected data from six of the smartphone’s sensors; this data was then fed into an algorithm that also recorded the relevant sensor readings.
Soon the algorithm was capable of giving different weightings of importance to each of the sensors, and this information was enough for the researchers to break into phones with a whopping 99.5% accuracy within three tries.
This means that if an app working on the same principle as the one created by the NTU’s researchers were to be released, over time it would be able to learn PIN codes – or even passwords – simply by tracking users’ data entry patterns.
Sensor Data: No Permission Granted
Aside from creating this monstrosity of an app, the study has shown the danger that comes with the smartphone’s physical sensors: they are extremely vulnerable to hacker attacks, since they inadvertently provide access to apps without requiring permission from the user. In simpler words, by spying on sensor data, a malicious application could easily give away the most valuable of information, such as PIN codes and passwords.
According to Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, the solution is pretty simple: the phone’s OS should never give apps permission to access information from the phone’s sensors by default. Instead, it should be the users who choose whether they wish to permit the app to access sensor data.
A Valuable Moral for Password Managers
This study clearly shows that even the most trusted authentication methods like the PIN code can be compromised and it’s up to users and developers to prevent sensitive data from being stolen. Thankfully, the best password management solution providers have already realized this, and as a matter of fact most of the password managers that we have tested use Google Authenticator, an app that generates a random set of six-digit numbers that expire after a minute, therefore preventing malicious apps from ever guessing what the code is.
Still, password management apps for smartphones do provide the option to replace the default master password with a simpler four-digit PIN code. But now that we’ve seen what the NTU’s app is capable of, it’s better to be safe than sorry and either switch to biometric authentication or stick to typing in the good old master password.