How hackers steal passwords via smartphone sensors?
But due to the boom in mobile gaming and health and fitness apps over the last few years, the mobile operating systems do not restrict installed apps from accessing data from the plethora of motion sensors like accelerometer, gyroscope, NFC, motion and proximity.
Any malicious app can then use these data for nefarious purposes. The same is also true for malformed websites.
“Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera, and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer,” Dr. Maryam Mehrnezhad, the paper’s lead researcher, said describing the research.
“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.”
Researchers have demonstrated an attack that recorded data from around 25 sensors in a smartphone. They have also provided a video demonstration of their attack, showing how their malicious script is collecting sensor data from an iOS device.
Here’s the demonstration of attack
Once this is done, whatever the victim types on his/her device while the malicious app or website running in the background of his phone, the malicious script will continue to access data from various sensors and record information needed to guess the PIN or passwords and then send it to an attacker’s server.
Researchers were able to guess four-digit PINs on the first try with 74% accuracy and on the fifth try with 100% accuracy based on the data logged from 50 devices by using data collected from just motion and orientation sensors, which do not require any special permission to access.
The researchers were even able to use the collected data to determine where users were tapping and scrolling, what they were typing on a mobile web page and what part of the page they were clicking on.
Researchers said their research was nothing but to raise awareness to those several sensors in a smartphone which apps can access without any permission, and for which vendors have not yet included any restrictions in their standard built-in permissions model.
“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding,” Mehrnezhad said. “So people were far more concerned about the camera and GPS than they were about the silent sensors.”
Mehrnezhad says the team had alerted leading browser providers such as Google and Apple of the risks, and while some, including Mozilla and Safari, have partially fixed the issue, the team is still working with the industry to find an ideal solution.
More technical details can be found in the full research paper, titled “Stealing PINs via mobile sensors: actual risk versus user perception,” published Tuesday in the International Journal of Information Security.
To be on the safe side, disable all the unnecessary sensors to avoid hackers steal passwords via smartphone sensors.
Note: Use Virtual Machine and scan on VirusTotal before downloading any program on Host Machine for your privacy.