The alert about mobile sensors in mobile phones comes from Newcastle University, U.K. the primary concern, the researchers report, is that hackers, using downloaded software, can decipher personal identification numbers (PINs) and passwords simply from the way people tilt their phones when they type in such information.
The researchers found through the investigation that simply by studying the tilting motion of a device it was possible to break a four-digit PINs with an accuracy of 70 percent (based on the first attempt, reaching 100 percent accuracy by the fifth attempt). The attempts are based on information collated via a smartphone’s internal sensors. A standard smartphone has 25 different internal sensors. Sensors are used for playing various mobile games and for using fitness apps, where the user clicks, scrolls, holds, tilts and taps the device. The more often this is done the more data becomes available (a little like putting together a jigsaw puzzle).
The news about the level of vulnerability will come as a surprise to many. It doesn’t come as surprise to mobile device manufacturers, however. According to Dr Maryam Mehrnezhad device manufacturers are aware of the problem (partly it is a problem between increasing usability of the device and maintaining security). The researcher writes: “Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors.”
The problem is, he explains: “because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information.”
The malicious codes are surprisingly easy to install without the device user being aware. Sometimes this can simply be through opening a webpage on a smartphone. Some types of software are able to collect data even when a device is switched off.
As to what can be done to help promote security, the researchers recommend that device users:
Change their PINs and passwords regularly. This prevents malicious websites form recognizing patterns.
Closing down background apps when they are not in use and uninstalling apps that are no longer needed.
Keeping the device operating system and apps up to date.
Only installing applications purchased from approved app stores.
Auditing the permissions that apps have on the device.
Scrutinizing the permission requested by apps before they are installed them.
Looking for alternative apps that come from more reputable developers.
The next wave of research will consider further risks posed by personal fitness trackers. There is a concern here about how online profiles can be used to interpret the motions involved in general physical activities when health apps are being used.
The research is published in the International Journal of Information Security. The research paper is titled “Stealing PINs via mobile sensors: actual risk versus user perception.”
