The study was conducted at Newcastle University. Led by Dr Maryam Mehrnezhad, it found that the sensors inside modern devices contain a treasure trove of information that can easily be exploited by attackers. Components such as the gyroscope and accelerometer can be accessed by apps and websites without any special privileges being granted, enabling malware to listen in on the data.
Although it’s not immediately obvious, the patterns in the data presented by the sensors can be analysed to establish what’s on the display. The team found that people hold their phone in different ways depending on whether they’re tapping, scrolling or holding the device. By looking at the data supplied by the accelerometer and gyroscope, attackers could figure out the way in which the phone’s being used.
Mehrnezhad’s team created a proof-of-concept attack that shows how a specially designed webpage running on a phone could calculate the user’s PIN code. If the page was open as the user unlocked their phone, the site could use the accelerometer information to work out the tilt angle of the handset.
With the code aware of the phone’s relative angle at each keypress, it could determine the placement of the buttons being tapped. From there, the identity of each key could be ascertained, based on the standard layout used for PIN pads. In testing, 70% of PINs were cracked after one attempt. After five, they had all been identified.
According to Mehrnezhad, phone manufacturers and website creators are aware of the issue but aren’t sure how to tackle it. The sensor information is presented to websites so developers can build modern games and apps for web browsers. The team’s findings demonstrate the potential risks of giving browsers unhindered access to hardware but revoking the permissions could break existing apps.
The current solution for the issue sees websites provided with an infrequently updated data stream that’s around 3-5 times slower than native apps receive. It was assumed this reduced rate of data access was too inaccurate to enable attackers to use the information as demonstrated. The study proves this view to be incorrect and a new approach will now be required.
The team has contacted the W3C working group – the organisation that defines the standard features added to web browsers – and the major browser vendors. The W3C, Mozilla, Chrome, Opera and Safari have all acknowledged Mehrnezhad’s concerns and announced they’re considering reviews of how their apps present sensor data streams to background tabs. There’s no word yet on when changes will be implemented and it’s possible attackers are already evaluating the novel technique for real-world use.
