Phone accelerometers can give away your password

[VVoltor]

Researchers at Newcastle University have been able to guess 4-digit pin codes with amazing accuracy, just by analysing the data from rotation sensors, gyroscopes, and accelerometers. Unlike you camera and GPS for instance, mobile apps and websites don't need to ask permission to access this information.

Quote

Using data collected by mobile device’s hardware tracking systems, the team was able to crack four digit PINs with 70-percent accuracy on the first try, with 100-percent accuracy by try number five.

[...]

Dr Mehrnezhad said: "On some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open [another one], then they can spy on every personal detail you enter.

"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

 

Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said may not be such a big deal because:

Quote

...the researchers required a lot of data from users: each had to type 50 known pin numbers in, five times over, before it learned enough about how they hold their phones to guess a hidden pin with 70% accuracy.

But with no uniform way of managing sensors across the industry, when research such as Mehrnezhad’s shows flaws, it can be difficult for manufacturers to give a coordinated response.

A malicious app running in the background can record as much data as it wants, and there are indeed a lot of different phones with different sensors out there, but I assume targeting the most used devices like the iPhone 6/7 and Samsung Galaxies would yield a pretty good result. Not to mention the accuracy improvements that can be made by combining the data from thousands of users, as well as being able to enter passwords multiple times so 100% accuracy wouldn't even be necessary.

 

Quote

And while major players are aware of the problem, actually addressing it could prove easier said than done.

 

“All mobile platforms[…] are aware of this problem,” she says. “We reported it to them, and ever since we’ve been in touch with them, we’ve been trying to fix this problem together. It’s still ongoing research on both sides. But we’re in contact with these communities to figure out the best solution.”

I don't see why websites would ever need to have access to this data, especially without asking permission. Anyone?

 

With malicious apps it might be a bigger concern. I don't think most people even think about whether an app really needs to be granted certain permissions, so even adding a checkbox on first launch of an app to confirm it can use these sensors wouldn't have much effect I guess.

 

 

 

Sources:

https://techcrunch.com/2017/04/10/pin-gathering-mobile/

http://www.techradar.com/news/scientists-find-a-way-to-crack-your-phones-password-using-just-the-accelerometer

https://www.theguardian.com/technology/2017/apr/11/tilted-device-could-pinpoint-pin-number-for-hackers-study-claims

 

[tlink]

this is why i have a password not a 4 digit code.

[Zando_]

6 digit code for me. I've got Touch ID, so I don't have to actually type it in that much. 

33 minutes ago, VVoltor said:

 

I don't see why websites would ever need to have access to this data, especially without asking permission. Anyone?

Agree! What do they need that info for?

[VVoltor]

3 minutes ago, tlink said:

this is why i have a password not a 4 digit code.

True, that might be the safest option. However, the majority of people probably opt for simplicity over security.

 

And my banking app for instance, only asks for a 5 digit code.... No way to put a password there. 

 

Also, this is just a test done at this university. I have a feeling the accuracy could be improved by collecting a lot more data, especially when people use words and common numbers like dates in their passwords. It would be easy to figure out most peoples passwords with only like 60% accuracy.

[tlink]

1 minute ago, VVoltor said:

True, that might be the safest option. However, the majority of people probably opt for simplicity over security.

 

And my banking app for instance, only asks for a 5 digit code.... No way to put a password there. 

 

Also, this is just a test done at this university. I have a feeling the accuracy could be improved by collecting a lot more data, especially when people use words and common numbers like dates in their passwords. It would be easy to figure out most peoples passwords with only like 60% accuracy.

yea banks should really strengthen their phone apps with a rolling code generator or for example by scanning the nfc chip in your card. (or both would be ideal)

[Bensemus]

Seems like just adding permissions to those sensors would solve the issue. Normal websites don't need accelerometer to function so hardly anything would be negatively impacted.

 

That is pretty cool that they were able to guess the codes just off that data though.

[vorticalbox]

3 hours ago, tlink said:

this is why i have a password not a 4 digit code.

wouldn't matter they way you move your hands when you type will give it away regardless of length.

 

3 hours ago, tlink said:

yea banks should really strengthen their phone apps with a rolling code generator or for example by scanning the nfc chip in your card. (or both would be ideal)

 my bank has a password and then a pass code 6+ length which it randomly askes for 3 of them. You under them with drop down lists so no typing. 

[tlink]

1 hour ago, vorticalbox said:

wouldn't matter they way you move your hands when you type will give it away regardless of length.

 

 my bank has a password and then a pass code 6+ length which it randomly askes for 3 of them. You under them with drop down lists so no typing. 

it's not the length, its the full size keyboard that makes the difference and im using a custom keyboard that has a very small market.

[Stefan1024]

3 hours ago, Bensemus said:

Seems like just adding permissions to those sensors would solve the issue. Normal websites don't need accelerometer to function so hardly anything would be negatively impacted.

 

That is pretty cool that they were able to guess the codes just off that data though.

The data can be used fore navigation when the GPS signal is bad or disturbed.

There are quite a lot of websits needing such data. Even youtube needs it for the 360 degree videos.

 

Also about a year ago I saw a research to log your (desktop) keyboard strokes when your phone lay next to to. Surly it works even better when you directly track the phone with a much better mechanical connection.

 

[Mira Yurizaki]

3 minutes ago, Stefan1024 said:

The data can be used fore navigation when the GPS signal is bad or disturbed.

There are quite a lot of websits needing such data. Even youtube needs it for the 360 degree videos.

 

Also about a year ago I saw a research to log your (desktop) keyboard strokes when your phone lay next to to. Surly it works even better when you directly track the phone with a much better mechanical connection.

 

Still, the principle of least privilege applies. If the website needs it, it should ask for it.

[Castdeath97]

Yay my university got mentioned in LTT!

 

Back to topic, good thing we have text passwords and finger print readers then.

[SansVarnic]

Windows Hello for my phone hahaha. Iris detection FTW.

[SpaceGhostC2C]

8 hours ago, VVoltor said:

 Unlike you camera and GPS for instance, mobile apps and websites don't need to ask permission to access this information.

 

4 hours ago, Bensemus said:

Seems like just adding permissions to those sensors would solve the issue. Normal websites don't need accelerometer to function so hardly anything would be negatively impacted.

Yes, fortunately it has a very simple solution (that, frankly, shouldn't even be necessary)

1 hour ago, Stefan1024 said:

The data can be used fore navigation when the GPS signal is bad or disturbed.

There are quite a lot of websits needing such data. Even youtube needs it for the 360 degree videos.

1 hour ago, M.Yurizaki said:

Still, the principle of least privilege applies. If the website needs it, it should ask for it.

Yes, the question isn't so much why could it potentially be useful, as why would it be given by default (or even not possible not to give)

6 minutes ago, SansVarnic said:

Windows Hello for my phone hahaha. Iris detection FTW.

NSA & co. agrees (iris or fingerprint, all the same to them as long as they can physically force you to unlock it). And of course anyone with physical, or even picture access to you.

[Kobathor]

8 hours ago, tlink said:

this is why i have a password not a 4 digit code.

My phone only lets me use a 4-digit PIN if I want to use my fingerprint sensor. I wish I could use a regular password..

[SansVarnic]

1 minute ago, SpaceGhostC2C said:

<snip>

NSA & co. agrees (iris or fingerprint, all the same to them as long as they can physically force you to unlock it). And of course anyone with physical, or even picture access to you.

All well and dandy I suppose, I don't do social media [well I suppose LTT Forums kinda counts] so good luck on getting photo access to me.

But yeah I get what your saying.

[Doobeedoo]

Pft, just use swipe nothing to hack. Hah!

[Bensemus]

10 hours ago, Stefan1024 said:

Snip

I'm not saying no websites need access. I'm saying the number that do are a tiny percent compaired to those that don't. There is no reason to not put the sensors behind permissions as that won't hurt valid use cases and can protect against stuff like this.

[tlink]

11 hours ago, Kobathor said:

My phone only lets me use a 4-digit PIN if I want to use my fingerprint sensor. I wish I could use a regular password..

huh weird, are you using android? if you are than they would have to remove a feature to achieve that which seems really weird to do to me  

[Trixanity]

3 hours ago, Bensemus said:

I'm not saying no websites need access. I'm saying the number that do are a tiny percent compaired to those that don't. There is no reason to not put the sensors behind permissions as that won't hurt valid use cases and can protect against stuff like this.

Indeed. Websites already need to ask permission to get your location and to be able to send you notifications. So instead of all websites having access to sensor data by default they merely need to ask (which should be the industry standard). It breaks nothing. Developers still have the tools available but it's more secure for end users and developers with malicious intent don't have free reign anymore.

 

Imagine if websites had permission to get your location and send you notifications by default. Sounds like a nightmare.

 

While they're fixing this, they should also remove websites abilities to trigger vibrations (and hijack your browser with dialogue boxes) without permission.

[captain_to_fire]

Password and Touch ID for me so... 

 

I wish Apple would allow an option for both Touch ID and passcode/password for logging in for better security. 

[Stefan1024]

20 hours ago, M.Yurizaki said:

Still, the principle of least privilege applies. If the website needs it, it should ask for it.

 

18 hours ago, SpaceGhostC2C said:

 

Yes, fortunately it has a very simple solution (that, frankly, shouldn't even be necessary)

Yes, the question isn't so much why could it potentially be useful, as why would it be given by default (or even not possible not to give)

NSA & co. agrees (iris or fingerprint, all the same to them as long as they can physically force you to unlock it). And of course anyone with physical, or even picture access to you.

 

10 hours ago, Bensemus said:

I'm not saying no websites need access. I'm saying the number that do are a tiny percent compaired to those that don't. There is no reason to not put the sensors behind permissions as that won't hurt valid use cases and can protect against stuff like this.

While I agree the OS should have an access managemant for every input / sensor it is not good to request too many permissions from the user.

If you ask a "normal" user (you are probably a power user) to often for a permission they will just give it without reading. And then they also miss the very important once.

[Mira Yurizaki]

7 minutes ago, Stefan1024 said:

While I agree the OS should have an access managemant for every input / sensor it is not good to request too many permissions from the user.

If you ask a "normal" user (you are probably a power user) to often for a permission they will just give it without reading. And then they also miss the very important once.

This is a problem of balancing security with convenience. You can't have both.

 

But at least as a developer, you can say "Well you gave permission for the thing to do that" and be absolved of blame.

[Bensemus]

4 hours ago, Stefan1024 said:

While I agree the OS should have an access managemant for every input / sensor it is not good to request too many permissions from the user.

If you ask a "normal" user (you are probably a power user) to often for a permission they will just give it without reading. And then they also miss the very important once.

That is a challenge. In this case this does seem to be a more serious one as passwords can be stolen through it. 

[SpaceGhostC2C]

5 hours ago, Stefan1024 said:

 

 

While I agree the OS should have an access managemant for every input / sensor it is not good to request too many permissions from the user.

If you ask a "normal" user (you are probably a power user) to often for a permission they will just give it without reading. And then they also miss the very important once.

It might be, but that's not worse than not even asking - at worst it's equivalent  

[laminutederire]

On Tuesday, April 11, 2017 at 3:30 PM, VVoltor said:

True, that might be the safest option. However, the majority of people probably opt for simplicity over security.

 

And my banking app for instance, only asks for a 5 digit code.... No way to put a password there. 

 

Also, this is just a test done at this university. I have a feeling the accuracy could be improved by collecting a lot more data, especially when people use words and common numbers like dates in their passwords. It would be easy to figure out most peoples passwords with only like 60% accuracy.

Banking apps randomize the layout of keys to press so that makes that approach impractical !

That could be useful for passwords for social media and so on, but that accuracy you guess might be overestimated due to a lot of variations. Whether you have a huge phone or not, which keyboard layout you have (actually being french might fuck part of their system up since we have azerty keyboard and not qwerty). You have to take into account how people take their phones (one hand or two), if they are left handed or not, and so on. That creates a lot of variety which could help fool their algorithm.