It’s no secret that smartphone PIN codes are not perfect, but new research suggests they might be next to worthless. A team of scientists at Newcastle University in the U.K. was able to guess a user’s phone PIN code with nothing more than data from the device’s sensors.
In a paper published in the International Journal of Information Security, researchers demonstrated how a phone’s gyroscope — the sensor that tracks the rotation and orientation of your wrist — could be used to guess a four-digit PIN code with a high degree of accuracy. In one test, the team cracked a passcode with 70 percent accuracy. By the fifth attempt, the accuracy had gone up to 100 percent.
It takes a lot of data, to be sure. The Guardian notes users had to type 50 known PINs five times before the researchers’ algorithm learned how they held a phone when typing each particular number. But it highlights the danger of malicious apps that gain access to a device’s sensors without requesting permission.
“Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors,” Dr. Maryam Mehrnezhad, a research fellow in the Newcastle University School of Computing Science and lead author on the paper, said. “But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data.”
The risk extends beyond PIN codes. In total, the team identified 25 different smartphone sensors which could expose compromising user information. Worse still, only a small number — such as the camera and GPS — ask the user’s permission before granting access to that data.
The sensor data is precise enough to track behavior. Using “orientation” and “motion trace” data, the researchers were able to determine what part of a web page a user was clicking on and what they were typing.
“It’s a bit like doing a jigsaw — the more pieces you put together, the easier it is to see the picture,” Dr. Siamak Shahandashti, a senior research associate in the School of Computing Science and co-author on the study, said.
Mehrnezhad said the team reached out to leading browser providers to alert them to the issue and that Mozilla and Safari have implemented fixes. But she said that researchers are still working with the industry to find a better fix.
“We all clamor for the latest phone with the latest features and better user experience but because there is no uniform way of managing sensors across the industry, they pose a real threat to our personal security,” Mehrnezhad said. “It’s a battle between usability and security.”