PIN Skimmer offers a new side channel attack against mobile devices
Researchers with the University of Cambridge revealed just how effective PIN Skimmers can be.
Unlike most cryptographic attacks – where hackers may use malicious software and take advantage of programming vulnerabilities – a side-channel attack collects data using the physical properties of a device.
In the study, “PIN Skimmer: Inferring PINs Through The Camera and Microphone,” authors Laurent Simon and Ross Anderson explore how a mobile device's front camera and microphone can be used to determine four- and eight-digit passcodes – and with great efficacy too.
“The microphone is used to detect touch events, while the camera is used to estimate the smartphone's orientation and correlates it to the position of the digit tapped by the user,” according to the study. “The mobile application collects touch-event orientation patterns and later uses learnt patterns to infer PINs entered in a sensitive application.”
The researchers tested the malicious application and server components against Android-powered Nexus S and Galaxy S3 smartphones and discovered that, from a set of 50 four-digit passcodes, the PIN Skimmer could unlock a device 30 percent of the time after two guesses, and 50 percent of the time after five guesses.
From a set of 200 eight-digit passcodes, the PIN Skimmer unlocked the device 45 percent of the time after five attempts and 60 percent of the time after 10 attempts.
Despite the relatively high success rates within a fairly moderate number of attempts, the findings have not impressed everyone.
“I am skeptical about the applicability,” Erik Bataller, a principal security consultant for mobile and cloud security company Neohapsis, told SCMagazine.com on Tuesday. “It just seems a bit cloak-and-dagger for the average Joe trying to compromise a cell phone.”
Nathaniel Couper-Noles, also a principal security consultant for Neohapsis, told SCMagazine.com on Tuesday that acoustic and visual side-channel attacks have been around for a while and, he added, more will undoubtedly pop up over time.
“Recently, a motion sensor was used in a proof-of-concept to infer passwords via rogue app,” Couper-Noles said.
He added, “The short version is there are a lot of ways that your password could get breached, whether you enter it in public or not. I think of mobile device passwords as akin to the locks on our doors – meant to keep good people honest. Real attackers will come through the windows, or take down the walls if they have to.”