Researchers in the UK have uncovered a technique for malicious websites to spy on smart device owners and even decipher their screen touches and PIN entries by secretly monitoring the devices' sensor data.
A test of PINlogger.js using a sample set of 50 PINs found that the script was able to correctly guess a user's PIN 74 percent of the time on the first try, 94 percent of the time on the third attempt, and 100 percent of the time by the fifth try. Furthermore, PINlogger.js does not need to be trained on a specific user's typing patterns, and works regardless of the manner by which the user holds the device.
"Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe – the device will tilt in a certain way and it's quite easy to start to recognize tilt patterns associated with touch signatures that we use regularly," said senior research associate Dr. Siamak Shahandashti in a Newcastle press release issued on Tuesday.
In a paper published on Friday by the International Journal of Information Security, the researchers further warned that sensor data gleaned from phones, fitness trackers and other connected devices can also be used to determine the exact time that a user received a phone call and even what mode of transportation a person is using based on their movements (e.g. walking vs. bus vs. train).
Some of these attack scenarios could already be realistically pulled off today by cybercriminals, said research fellow and lead paper author Dr. Maryam Mehrnezhad, in an email interview with SC Media. "Recognizing simple patterns such as phone call timing, or physical activities (sitting, walking, running, etc.) can easily be practical," said Mehrnezhad. "For instance, you don't want an insurance company to know if you are an active person, or a lazy person."
According to the research report, many sensors and instruments within mobile devices – examples include the gyroscope, proximity sensor, rotation sensor and accelerometer – do not require the user's permission for a website or application to read them. Consequently, malicious websites running PINlogger.js or a similar embedded script can take advantage of this policy to spy on a user's mobile activities without any notification to alert the victim.
Depending on the browser, PINlogger.js in some cases doesn't even need the user to be actively viewing the browser tab that's displaying the malicious website. "On some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter," said Mehrnezhad in the press release. "And worse still, in some cases, unless you close [the pages] down completely, they can even spy on you when your phone is locked."
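As an added example (not from the article or the Newcastle paper), here are two defensive checks a site operator can apply against the script behaviour described in the two paragraphs above: a Permissions-Policy header that disables the accelerometer, gyroscope and magnetometer features for a page and every frame it embeds, and a static scan of included script text for the browser APIs that deliver motion-sensor readings. The helper names and the two sample script snippets are constructed for this example; the header name, the policy feature names and the browser APIs are real.

```javascript
// Added example, not code from the article or from the PINlogger.js research.
// Two defensive helpers for a site operator who wants to keep embedded or
// third-party scripts from reading motion sensors on their pages.

const SENSOR_POLICY_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer'];

// Build a Permissions-Policy header value such as
// "accelerometer=(), gyroscope=(), magnetometer=()".
// "()" is the empty allowlist: the feature is disabled for the page itself
// and for every iframe it embeds. Browsers that implement the W3C
// DeviceOrientation spec apply these features to both the Generic Sensor
// API and the legacy devicemotion/deviceorientation events.
function sensorPermissionsPolicy() {
  return SENSOR_POLICY_FEATURES.map((f) => `${f}=()`).join(', ');
}

// Patterns that indicate a script subscribes to motion-sensor readings.
// The pattern names are ours; the APIs matched are real browser APIs.
const SENSOR_API_PATTERNS = [
  { name: 'devicemotion-event',
    re: /addEventListener\s*\(\s*['"]devicemotion['"]/ },
  { name: 'deviceorientation-event',
    re: /addEventListener\s*\(\s*['"]deviceorientation(absolute)?['"]/ },
  { name: 'ondevice-handler',
    re: /\.ondevice(motion|orientation|orientationabsolute)\s*=/ },
  { name: 'generic-sensor-api',
    re: /new\s+(Accelerometer|LinearAccelerationSensor|GravitySensor|Gyroscope|Magnetometer|AbsoluteOrientationSensor|RelativeOrientationSensor)\s*\(/ },
];

// Scan one script's source text. Returns [{ name, line }] so a reviewer can
// see which line of which included script touches the sensors.
function findSensorAccess(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { name, re } of SENSOR_API_PATTERNS) {
      if (re.test(text)) findings.push({ name, line: idx + 1 });
    }
  });
  return findings;
}

// Constructed sample inputs: a harmless page-load beacon, and a snippet that
// subscribes to motion events and instantiates a Generic Sensor API object.
const BENIGN_SCRIPT = `
window.addEventListener('load', () => {
  fetch('/metrics', { method: 'POST', body: JSON.stringify({ page: location.pathname }) });
});`;

const SENSOR_SCRIPT = `
window.addEventListener('devicemotion', (e) => {
  samples.push([e.accelerationIncludingGravity.x, e.rotationRate.alpha]);
});
const gyro = new Gyroscope({ frequency: 60 });
`;

function demo() {
  console.log('Permissions-Policy:', sensorPermissionsPolicy());
  console.log('benign script findings:', findSensorAccess(BENIGN_SCRIPT));
  console.log('sensor script findings:', findSensorAccess(SENSOR_SCRIPT));
}

demo();
```

The header is one layer, not a complete fix: browsers have added their own restrictions since this research was published (Safari, for instance, now requires an explicit user permission before delivering motion events), and support for disabling the legacy events through Permissions-Policy varies by browser. The scanner is a coarse review aid for the scripts a page includes: it flags API use, not intent, and will miss obfuscated or dynamically loaded code, so treat a hit as a prompt to read the script rather than as a verdict.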
SC Media has reached out to Apple and Mozilla for comment.
According to Mehrnezhad, device users need to be educated on the dangers of mobile sensor technology. "The problem [will] get more serious when smart kitchens, smart homes, smart buildings, and smart cities are equipped with multiple sensor-enabled devices connected via IoT," Mehrnezhad told SC Media.