Researchers developed a script that correctly guesses smart device users' PIN entries 74 percent of the time on the first try, based on the device's sensor readings while the code is being entered.

Researchers in the UK have uncovered a technique that lets malicious websites spy on smart device owners, and even decipher their screen touches and PIN entries, by silently monitoring the devices' sensor data.

As part of their study, researchers from Newcastle University created a JavaScript program called PINlogger.js that uses machine learning to perform a side-channel attack guessing Android users' four-digit PINs, based on how they move and orient their devices while entering the codes.

A test of PINlogger.js using a sample set of 50 PINs found that the script was able to correctly guess a user's PIN 74 percent of the time on the first try, 94 percent of the time by the third attempt, and 100 percent of the time by the fifth try. Furthermore, PINlogger.js does not need to be trained on a specific user's typing patterns, and works regardless of how the user holds the device.

"Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe - the device will tilt in a certain way and it's quite easy to start to recognize tilt patterns associated with touch signatures that we use regularly," said senior research associate Dr. Siamak Shahandashti in a Newcastle press release issued on Tuesday.

In a paper published on Friday by the International Journal of Information Security, the researchers further warned that sensor data gleaned from phones, fitness trackers and other connected devices can also be used to determine the exact time that a user received a phone call and even what mode of transportation a person is using based on their movements (e.g. walking vs. bus vs. train).

Some of these attack scenarios could already be realistically pulled off today by cybercriminals, said research fellow and lead paper author Dr. Maryam Mehrnezhad, in an email interview with SC Media. "Recognizing simple patterns such as phone call timing, or physical activities (sitting, walking, running, etc.) can easily be practical," said Mehrnezhad. "For instance, you don't want an insurance company to know if you are an active person, or a lazy person."

According to the research report, many sensors within mobile devices – examples include the gyroscope, proximity sensor, rotation sensor and accelerometer – can have their readings tracked by a website or application without any permission prompt to the user. Consequently, malicious or compromised websites that embed PINlogger.js or a similar script can take advantage of this policy to spy on a user's mobile activity, with no notification to alert the victim.

Depending on the browser, PINlogger.js in some cases doesn't even need the user to be actively viewing the browser tab that's displaying the malicious website. "On some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious [scripts] and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter," said Mehrnezhad in the press release. "And worse still, in some cases, unless you close [the pages] down completely, they can even spy on you when your phone is locked."

According to the press release, certain mobile browser vendors including Mozilla (Firefox) and Apple (Safari) have "partially fixed the problem" in response to the research. As a precaution, Firefox now limits JavaScript access to motion and orientation sensors to only top-level documents and same-origin iframes, while Safari will not allow access to motion and orientation sensor data when the web view is hidden. "However, we believe the implemented countermeasures should only serve as a temporary fix rather than the ultimate solution," the report states.
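The following is an added illustration, not code from the Newcastle paper or from PINlogger.js itself. It models the two halves of what the article describes: a page script that registers ordinary `devicemotion` and `touchstart` listeners (no permission prompt is involved) and slices the readings into one window per touch, and a "browser" that decides whether each reading is delivered at all. The delivery policy is an assumption of this example, modelled as two boolean checks on the embedding context that mirror the Firefox-style (top-level or same-origin iframe only) and Safari-style (not while hidden) fixes; the vendors' real implementations are not reproduced here. `FakeSensorTarget`, the sensor trace and the touch timestamp are constructed so the example runs under Node; in a real page the collector would be started on `window`.

```javascript
// Added example, not code from the Newcastle paper or PINlogger.js.
// (1) an in-page script harvesting motion readings and aligning them with touches,
// (2) a "browser" that delivers each reading only if a mitigation policy allows it.

// Assumption: the vendor mitigations are modelled as two boolean checks on the
// embedding context. ctx = { isTopLevel, isSameOriginFrame, isVisible }.
function sensorAccessAllowed(ctx, policy) {
  if (policy.restrictToTopLevelOrSameOrigin && !(ctx.isTopLevel || ctx.isSameOriginFrame)) {
    return false; // Firefox-style: only top-level documents and same-origin iframes
  }
  if (policy.blockWhenHidden && !ctx.isVisible) {
    return false; // Safari-style: no readings while the web view is hidden
  }
  return true;
}

const POLICY_NONE = { restrictToTopLevelOrSameOrigin: false, blockWhenHidden: false }; // pre-fix behaviour
const POLICY_FIREFOX_STYLE = { restrictToTopLevelOrSameOrigin: true, blockWhenHidden: false };
const POLICY_SAFARI_STYLE = { restrictToTopLevelOrSameOrigin: false, blockWhenHidden: true };

// Constructed stand-in for window's addEventListener/dispatchEvent.
class FakeSensorTarget {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, new Set());
    this.listeners.get(type).add(fn);
  }
  removeEventListener(type, fn) { this.listeners.get(type)?.delete(fn); }
  dispatchEvent(ev) { for (const fn of this.listeners.get(ev.type) ?? []) fn(ev); }
}

// Attacker side: listen exactly as a page script would, keep every reading,
// and cut out the readings around each touch as one feature window per keypress.
class MotionCollector {
  constructor(target) {
    this.target = target;
    this.samples = [];
    this.touches = [];
    this.onMotion = this.onMotion.bind(this);
    this.onTouch = this.onTouch.bind(this);
  }
  start() {
    this.target.addEventListener('devicemotion', this.onMotion);
    this.target.addEventListener('touchstart', this.onTouch);
  }
  stop() {
    this.target.removeEventListener('devicemotion', this.onMotion);
    this.target.removeEventListener('touchstart', this.onTouch);
  }
  onMotion(ev) {
    const a = ev.accelerationIncludingGravity ?? {};
    const r = ev.rotationRate ?? {};
    this.samples.push({ t: ev.timeStamp, ax: a.x, ay: a.y, az: a.z,
      alpha: r.alpha, beta: r.beta, gamma: r.gamma });
  }
  onTouch(ev) { this.touches.push(ev.timeStamp); }
  // Readings within +/- halfWidthMs of a timestamp.
  windowAround(t, halfWidthMs) { return this.samples.filter(s => Math.abs(s.t - t) <= halfWidthMs); }
  touchWindows(halfWidthMs) { return this.touches.map(t => this.windowAround(t, halfWidthMs)); }
}

// Constructed trace: 8 readings 10 ms apart, with a tilt (beta) spike at the
// single constructed touch at t = 40 ms.
const CONSTRUCTED_TRACE = Array.from({ length: 8 }, (_, i) => ({
  t: i * 10,
  acc: { x: 0.1 * i, y: 9.8, z: 0.2 },
  rot: { alpha: 0, beta: i === 4 ? 3.0 : 0.1, gamma: 0 },
}));
const CONSTRUCTED_TOUCHES = [40];

// Browser side: deliver a reading to the page only if the policy allows it.
function deliverMotionSample(target, ctx, policy, sample) {
  if (!sensorAccessAllowed(ctx, policy)) return false;
  target.dispatchEvent({ type: 'devicemotion', timeStamp: sample.t,
    accelerationIncludingGravity: sample.acc, rotationRate: sample.rot });
  return true;
}

// Replay the trace against a collector embedded in context `ctx` under `policy`.
// Touches only reach a visible page, so a hidden tab sees motion but no touches.
function simulate(ctx, policy) {
  const target = new FakeSensorTarget();
  const collector = new MotionCollector(target);
  collector.start();
  let delivered = 0;
  for (const s of CONSTRUCTED_TRACE) {
    if (ctx.isVisible && CONSTRUCTED_TOUCHES.includes(s.t)) {
      target.dispatchEvent({ type: 'touchstart', timeStamp: s.t });
    }
    if (deliverMotionSample(target, ctx, policy, s)) delivered++;
  }
  collector.stop();
  return { delivered, collector };
}
```

Under `POLICY_NONE` a hidden top-level tab still receives every reading (the scenario Mehrnezhad describes), while `POLICY_SAFARI_STYLE` delivers nothing to it and `POLICY_FIREFOX_STYLE` delivers nothing to a cross-origin iframe. Note that these are the 2017 mitigations the article reports; later Safari releases on iOS additionally require a user-gesture-driven `DeviceMotionEvent.requestPermission()` call before motion events are delivered, so a page script today should feature-detect that method before registering listeners.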

SC Media has reached out to Apple and Mozilla for comment.

According to Mehrnezhad, device users need to be educated on the dangers of mobile sensor technology. "The problem [will] get more serious when smart kitchens, smart homes, smart buildings, and smart cities are equipped with multiple sensor-enabled devices connected via IoT," Mehrnezhad told SC Media.