Cyber researchers at UK’s Newcastle University have recently demonstrated how easy it is to steal a four-digit PIN by analyzing the way your phone tilts and moves as you type. According to AppleInsider, researchers say that web browsers don’t need to ask permission for most sensor data, and that motion data in particular can be used by hackers to learn many things about their targets.
The analysts, who used a JavaScript exploit to run the malware needed to gather data, showed that it was possible to crack a four-digit PIN with 70% accuracy on the first guess, and reach 100% accuracy by the fifth.
The researchers also revealed that companies like Apple and Google were alerted of the problem, but only Safari and Firefox have been “partially” fixed. Google is believed to be aware of the trouble, but without any fix so far.
Apple’s software fix came with iOS 9.3, released in March last year. That update also introduced Night Shift and secure Notes, while solving a security gap in iMessage. It proved problematic in its own right though, creating issues with Activation Lock and Web links that Apple had to fix in short order.
Apple also cited the researchers in question iOS 9.3’s security notes:
WebKit
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A website may be able to track sensitive user informationDescription: A hidden web page may be able to access device-orientation and device-motion data. This issue was addressed by suspending the availability of this data when the web view is hidden.
CVE-ID
CVE-2016-1780 : Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao of the School of Computing Science, Newcastle University, UK
The following video gives you an idea of how hackers can use motion sensor data to hack your phone’s PIN:
