The Sensors in Your Phone Are Giving Hackers Your Passwords & Other Secret Information
It's safe to say most of us know the dangers we face online. We know there are people trying to steal our most sensitive information, and we try our best to prevent that theft. But new research shows that what we're doing might not be enough, as the sensors in our phones may be telling hackers everything they want to know.
Researchers at Newcastle University in the United Kingdom have discovered ways for personal information to be compromised using the sensors built into our phones. Because the phone records motion data as we type passwords and PINs into webpages and more, hackers could potentially guess a four-digit password on the first try about 70 percent of the time. If that isn't shocking enough, after five attempts, that rate shoots to 100 percent.
Dr. Maryam Mehrnezhad, who is a Research Fellow in the School of Computing Science, was involved in writing the paper on the security issue.
Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer. But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.
In other words, apps and websites can monitor your phone's internal sensors, and if they were embedded with a certain type of malicious code, they could use this information to guess a PIN or password you entered. Of the 25 sensors discovered to be playing a part in this issue, only a few actually ask the user for permission before activating for certain apps. The rest are always on by default.
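One defensive check that follows from this, as an added example that is not from the Newcastle paper or the original article: a short JavaScript audit that flags which scripts on a page reference the browser's motion and orientation sensor APIs, and whether they come from a third-party origin. The event and class names are standard web platform names; the URLs and script bodies are constructed samples, and the pattern match is a heuristic that obfuscated code would evade.

```javascript
// Added example: flag scripts that reference motion/orientation sensor APIs.
// API names below are standard web platform names, not taken from the article.
const SENSOR_PATTERNS = [
  { api: "devicemotion", re: /(["'`])devicemotion\1|\bondevicemotion\b/ },
  { api: "deviceorientation",
    re: /(["'`])deviceorientation(?:absolute)?\1|\bondeviceorientation(?:absolute)?\b/ },
  { api: "generic-sensor",
    re: /\bnew\s+(?:Accelerometer|LinearAccelerationSensor|GravitySensor|Gyroscope|Magnetometer|AbsoluteOrientationSensor|RelativeOrientationSensor)\s*\(/ },
];

// scripts: [{ url: string|null, source: string }]; a null url means inline.
// Returns one finding per script that touches a sensor API, marking whether
// the script is served from a different origin than the page (third party).
function auditSensorUse(pageUrl, scripts) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const { url, source } of scripts) {
    const apis = SENSOR_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.api);
    if (apis.length === 0) continue;
    const origin = url ? new URL(url, pageUrl).origin : pageOrigin;
    findings.push({ script: url || "(inline)", apis, thirdParty: origin !== pageOrigin });
  }
  // Third-party sensor users are listed first: they deserve the closest review
  // on any page that also contains a PIN or password field.
  return findings.sort((a, b) => Number(b.thirdParty) - Number(a.thirdParty));
}

// Constructed sample input: hypothetical page, URLs and script bodies.
const SAMPLE_SCRIPTS = [
  { url: "/static/app.js", source: "document.querySelector('#pin').focus();" },
  { url: "/static/compass.js", source: "const g = new Gyroscope({ frequency: 10 }); g.start();" },
  { url: "https://ads.example.net/t.js",
    source: "window.addEventListener('devicemotion', onMotion);" },
  { url: null, source: "window.ondeviceorientation = handler;" },
];

const report = auditSensorUse("https://bank.example.com/login", SAMPLE_SCRIPTS);
for (const f of report) {
  console.log(`${f.thirdParty ? "THIRD-PARTY" : "first-party"}  ${f.script}  ${f.apis.join(",")}`);
}
```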
The report details how every movement we make with our phones, including every tap, gesture, or scroll, can be stored and used as clues for identifying personal information, or how users enter that personal information. According to the report, fitness bands are also a contributing risk, as they, by design, record how we move and when.
At the moment, there is no practical solution to prevent these attacks. Apple and Google, among other browser producers, have been contacted about the issue, and have been working with the cyber team at the university. Reportedly, some have produced so-called "partial-solutions," but nothing complete.
Until a true solution is available, the Newcastle University team has detailed preventative measures you can take to protect yourself from this type of theft:
- Make sure you change PINs and passwords regularly so malicious websites can't start to recognise a pattern.
- Close background apps when you are not using them and uninstall apps you no longer need.
- Keep your phone operating system and apps up to date.
- Only install applications from approved app stores.
- Audit the permissions that apps have on your phone.
- Scrutinise the permissions requested by apps before you install them and choose alternatives with more sensible permissions if needed.
It's certainly an interesting and unexpected wrinkle in the ongoing saga of mobile security, so as always, stay safe!