Hackers Can Steal Your Passwords Just by Monitoring SmartPhone Sensors

Tuesday, April 11, 2017 Swati Khandelwal





Do you know how many kinds of sensors your smartphone has inbuilt? And what data they gather about your physical and digital activities?

An average smartphone these days is packed with a wide array of sensors such as GPS, Camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC, to name a few.

Now, according to a team of scientists from Newcastle University in the UK, hackers can potentially guess PINs and passwords – that you enter either on a bank website, app, your lock screen – to a surprising degree of accuracy by monitoring your phone's sensors, like the angle and motion of your phone while you are typing.



The danger comes due to the way malicious websites and apps access most of a smartphone's internal sensors without requesting any permission to access them – doesn't matter even if you are accessing a secure website over HTTPS to enter your password.


Your Phone doesn't Restrict Apps from Accessing Sensors' Data
Your smartphone apps usually ask your permissions to grant them access to sensors like GPS, camera, and microphone.

But due to the boom in mobile gaming and health and fitness apps over the last few years, the mobile operating systems do not restrict installed apps from accessing data from the plethora of motion sensors like accelerometer, gyroscope, NFC, motion and proximity.

Any malicious app can then use these data for nefarious purposes. The same is also true for malformed websites.

"Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera, and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer," Dr. Maryam Mehrnezhad, the paper's lead researcher, said describing the research.

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."

Video Demonstration of the Attack
Scientists have even demonstrated an attack that can record data from around 25 sensors in a smartphone. They have also provided a video demonstration of their attack, showing how their malicious script is collecting sensor data from an iOS device.

The team wrote a malicious Javascript file with the ability to access these sensors and log their usage data. This malicious script can be embedded in a mobile app or loaded on a website without your knowledge.



Now all an attacker need is to trick victims into either installing the malicious app or visiting the rogue website.

Once this is done, whatever the victim types on his/her device while the malicious app or website running in the background of his phone, the malicious script will continue to access data from various sensors and record information needed to guess the PIN or passwords and then send it to an attacker's server.


Guessing PINs and Passwords with a High Degree of Accuracy
Researchers were able to guess four-digit PINs on the first try with 74% accuracy and on the fifth try with 100% accuracy based on the data logged from 50 devices by using data collected from just motion and orientation sensors, which do not require any special permission to access.

The scientists were even able to use the collected data to determine where users were tapping and scrolling, what they were typing on a mobile web page and what part of the page they were clicking on.

Researchers said their research was nothing but to raise awareness to those several sensors in a smartphone which apps can access without any permission, and for which vendors have not yet included any restrictions in their standard built-in permissions model.

"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding," Mehrnezhad said. "So people were far more concerned about the camera and GPS than they were about the silent sensors."Mehrnezhad says the team had alerted leading browser providers such as Google and Apple of the risks, and while some, including Mozilla and Safari, have partially fixed the issue, the team is still working with the industry to find an ideal solution.

More technical details can be found in the full research paper, titled "Stealing PINs via mobile sensors: actual risk versus user perception," published Tuesday in the International Journal of Information Security.

You can now use an iPhone to log into a Windows 10 PC, Microsoft says

IDG News Service

• Sep 30, 2016 1:47 PM

Microsoft's Windows Hello is also coming to iPhones, the company says.

Apple's iPhone isn't always a good pairing for Microsoft's Windows 10 PCs, but you'll be able to use the phone's biometric authentication features to log into PCs.

Microsoft wants to kill passwords with Windows Hello, a technology that allows users to log into PCs by fingerprint, face, iris. or pattern detection. Beyond Windows 10 devices, the feature is also coming to devices, accessories, and apps that support Windows Hello.

Apple's iPhone will be able to use such an accessory or app to log in to Windows 10. At its Ignite conference this week, Microsoft said iPhone owners can use specific RSA SecurID authenticator tools on their devices to unlock Windows 10 PCs.

RSA uses gesture detection on the iPhone to log a user into Windows 10. On a trusted wireless network, the iPhone's RSA tool will automatically unlock a Windows 10 PC.

"There are other solutions coming for iPhone, too," Anoosh Saboori, senior program manager lead for OS security at Microsoft, said during a presentation at Ignite.

Microsoft believes biometric authentication is a hassle-free and secure way to access PCs and online services. There's no need to store passwords on a device.

Older Windows 10 PCs don't have fingerprint readers or infrared cameras, which are needed for biometric authentication. So Microsoft is promoting the development of devices and accessories that can connect to PCs and serve as secondary authentication devices.

The popular iPhone could serve as one such authentication device. Microsoft's Windows 10 Mobile smartphones can also be used to log into PCs and websites, but the company hasn't been selling many smartphones.

Microsoft talked about some innovative accessories that are companion Windows Hello devices. These devices have to be registered with a Windows 10 PC via a PIN and can authenticate users through USB, Bluetooth, or NFC connections.

The HID iCLASS Seos/Prox Embeddable Card looks like a regular employee badge that provides physical access to doors and buildings. But it can also be used to unlock a PC via NFC.

Yubico's YubiKey looks like a small thumb drive, but plugging it into a USB slot authenticates and logs a user into a PC. It supports multiple authentication and cryptographic protocols.

The Nymi Band smart band uses heartbeat or ECG to authenticate the user. A user needs to hold a finger on the band sensor, and the device authenticates and unlocks a PC via haptic feedback. The smart band works with PCs over Bluetooth and NFC connections.

The companion devices are primarily for unlocking PCs, not for logging into websites. To log into websites and apps, users need to be authenticated through biometrics on a PC. The credentials are verified against biometric information stored in a PC's security layer in the form of cryptographic keys.

In the future, it'll be possible to also lock PCs via Windows Hello, Saboori said. That feature could come next year.

Asus, Huawei, Fujitsu, HP, Lenovo, Xiaomi, Plantronics, Symantec, and other companies are developing devices for Windows Hello, Saboori said.

Microsoft is using authentication standards developed by FIDO Alliance, which boasts members companies like Intel, Google, ARM, Samsung, Visa, Bank of America, Qualcomm, RSA, and Lenovo.