Is your smartphone really a phone or just a tinier computer? It’s a question that’s getting increasingly hard to answer as people use their handheld devices for tasks that were traditionally reserved for desktops or notebooks. To support a wealth of rich features and technologies like sharp graphics and tactile feedback, smartphones have come to be equipped with all sorts of sensors. The more complex the machine, however, the greater the security risk.
Case in point: British researchers from Newcastle University showed that simply by monitoring and interpreting data recorded by a phone’s sensors, such as the accelerometer, gyroscope, or magnetometer, they could infer a person’s four-digit PIN. When people tap in their PIN, the phone has a distinct orientation and motion that can be used to guess the code.
The team led by Maryam Mehrnezhad developed an artificial neural network (algorithms loosely modeled after the neuronal structure of the human brain) to guess the PIN from input sensor data. The team proved last year that they could access this sensor data by attacking the phone through a JavaScript exploit delivered through the phone’s browser. A user only had to click on a link for an attacker to get hold of all the sensor data, and for some browsers, like Apple’s Safari, this worked even if the phone was locked after the link was clicked.
The system was initially trained with sensor data sourced from controlled smartphones where the PIN was known. After a couple of rounds, the researchers were able to figure out a user’s PIN 74 percent of the time on the first try. On the third try, the number rose to 94 percent, the researchers reported in the International Journal of Information Security. Does that shock you? I’ve heard crazier things. Last year, researchers stole data from computers by using little more than the sound emitted by the cooling fans inside.
Mehrnezhad says they’ve informed all the browsers of the exploits, and these have reportedly been fixed, but that’s not to say there aren’t other loopholes.
“A combination of different approaches might help researchers devise a usable and secure solution. Having control on granting access before opening a website and during working with it, in combination with a smart notification feature in the browser would probably achieve a balance between security and usability,” the researchers recommended in their paper.
The study clearly shows smartphones are a lot more vulnerable than some people care to think. The fact that smartphone data is so tempting will make attacks even more common and sophisticated. Ten years ago, if your computer got hacked, you risked a lot of damage, like having your emails scraped or credit card information stolen. When this happens to a smartphone today, you lose that and much more. That’s because our smartphones know our lives far more intimately. We bring them with us everywhere and use them to instant message friends, buy things online, navigate our surroundings, and so on. If someone knows what they’re doing, they can learn about you and your darkest secrets, maybe even better than you know them yourself.
It’s not only smartphone users who should be worried. Everything is getting ‘smarter’. All major cities, especially those being designed from the ground up today, like some experiments in Dubai or Singapore, will be crowded with sensors that record everything from pollution to the weather to traffic. Then there are networked driverless cars, thermostats, fridges, and even toasters, collectively classed under the Internet of Things (IoT). This huge wealth of data will make our lives better, but at the same time companies need to be aware of the rising security vulnerabilities.