
Snooping on movement can reveal smartphone PINs

It’s not the first time boffins have proposed the use of smartphone accelerometers as an attack vector, but it’s scarily efficient: with as few as five guesses, Swarthmore College researchers say they can use phone movements to reveal user PINs. As noted in his paper (PDF - Practicality of Accelerometer Side Channels on …

COMMENTS

This topic is closed for new posts.
Silver badge

2-step verification

Google has been pushing users to turn on 2-step verification on all Android phones and all other Google services for months now. By implementing simple security techniques like choosing a relatively complex unlock pin, changing unlock pins occasionally, and setting up the phone to automatically delete non-essential cookies daily, an Android phone with 2-step verification implemented throughout the user's Google services is a fairly secure device.

Bronze badge

Pin code but with a randomised keypad instead of a standard layout. If the location of, say, the number "4" changes every time the PIN is entered then this attack is rendered pretty much moot.

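The randomised-keypad idea above, as an added illustration that is not part of the thread: a small Python model of a PIN pad whose digit-to-slot assignment is reshuffled before every entry. An observer who learns only which slots were tapped (the accelerometer channel in the article, or a shoulder surfer watching hand position rather than the screen) recovers the PIN outright against the fixed layout. Against the shuffled layout the same observation leaves every PIN that shares the observed repetition structure, and counting those candidates shows what still leaks. All function names and the slot numbering are this example's own assumptions.

```python
import math
import random
import secrets

DIGITS = "0123456789"

# The standard, fixed layout: digit d sits in slot d.  Slot numbering is a
# convenience for this example; the real 3x4 grid geometry does not matter
# to the argument, only that the observer sees slots rather than digits.
FIXED_LAYOUT = {d: int(d) for d in DIGITS}


def shuffled_layout(seed=None):
    """Return a fresh digit -> slot assignment for one PIN entry.

    Uses the OS CSPRNG by default; a seed gives a reproducible layout for tests.
    """
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    digits = list(DIGITS)
    rng.shuffle(digits)
    return {d: slot for slot, d in enumerate(digits)}


def tap_positions(pin, layout):
    """What a position-only observer records: the slot tapped for each digit."""
    return [layout[d] for d in pin]


def decode_positions(positions, layout):
    """Map observed slots back to digits under an assumed layout."""
    inverse = {slot: d for d, slot in layout.items()}
    return "".join(inverse[p] for p in positions)


def count_consistent_pins(positions):
    """Number of PINs consistent with the observed slots when the layout is
    unknown and uniformly random.

    Only the repetition structure leaks: k distinct slots correspond to k
    distinct digits in some order, so 10!/(10-k)! PINs remain and the rest
    of the 10,000-PIN space is ruled out.  Four distinct slots leave 5040;
    a PIN like 1122 (two distinct slots) leaves only 90.
    """
    k = len(set(positions))
    return math.perm(10, k)


def demo(pin="2580"):
    # Fixed layout: the observed slots decode straight back to the PIN.
    fixed_obs = tap_positions(pin, FIXED_LAYOUT)
    recovered = decode_positions(fixed_obs, FIXED_LAYOUT)

    # Shuffled layout: the same PIN gives different slots on each entry, and
    # reading them with the fixed-layout assumption yields a wrong PIN (except
    # for the 1-in-5040 shuffles that happen to leave those four digits in place).
    layout = shuffled_layout()
    shuffled_obs = tap_positions(pin, layout)
    naive_guess = decode_positions(shuffled_obs, FIXED_LAYOUT)

    return {
        "fixed_recovered": recovered,
        "naive_guess_correct": naive_guess == pin,
        "candidates_left": count_consistent_pins(shuffled_obs),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `count_consistent_pins` is the caveat: a shuffled pad does not make tap positions worthless, it reduces them to the PIN's repetition pattern, so a four-distinct-digit PIN keeps roughly half the search space while a PIN with repeated digits is narrowed much further. The layout must also be reshuffled with a proper random source on every entry; a shuffle that repeats or is predictable restores the original attack.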
Bronze badge

I've seen this done on a website. Not sure what the point was there, but it's a great idea to prevent this phone exploit.

Gold badge

Sounds good and simple

"Pin code but with a randomised keypad instead of a standard layout."

I wonder if most devs code their own keypads or if it's bought in from a 3rd party. In which case they'd have to offer the option and the devs would have to pick it up.

Of course it would play havoc with anyone with vision problems but I presume a vocal version could be worked out for them as well.

Bronze badge

"Pin code but with a randomised keypad instead of a standard layout"

Won't that make entering the code slower and therefore more vulnerable to shoulder-surfing (or CCTV-surfing)?

Silver badge

@Martin Budden

"I've seen this done on a website. Not sure what the point was there"

Was it an online banking site? If so, the point is to stop the possibility of a trojan monitoring the position of your mouse pointer when you click on the characters of your password on screen.

Bronze badge

re: more vulnerable to shoulder-surfing

Except the spy would have to note the number of each pressed key, rather than just its position on the keypad - swings and roundabouts?

Silver badge

No swiping for unlocking please

On the tram in the morning I can easily follow the swipe codes of someone a few metres away. The image that it creates is easy to visualise and remember. For some strange reason many people tend not to hide their screen from prying eyes at that moment.

The viewing angle on some phones is also quite large, which doesn't help in hiding what's being typed/swiped on those LARGE dots/numbers.

Anonymous Coward

Re: No swiping for unlocking please

In my flavour of Android (ICS on SGS2), the visual cues of pattern unlock can be disabled


Re: No swiping for unlocking please

Yep, very easy to disable the visual tracing. Maybe they should make that the default?

Anonymous Coward

Probability

"In controlled settings ... [with the participants sitting still] our prediction model can on average classify the PIN entered 43% of the time and pattern 73% of the time within 5 attempts when selecting from a test set of 50 PINs and 50 patterns."

The key here is that the test set was 50, rather than the more typical 10,000 for a four digit pin.

If you had 50 marbles, numbered 1 to 50, there would be a 10% chance of selecting a specific desired number with any 5 random selections from a set of 50. So 43% is only four times better than random guessing. Does the software know what the valid 50 numbers are, and pick the closest match? If so, the results are not impressive.

Bronze badge

Re: Probability

With random guessing you wouldn't be getting closer to the target each time.

Bronze badge

Re: Probability

"If you had 50 marbles, numbered 1 to 50, there would be a 10% chance of selecting a specific desired number with any 5 random selections from a set of 50. So 43% is only four times better than random guessing. Does the software know what the valid 50 numbers are, and pick the closest match? If so, the results are not impressive."

Whoa there... the number 50 is the size of their test sample, and nothing to do with the number of possible PINs, so your probability calculation is meaningless. In other words, their program is being asked to guess what the PIN is, and not "guess which one of these 50 known patterns/PINs we've given you".

The way you should look at it is that each random PIN guess (having no accelerometer hints) would be right 1/10,000 of the time (ie, 0.0001). If they can guess the PIN 43% of the time with 5 guesses, then their success rate per guess is 0.43 / 5 or 0.086. So in fact their ability to guess a PIN is actually 0.086 / 0.0001 = 860 times better than chance, not four times better!


And not just your pincode

There was a fascinating presentation at a recent Cambridge Wireless event by Laurent Simon of the Cambridge University Computer Lab, who not only pointed this out, but also the fact that it's pretty easy to tell whether the user is male or female, as you get very different accelerometer signals depending on whether you carry your phone in your pocket or your handbag. And it doesn't take much imagination to realise there's a lot more you can pick up about what the user's doing.

You can download his presentation from http://bit.ly/WDpWgI

Bronze badge

Toto: So where *are* we then ?

This is interesting Social Engineering.

The first (very expensive) Telephone lines were Party Lines. The Telephone Exchange and the Telephone Booth were invented nearly simultaneously. Hmmmm ... So you have an expensive Party Line assuring that your well heeled competitors can listen in, but you "trust" them because they are well heeled like you, but you are relieved when the riff-raff can't listen in to one side of the business you are conducting.

I'm so glad to hear that the hip wired nerds are so much smarter than the elite used to be :-)
