Feeds

Snooping on movement can reveal smartphone PINs

Accelerometer as attack vector

Beginner's guide to SSL certificates

It’s not the first time boffins have proposed the use of smartphone accelerometers as an attack vector, but it’s scarily efficient: with as few as five guesses, Swarthmore College researchers say they can use phone moments to reveal user PINs.

As noted in his paper (PDF - Practicality of Accelerometer Side Channels on Smartphones, lead author Dr Adam Aviv says phones' movements have been investigated as an attack vector before. Prior work has, however, used the phone’s gyroscope – or a combination of gyro and accelerometer – as the input sensor, and with relatively low accuracy (he cites a test that gave a worst case needing 81 guesses to arrive at the correct PIN).

This new study collected 9,600 samples from 24 users both sitting and walking, and tested both pinpad and swipe-pattern data entry. The data-gathering apps installed on the test phones captured the phones’ movements during PIN/swipe entry, and matched these against a database of known patterns:

“In controlled settings ... with the participants sitting still] our prediction model can on average classify the PIN entered 43% of the time and pattern 73% of the time within 5 attempts when selecting from a test set of 50 PINs and 50 patterns. In uncontrolled settings, while users are walking, our model can still classify 20% of the PINs and 40% of the patterns within 5 attempts.”

The paper suggests that accelerometer data should be denied to untrusted applications “when sensitive touchscreen input is being provided to other applications” – noting, however, that the all-or-nothing model for trusting Android applications is insufficient to protect against such attacks.

The phones tested in the study were the Nexus One, Nexus S, HTC’s Droid Incredible, and the T-Mobile G2. ®

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?