UK boffins steal smartmobe PINs with motion sensors

W3C API exposes sensors, so attackers only need JavaScript to follow your fingers

By Richard Chirgwin


Updated with Apple fix

The World Wide Web Consortium might want to take another look at its habit of exposing too much stuff to application interfaces: a UK researcher has demonstrated that a JavaScript app can spy on smartphone sensors to guess the codes users employ to unlock the devices.

The attack, published in the International Journal of Information Security, wouldn't be possible if it weren't for a convenient API to motion sensors.

The researchers, led by Dr Maryam Mehrnezhad of Newcastle University in the UK, found that a JavaScript app can get enough information from motion sensors to crack 70 per cent of four-digit PINs at the first try.

By the third attempt, Mehrnezhad's “PINlogger.js” script is correctly guessing 94 per cent of PINs.

As Mehrnezhad explains in the Newcastle University media release, “mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords”.

If a user was tricked into loading the PIN-logger into one tab of a browser, and ran a banking app in another tab, Mehrnezhad reckons the script can also snoop on their bank logins.

The paper explains that vendors probably didn't think in-browser access to motion sensors would be so revealing because of their low sampling rates.

Mehrnezhad's team had already identified single digits from smartphone sensors, including “click, scroll, and zoom and even the numpad’s digits”. With PINlogger.js, the group extends their work to capturing 4-digit sequences.

“W3C specifications do not specify any policy and do not discuss any risks associated with this potential vulnerability,” the paper notes.

The Register has previously noted the W3C's aggressive attitude to exposing new and intrusive interfaces to Websites. Privacy researcher Lukasz Olejnik has highlighted potentially harmful Web APIs for battery charge and Bluetooth devices.

Mehrnezhad doesn't call for review or removal of the APIs, but says browser providers haven't yet come up with a solution. ®

Update: Apple didn't make any noise about it, but it's blocked this issue in its latest round of security updates. It now bars access to sensor information unless the Web view is active. ®
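
The policy described in the update, delivering sensor data only while the view is active, can be modelled in a few lines of JavaScript; this is an added example, not code from the paper, Apple or the W3C. `guardMotionSensors`, `isActive` and the `EventTarget` standing in for `window` are assumptions, and the same wrapper gives a site owner an audit trail of which listeners subscribe to motion events on their own page.

```javascript
// Added example (not from the article): gate motion-sensor events on view
// activity and record every sensor listener registration for audit.
const SENSOR_EVENTS = new Set(["devicemotion", "deviceorientation"]);
// Hypothetical helper: sensor listeners run only while isActive() is true.
// Does not cover the ondevicemotion property or the Generic Sensor API.
function guardMotionSensors(target, isActive) {
  const audit = [];            // one entry per sensor listener registration
  const wrappers = new Map();  // event type -> Map(original -> gated listener)
  const add = target.addEventListener.bind(target);
  const remove = target.removeEventListener.bind(target);
  target.addEventListener = (type, listener, options) => {
    if (!SENSOR_EVENTS.has(type) || typeof listener !== "function") {
      return add(type, listener, options);   // non-sensor events pass through
    }
    const entry = { type, delivered: 0, suppressed: 0 };
    audit.push(entry);
    const gated = (event) => {
      if (!isActive()) { entry.suppressed++; return; }  // view inactive: drop
      entry.delivered++;
      listener.call(target, event);
    };
    if (!wrappers.has(type)) wrappers.set(type, new Map());
    wrappers.get(type).set(listener, gated);
    return add(type, gated, options);
  };
  target.removeEventListener = (type, listener, options) => {
    const gated = wrappers.has(type) ? wrappers.get(type).get(listener) : undefined;
    return remove(type, gated || listener, options);
  };
  return audit;
}

// Constructed scenario: two samples while active, three while in the background.
function demo() {
  const view = new EventTarget();   // stand-in for window
  let active = true;                // stand-in for "visible and focused"
  const audit = guardMotionSensors(view, () => active);
  let samplesSeen = 0, clicks = 0;
  const onMotion = () => { samplesSeen++; };
  view.addEventListener("devicemotion", onMotion);
  view.addEventListener("click", () => { clicks++; });
  for (let i = 0; i < 2; i++) view.dispatchEvent(new Event("devicemotion"));
  active = false;                   // user switches to another tab
  for (let i = 0; i < 3; i++) view.dispatchEvent(new Event("devicemotion"));
  view.dispatchEvent(new Event("click"));
  view.removeEventListener("devicemotion", onMotion);
  active = true;
  view.dispatchEvent(new Event("devicemotion"));  // listener already removed
  return { samplesSeen, clicks, audit };
}
```

A page-level wrapper like this only binds scripts loaded after it on the same page; stopping a script in a background tab, as in the scenario above, has to be enforced by the browser itself.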
