Major tech firms including Google, Firefox and Apple are reportedly working with a team of researchers from the UK's Newcastle University who found evidence that hackers may be able to steal PINs and passwords by analysing how devices are held.
Cybersecurity experts suggest in a new study that the growing number of motion sensors in our mobile phones may be putting our personal data at risk. They warned that out of 25 sensors in phones only a small amount ask the user to give them permission to access the device.
By analysing the movement of the device as information is typed, the team said it was possible to "crack" four-digit passwords with 70% accuracy on the first guess and 100% by the fifth – all due to the information recorded up by the phone's internal sensors.
The study found each user touch action – clicking, scrolling, holding and tapping – can be monitored and tracked. On a known webpage, the team claimed to be able to determine what part of the page the user was clicking on and even what they were typing.
"Smartphones, tablets, and other wearables are equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope," said Dr Maryam Mehrnezhad, lead author of the study.
He continued: "Malicious programmes can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.
"More worrying, on some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.
How to stay secure:
- Close background apps when you are not using them and uninstall unsed apps
- Keep your phone's operating system and apps up to date and only install applications from approved app stores
- Audit the permissions that apps have on your phone and scrutinise all permissions requested
"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked."
Mehrnezhad added that despite the real risks, the general public appears to be more concerned about camera and GPS sensors over their more covert cousins.
The power of 'tilt patterns'
"It's a bit like doing a jigsaw – the more pieces you put together the easier it is to see the picture," said Dr Siamak Shahandashti, a senior research associate and co-author on the study, published in the International Journal of Information Security.
He added: "Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe - the device will tilt in a certain way and it's quite easy to start to recognise tilt patterns."
The team's next target of investigation will be fitness trackers, which also take advantage of sensor technology to operate, and store an increasing amount of user data. Shahandashti hypothesised these "pose a whole new threat" due to the type of movement records they store.
Major firms including Google and Apple have been informed, but the experts said no full fix has been developed – yet. Some mobile browsers have reportedly "partially fixed the problem" but Mehrnezhad noted: "It's a battle between usability and security."