Hackers could crack your PIN in just three attempts using data from motion and light sensors installed on smartphones

The sensors built into your phone could help a hacker correctly guess your PIN in just three attempts.

Researchers have built a new algorithm that reveals a person’s passcode using data from six smartphone sensors.

This data lets an attacker study the tilt of the phone and how much light is being blocked by the user’s fingers, helping reveal a four-digit PIN.

The technique has been shown to unlock Android smartphones with 99.5 per cent accuracy within three tries when guessing among the 50 most common PINs.

The previous best phone-cracking success rate was 74 per cent.

Co-author of the study Dr Shivam Bhasin from Nanyang Technological University, Singapore (NTU Singapore) said: ‘When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different.

‘Likewise, pressing 1 with your right thumb will block more light than if you pressed 9.’

The team took Android phones and installed a custom application which collected data from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.

The algorithm was trained with data collected from three people, who each entered a random set of 70 four-digit PINs on a phone that recorded their entries.

The method can be used to guess all 10,000 possible combinations of four-digit PINs.

Researchers found that as more people were analysed, the success rate was boosted as the algorithm learned more about their tendencies.

The sensors needed to gather this information are not protected by a permission, which means any installed app can read them without asking the user.

The scientists worry that this opens a door for malicious apps to bypass a phone user’s security.

Although everyone enters their PIN differently, the scientists showed that as data from more people is fed to the algorithm over time, success rates improved.

This means that while a malicious application may not be able to correctly guess a PIN immediately after installation, it could collect data from thousands of users and then launch an attack once it has learnt their behaviours.


The classification algorithm, a deep-learning model, was able to give each sensor a different weighting of importance, depending on how sensitive that sensor was to different numbers being pressed.

Dr Bhasin advises mobile operating systems to restrict access to these six sensors in future, so that users can actively choose to give permissions only to trusted apps that need them.

Dr Bhasin also advises users to use PINs with more than four digits, combined with one-time passwords, two-factor authentication and fingerprint recognition.

Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU Singapore, said this study shows how devices with seemingly strong security systems can be attacked using malicious applications to spy on user behaviour.

He said: ‘Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour.

‘This has significant privacy implications that both individuals and enterprises should pay urgent attention to.’