Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
Insecure Smartphone Sensors: How Phones May Inadvertently Reveal Credentials

By Zoltán G. Verified by Adam B. Last updated: July 17, 2024

Normally we do everything to keep our smartphones intact: the device is put into a case, the screen is reinforced with a transparent film, and it might even be kept separately in a bag while out and about. We also take countermeasures to protect the data saved to the phone’s storage by locking it with a pattern, a PIN code, a password or our fingerprint.

But according to Murphy’s law, if something can go wrong, it will go wrong: plastic films won’t protect the screen from breaking, and PIN codes may not be as secure as you think, especially if an experimental app like the one developed by Singapore’s Nanyang Technical University (NTU) can unlock the smartphone simply by relying on the device’s sensors.

Betrayed by the sensors

In order for the smartphone to be… well, smart, the device is equipped with many sensors, such as a gyroscope, an accelerometer, a barometer or a magnetometer. These can detect various things, including orientation, altitude, external light conditions, and physical proximity to the human ear, which is used to lock the screen when calling someone.

So how do PIN codes come into this? According to Dr Shivam Bhasin, a senior research scientist at the NTU, this is because “when you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9”.

Using this knowledge, Dr Bhasin and his team of researchers created an Android app that collected data from six of the smartphone’s sensors and fed it into an algorithm that also recorded the relevant sensor readings.

Soon the algorithm was capable of giving different weightings of importance to each of the sensors, and this information was enough for the researchers to break into phones with a whopping 99.5% accuracy within three tries.

This means that if an app working on the same principle as the one created by the NTU’s researchers were to be released, over time it would be able to learn PIN codes, or even passwords, simply by tracking users’ data entry patterns.

Sensor data: no permission granted

Aside from creating this monstrosity of an app, the study has demonstrated the danger that comes with the smartphone’s physical sensors: they are extremely vulnerable to hacker attacks, since apps can access them without requiring permission from the user. In simpler words, by spying on sensor data, a malicious application could easily reveal the most valuable information, such as PIN codes and passwords.

According to Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, the solution is pretty simple: the phone’s OS should never give apps permission to access information from the phone’s sensors by default. Instead, it should be the users who choose whether they wish to permit the app to access sensor data.

A valuable moral for password managers

This study clearly shows that even the most trusted authentication methods, like the PIN code, can be compromised, and that it’s up to users and developers to prevent sensitive data from being stolen. Thankfully, the best password management solution providers have already realized this: most of the password managers that we have tested use Google Authenticator, an app that generates random six-digit codes that expire after a minute, therefore preventing malicious apps from ever guessing what the code is.

Still, password management apps for smartphones do provide the option to replace the default master password with a simpler four-digit PIN code. But now that we’ve seen what the NTU’s app is capable of, it’s better to be safe than sorry and either switch to biometric authentication or stick to typing in the good old master password.

