Stealing PINs via Mobile Sensors
Most Smartphones, Tablets and other wearables are now packed with wide range of sensors such as GPS, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC, to name a few. While these sensors can provide more features and functionalities to the end users, they also raise serious threats to the privacy and security of the users.
According to the new study published in International Journal of the Information Security, researchers at Newcastle University discovered such an attack that could allow hackers to potentially crack your PIN and other information by monitoring sensor’s data, like the angle and motion of your phone while you are typing or navigating through it.
How it works
The extent of vulnerability to various attacks varies browser to browser and to a lesser degree also depends on which operating system the browser runs on.
Browser provided by Chinese-US Web services company Baidu has the most chances of passing sensitive data from malicious websites open directly or in background tabs, even when the device screen is off. However Safari, Firefox and Google Browser for iOS restricted access to sensor data when the sites were loaded in background tabs.
Fix PinLogger.js Hack
Results were sent to the makers of these browsers. Mozilla and safari partially fixed the problem by suspending the availability of sensor data when pages are hidden but this also restricts the useful applications to run.
Although this in-browser attack via mobile sensor is new but the in-app vulnerabilities have been reported and exploited for years. Yet the problem is not fixed and this will probably expand with the rapid development in sensor-enabled devices in the IoT.
The Study concluded that designing a practical solution seems to be very complex hence a general mechanism for secure and usable sensor data management remains a crucial open problem for future research. To achieve a balance between Security and Usability, an extensive study is required towards designing a “permission framework”.
Another good read is the User Data made available by Maryam Mehrnezhad on reading sensor data upon entering 4 Digit PIN
[…] https://blog.drhack.net/motion-detection-pin-logger-hack/ […]