Smart Phone Sensors Can Be Monitored by Hackers To Steal Passwords

Hackers Can Monitor Your Smart Phone and Steal Sensitive Data as such PasswordS!

Are you aware of the various types of sensors present within your smartphone? What about the data that is gathered by these sensors regarding your digital and physical activities? The truth is, the current crop of cellphones all contain a gamut of sensors, including the accelerometer, proximity sensor, magnetometer, pedometer, gyroscope, microphone, camera, and NFC. But now, scientists from Newcastle University have come across the startling revelation that the very same sensors can be used by hackers to guess passwords and PIN numbers with surprising accuracy. How is this possible? Well, according to the research team, the hackers gather data from the sensors, such as the motion and angle of your cellphone, during typing.

The problem is more acute than you think because there are plenty of malicious applications and websites that access different internal sensors inside your smartphone without any kind of permission in the first place. So, even when you access a protected site over HTTPS for entering your password, it makes no difference.

Related: How to Spy on Smartphones using this App

No Way to Prevent Apps from Gaining Access to Your Phone Sensor’s Data

Most of the time, smartphone applications will request your permission to access the sensors like microphone, camera, and GPS. However, in the past few years, the boom in fitness and gaming apps has led mobile operating systems to allow installed apps to allow data gathering from the various motion sensors, including the proximity sensor, the gyroscope, the accelerometer, and the NFC. However, this means that any dangerous application can utilize the data for its own negative purpose. The same goes for malicious websites.

This growing trend among mobile websites and apps to “listen in” secretly to your sensor data without your express permission can have serious consequences. It can be used for discovering a huge range of sensitive information, like physical activities, phone call durations, and even touch activities, like passwords and PIN numbers.

How an Attack Happens

The UK scientists conducted a number of tests and recorded video of an attack that collected data from almost 25 sensors present within the smartphone. The video clearly shows the malicious script gathering sensor data from an Apple device.

The scientists created a malicious JavaScript file that could access the sensors and track the usage data. This malicious script could easily be loaded onto a website or embedded within a website without the knowledge of the users. Once the user pays a visit to the rogue site or installs a malicious app, the attacker can spring into action. They begin recording whatever the victim types on their device while the malicious website or script runs in the phone’s background. The malicious script will not stop gathering data from the different sensors until it has the information required to guess the passwords and PIN. Once the right information has been identified, it is sent to the server of the attacker.

Identifying Passwords and PINs with Great Accuracy

Using the data collected from the orientation and motion sensors in 50 different devices, the researcher team was correctly able to identify four-digit PINs on their first try. While their accuracy was 74 percent at that point, it increased to 100 percent on the fifth attempt. The collected data also revealed to the scientists whether users scrolled or tapped, what part of the page they clicked on, and what was being typed on the mobile web page.

Related: Remotely Hack Any Smartphones

According to the researchers, this project was nothing more than a demonstration to raise awareness about the presence of sensors within the smartphones which apps often access without your permission. There are still many vendors who haven’t included restrictions for this in the regular built-in permissions system.

In spite of the risks, when asked about the sensors that concerned them the most, respondents were more bothered by their GPS and camera than the other silent sensors. The team has forwarded the results of their findings to the major browser providers like Apple and Google. The response has been quite positive so far, and some browsers like Safari and Mozilla have already taken measures to address the issue, at least partly so that users are better protected. However, the team is still hard at work, collaborating with the bigwigs within the industry to create a more effective solution.