Passwords. They're both the most loved and most feared part of security and, it turns out, they might not be all that secure.
According to research by a team at Nanyang Technological University (NTU) in Singapore, hackers can use 'easily-accessible' information from a phone's sensors to determine a PIN code - and the method is successful more than 99 per cent of the time.
The team combined data gathered from six different sensors, such as the accelerometer and gyroscope, with machine learning and deep learning algorithms. They were able to unlock Android phones that used one of the 50 most common PINs within just three tries, with 99.5 per cent accuracy.
Before NTU's work, the previous best record was 74 per cent accuracy. This new technique, says the team, can be used to guess all 10,000 possible combinations of four-digit PINs.
The work is based on data gathered by the sensors, such as the light blocked by a finger when it is over the screen and which way the phone has been tilted. The researchers can use that information to model which numbers make up the pass code.
"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different," said team leader Dr Shivam Bhasin. "Likewise, pressing 1 with your right thumb will block more light than if you pressed 9."
Using these sensors requires no permissions to be given by the phone user; they are openly available for all apps to access. The team built a custom app and installed it on the phones to collect the data that they needed.
Professor Gan Chee Lip, director of the Temasek Laboratories at NTU, said: "This has significant privacy implications that both individuals and enterprises should pay urgent attention to."
The classification algorithm uses deep learning to increase success rates. While a malicious app using the same approach might not be able to correctly guess a PIN immediately after being installed, over time it would gather enough data to enable an attack.
Bhasin said that, in future, mobile operating systems should restrict access to the sensors used. He added that using PIN codes with more than four digits, as well as other methods like biometrics or two-factor authentication, would increase security.