Passwords. They're both the most loved and most feared part of security and, it turns out, they might not be all that secure.
According to research by a team at Nanyang Technological University (NTU) in Singapore, hackers can use 'easily-accessible' information from a phone's sensors to determine a PIN code - and the method is successful more than 99 per cent of the time.
The team combined data gathered from six different sensors, such as the accelerometer and gyroscope, with machine learning and deep learning algorithms. They were able to unlock Android phones (using one of the 50 most common PIN numbers) within just three tries, with 99.5 per cent accuracy.
Before NTU's work, the previous best record was 74 per cent accuracy. This new technique, says the team, can be used to guess all 10,000 possible combinations of four-digit PINs.
The work is based on data gathered by the sensors, such as the light blocked by a finger when it is over the screen and which way the phone has been tilted. The researchers can use that information to model which numbers make up the pass code.
"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different," said team leader Dr Shivam Bhasin. "Likewise, pressing 1 with your right thumb will block more light than if you pressed 9."
Using these sensors requires no permissions to be given by the phone user; they are openly available for all apps to access. The team built a custom app and installed it on the phones to collect the data that they needed.
Professor Gan Chee Lip, director of the Temasek Laboratories at NTU, said: "This has significant privacy implications that both individuals and enterprises should pay urgent attention to."
The classification algorithm uses deep learning to increase success rates. While a malicious app using the same approach might not be able to correctly guess a PIN immediately after being installed, over time it would gather enough data to enable an attack.
Bhasin said that mobile operating systems should restrict access to the sensors used in the future. He added that using PIN codes with more than four digits, as well as other methods like biometrics or two-factor authentication, would increase security.