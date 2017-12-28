Security researchers are warning smartphone users that malicious applications can access sensor data tracked by the handsets and use the information to reveal the PIN used to secure the device.

The attack works against both Android and iOS devices and does not require the attacker to obtain any special access from the user, according to research published by Nanyang Technological University (NTU) in Singapore.

Three scientists from the university demonstrated how easy it is to obtain sensitive information from the sensors embedded in most modern smartphones by writing an app of their own and installing it on a number of devices.

The app, built for Android, silently collected data from six separate sensors: the accelerometer, which measures acceleration; the gyroscope, which measures orientation and rotation; the magnetometer, which measures the surrounding magnetic field; the proximity sensor, which detects nearby objects without physical contact; the barometer, which measures atmospheric pressure; and the ambient light sensor, which measures environmental light levels.

Each of those sensors serves a legitimate purpose (the accelerometer is essential for fitness tracking and the ambient light sensor adjusts screen brightness to save battery, for instance), but each also leaks potentially revealing information about how the user handles the device.

An algorithm built into the researchers' app analyzed the data collected from the sensors and used it to identify the individual keystrokes the user made on the touchscreen. Because a tap on one part of the screen tilts and jolts the handset slightly differently from a tap on another part, the sensor readings around each tap reveal which key was pressed, and therefore the password or PIN used to unlock the device.

The researchers fed the algorithm sensor data from 500 random samples to see whether it could decode the user's PIN. It guessed the PIN correctly on the first try with 99.5 percent accuracy, an improvement on earlier work that achieved a success rate of 74 percent.

That troubling success rate comes with a caveat: the PINs used in the study were drawn from a list of the 50 most common four-digit PINs. When expanded to the full range of possible PINs (there are 10,000 possible four-digit combinations of the digits zero through nine), the success rate dropped.

Even with the full range of possible PINs in play, the algorithm was still able to guess a user’s PIN within 20 tries 83.7 percent of the time.
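The pipeline the article describes (per-tap sensor readings, a classifier that turns each tap into a ranked set of digits, and a ranked list of whole-PIN guesses scored by a "recovered within N tries" metric) can be reconstructed in miniature. The block below is an added illustration, not the NTU team's code or data: the keypad layout, the assumption that an off-centre tap rocks the phone in proportion to the key's offset from the centre, the three constructed features (gyroscope roll and pitch plus a lateral accelerometer jolt) and the noise level are all made up for the demo, and `simulate_tap`, `train_centroids`, `rank_pins` and `evaluate` are hypothetical names. It generalizes the article's four-digit case to any PIN length by keeping only the best few digits per position, which is why longer PINs add taps to classify rather than combinations to try.

```python
"""Toy model of the sensor side-channel: tap position -> tilt -> digit -> PIN.

Added example, not the researchers' code. The keypad geometry, the tilt model
and the noise level below are assumptions chosen for illustration only.
"""
import itertools
import math
import random

# Assumed 3x4 numeric keypad: (column, row) offsets from the key "5".
KEYPAD = {
    "1": (-1, -1), "2": (0, -1), "3": (1, -1),
    "4": (-1, 0),  "5": (0, 0),  "6": (1, 0),
    "7": (-1, 1),  "8": (0, 1),  "9": (1, 1),
    "0": (0, 2),
}
DIGITS = sorted(KEYPAD)
SIGMA = 0.2  # assumed per-feature noise (std dev) of a single tap


def simulate_tap(digit, rng, noise=SIGMA):
    """One tap as three constructed sensor features: gyroscope roll and pitch
    (the phone rocks toward the pressed key) and a lateral accelerometer jolt.
    A real attack fuses more sensors; three are enough to show the idea."""
    col, row = KEYPAD[digit]
    roll = 0.8 * col + rng.gauss(0, noise)
    pitch = 0.6 * row + rng.gauss(0, noise)
    lateral = 0.3 * col + rng.gauss(0, noise)
    return (roll, pitch, lateral)


def train_centroids(rng, taps_per_digit=200, noise=SIGMA):
    """Attacker's training phase: average the features of labelled taps."""
    centroids = {}
    for d in DIGITS:
        taps = [simulate_tap(d, rng, noise) for _ in range(taps_per_digit)]
        centroids[d] = tuple(sum(t[i] for t in taps) / len(taps) for i in range(3))
    return centroids


def digit_probabilities(sample, centroids):
    """Nearest-centroid classifier with a Gaussian likelihood, normalised to 1."""
    weights = {}
    for d, c in centroids.items():
        dist2 = sum((s - ci) ** 2 for s, ci in zip(sample, c))
        weights[d] = math.exp(-dist2 / (2 * SIGMA ** 2))
    total = sum(weights.values())
    return {d: w / total for d, w in weights.items()}


def rank_pins(samples, centroids, beam=4):
    """Ranked PIN guesses from one tap sample per digit. Keeping only the `beam`
    most likely digits per position gives beam**len(samples) candidates instead
    of 10**len(samples), so the cost grows with PIN length, not the key space."""
    per_pos = []
    for s in samples:
        probs = digit_probabilities(s, centroids)
        per_pos.append(sorted(probs.items(), key=lambda kv: -kv[1])[:beam])
    candidates = []
    for combo in itertools.product(*per_pos):
        pin = "".join(d for d, _ in combo)
        score = math.prod(p for _, p in combo)
        candidates.append((pin, score))
    candidates.sort(key=lambda ps: -ps[1])
    return [pin for pin, _ in candidates]


def guesses_needed(pin, samples, centroids, beam=4):
    """1-based rank of the true PIN in the guess list, or None if it was pruned."""
    ranking = rank_pins(samples, centroids, beam)
    return ranking.index(pin) + 1 if pin in ranking else None


def evaluate(n_trials=300, pin_len=4, max_tries=20, seed=1, noise=SIGMA):
    """Attack n_trials random PINs; report first-try and within-max_tries rates."""
    rng = random.Random(seed)
    centroids = train_centroids(rng, noise=noise)
    first = within = 0
    for _ in range(n_trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_len))
        samples = [simulate_tap(d, rng, noise) for d in pin]
        rank = guesses_needed(pin, samples, centroids)
        first += rank == 1
        within += rank is not None and rank <= max_tries
    return {"first_try": first / n_trials, f"within_{max_tries}": within / n_trials}


if __name__ == "__main__":
    print(evaluate())
    print(evaluate(pin_len=6))
```

Run it as-is to see the two rates for four- and six-digit PINs; raise `SIGMA` (noisier sensors, or a sampling rate throttled by the OS) and watch the within-20 rate fall, which is the knob a mitigation such as rate-limiting sensor access while a keypad is on screen would turn.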

The researchers also warned that the methodology could be scaled to longer PINs. That is a troubling development, because longer PINs are usually considered more secure: more digits make them harder to crack by brute force or guessing. But the attack laid out by the researchers is not guessing. It decodes each keystroke from sensor data, so each extra digit simply adds one more tap to classify rather than multiplying the number of combinations an attacker must try, and the length of the PIN offers little protection.

Making the attack all the more troubling is the fact that reading sensor data often does not require the app to request any special permission when it is installed. Access to these sensors is largely unfettered.

Apple and Google could mitigate malicious use of sensor data by requiring apps to request permission before they are allowed to read it. Until then, users can only hope they are not inadvertently revealing personal information every time they touch their device's screen.