Smartphone PIN
The driver types the PIN code to open the rented Smart Car2Go car via the app at a parking center in Berlin, Oct. 26, 2017. Carsten Koall/Getty Images

If there is one thing you can count on not changing, it is that attackers will keep looking for new ways around security systems. Thankfully, there are also those in the security community working to keep a step ahead of them.

A new study by researchers at Singapore’s Nanyang Technological University (NTU) found that attackers could use data collected by a smartphone’s own sensors to guess the PIN that unlocks it. Instruments like the “accelerometer, gyroscope and proximity sensors represent a potential security vulnerability,” according to an NTU statement Tuesday.

To prove the point, the researchers fed data gathered by six sensors on Android smartphones into machine-learning and deep-learning algorithms, which then guessed the PINs with 99.5 percent accuracy within three attempts. The caveat is that the PINs tested were drawn from the 50 most commonly used four-digit combinations, so the algorithms ranked their guesses over a small candidate set rather than all 10,000 possible PINs. Even so, three guesses fit comfortably inside the handful of failed attempts a lock screen typically permits before it starts imposing delays, and the previous best result against the same 50 most common PINs was a success rate of 74 percent.

The attack rests on the fact that pressing different keys on a smartphone’s numeric keypad tilts the phone at slightly different angles and blocks varying amounts of light from reaching its sensors, so each keypress leaves a distinct trace in the sensor readings.

“When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9,” Shivam Bhasin, who led the 10-month study, explained in the statement.

To collect training data, the researchers first installed a custom app on the smartphones that logged readings from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor. They then had three people each enter 70 random four-digit PINs while the app recorded the sensor readings, and used the labelled recordings to train a deep-learning classifier.

From this data, the classifier learned which sensors reacted most to each keypress, and how much weight to give each of them, accounting for the sensors’ differing sensitivities and for differences in how individuals enter a PIN. As more data was gathered, its success rate at guessing the PIN improved.
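The following is an added illustration of how such a classifier ranks PINs from a sensor trace; it is not code from the NTU study or the paper. Everything in it is constructed: the per-key sensor signatures, the noise level, the size of the training set, and the 50-entry candidate list that stands in for the study’s 50 most common PINs. A nearest-centroid classifier is used as a deliberately simple stand-in for the researchers’ deep-learning model. It also shows why the study’s restriction to common PINs matters, by ranking the same sensor traces once over that short list and once over all 10,000 four-digit PINs.

```python
"""Toy model of a sensor-fusion PIN inference attack (constructed example)."""
import random
import statistics

# Keypad layout: digit -> (column, row); the 0 key sits below the 8.
KEYPAD = {
    d: (col, row)
    for row, line in enumerate(("123", "456", "789", " 0 "))
    for col, d in enumerate(line)
    if d != " "
}


def digit_signature(digit):
    """Constructed noise-free sensor reading for pressing one key.

    Tilt (accelerometer, gyroscope) follows where the thumb lands on the
    keypad; light and proximity change more for keys near the top, where the
    thumb covers more of the sensor housing ("1 blocks more light than 9").
    """
    col, row = KEYPAD[digit]
    return (
        (col - 1) * 1.0,        # acc_x: sideways tilt
        (row - 1.5) * 1.0,      # acc_y: forward/back tilt
        (row - 1.5) * 0.8,      # gyro_x: rotation while reaching up or down
        (col - 1) * 0.8,        # gyro_y: rotation while reaching sideways
        0.3 * row + 0.1 * col,  # light: less is blocked for lower keys
        1.0 - 0.2 * row,        # proximity: thumb nearer the sensor for top keys
    )


def observe_keypress(digit, rng, sigma):
    """One noisy keypress: the signature plus per-channel Gaussian noise."""
    return [v + rng.gauss(0.0, sigma) for v in digit_signature(digit)]


def observe_pin(pin, rng, sigma):
    """Sensor trace for typing a PIN: one observation per keypress."""
    return [observe_keypress(d, rng, sigma) for d in pin]


def train_centroids(rng, sigma, samples_per_digit=40):
    """Training phase: mean sensor vector per digit from labelled keypresses,
    standing in for volunteers typing known PINs while a logging app records."""
    centroids = {}
    for digit in KEYPAD:
        samples = [observe_keypress(digit, rng, sigma) for _ in range(samples_per_digit)]
        centroids[digit] = [statistics.fmean(channel) for channel in zip(*samples)]
    return centroids


def rank_pins(trace, centroids, candidates):
    """Attack phase: order candidates by the total squared distance between each
    observed keypress and the centroid of the digit the candidate puts there.
    Per-position distances (4 x 10 values) are computed once and reused, so
    ranking all 10,000 PINs costs little more than ranking 50."""
    dists = [
        {d: sum((o - c) ** 2 for o, c in zip(obs, centroids[d])) for d in centroids}
        for obs in trace
    ]
    return sorted(candidates, key=lambda pin: sum(dists[i][d] for i, d in enumerate(pin)))


def build_candidate_list():
    """Constructed 50-entry list standing in for the study's 50 most common PINs."""
    pins = [str(d) * 4 for d in range(10)]                             # 0000 ... 9999
    pins += ["".join(str(d + i) for i in range(4)) for d in range(7)]  # 0123 ... 6789
    pins += [p[::-1] for p in pins[10:]]                                # 3210 ... 9876
    pins += [f"{a}{b}{a}{b}" for a in range(10) for b in range(10) if a != b][:26]
    return pins[:50]


def evaluate(seed=7, sigma=0.6, trials=100, k=3):
    """Top-k success rate for the same traces ranked two ways: over the 50-entry
    candidate list (the study's setting) and over all 10,000 four-digit PINs.
    The noise level is chosen so single keypresses are often ambiguous."""
    rng = random.Random(seed)
    centroids = train_centroids(rng, sigma)
    candidates = build_candidate_list()
    all_pins = [f"{n:04d}" for n in range(10_000)]
    hits_prior = hits_blind = 0
    for _ in range(trials):
        pin = rng.choice(candidates)
        trace = observe_pin(pin, rng, sigma)
        hits_prior += pin in rank_pins(trace, centroids, candidates)[:k]
        hits_blind += pin in rank_pins(trace, centroids, all_pins)[:k]
    return hits_prior / trials, hits_blind / trials


if __name__ == "__main__":
    with_prior, blind = evaluate()
    print(f"top-3 over the 50 common PINs: {with_prior:.0%}")
    print(f"top-3 over all 10,000 PINs:    {blind:.0%}")
```

Because the candidate list is a subset of the full PIN space and the scores are identical in both rankings, the true PIN can never rank worse on the short list than it does over all 10,000 PINs; with noisy keypresses the gap is large, which is the effect the study’s “50 most common PINs” caveat is pointing at.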

Because reading these sensors does not require any explicit permission from the user, a malicious app installed on a large number of smartphones could harvest sensor data unnoticed and, given enough of it, guess the PINs of many devices.

In Bhasin’s opinion, people should use PINs longer than four digits, or use other authentication methods for their smartphones. He also said that mobile operating systems should restrict access to the six sensors tested by the NTU researchers to trusted apps only.

Gan Chee Lip of NTU, who was not directly involved with the study, said in the statement: “Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour. This has significant privacy implications that both individuals and enterprises should pay urgent attention to.”

The paper, titled “There Goes Your PIN: Exploiting Smartphone Sensor Fusion Under Single and Cross User Setting,” appeared online Dec. 6 in the Cryptology ePrint Archive, an open-access preprint server maintained by the International Association for Cryptologic Research.