Your PIN is at risk if you enter it while holding your phone

Mobile phone security


Malicious attacks and technology go hand in hand, but you might be surprised to know that holding your phone while entering a PIN or password could be putting you at risk of just such an attack.


A research team at Newcastle University has just published a paper in the Journal of Information Security and Applications confirming that they were able to carry out this kind of attack successfully.


How the malicious attack works


This new threat to your PIN or password exploits a weakness in mobile browsers such as Chrome, Firefox, Opera and Safari, along with many others. In these browsers, code embedded in a webpage can gain access to the orientation and tilt sensors without requiring user permission.


This makes it possible for a remote website in an inactive tab, iframe or minimised browser to collect and analyse sensor data, even when the phone is locked.


Using this data, the TouchSignatures malicious JavaScript code is able to learn the client's user activities: it can identify PIN digits with a 70% success rate on Android devices and 56% on iOS devices. These figures are for the first guess, and the success rate increases to 100% by the fifth guess.


The malicious code can work out which part of a known page the user is clicking on and what they are typing, simply through the natural tilts that happen as the user uses the phone in their hand.


The team states that neither Google nor Apple has been able to come up with an answer to the problem so far.


Our logic, however, suggests that if you are concerned by this type of malicious attack, you can simply place your phone on a fixed surface, like a table, before entering your PIN or password. We should also point out that the risks are very small indeed: to get such high PIN-cracking success rates, the team first monitored users entering a known PIN on more than 50 occasions.
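
The attack described above depends on page script subscribing to orientation and tilt events without any permission prompt. As an added example (not code from this article or from the Newcastle paper), a site owner can install a guard before any third-party script loads that logs and drops such subscriptions in its own window; `guardSensorListeners` and its `allow` option are hypothetical names.

```javascript
// Added example: audit and gate motion/orientation event subscriptions.
// guardSensorListeners and its option names are hypothetical helpers.
const SENSOR_EVENTS = ['devicemotion', 'deviceorientation', 'deviceorientationabsolute'];

function guardSensorListeners(target, { allow = () => false } = {}) {
  const originalAdd = target.addEventListener;
  const attempts = [];

  // Record who asked for sensor data and decide whether to let it through.
  function check(type, via) {
    const stack = String(new Error().stack).split('\n').slice(3).join('\n');
    const entry = { type, via, allowed: Boolean(allow(type, stack)), stack };
    attempts.push(entry);
    return entry.allowed;
  }

  target.addEventListener = function (type, listener, options) {
    if (SENSOR_EVENTS.includes(type) && !check(type, 'addEventListener')) {
      return undefined; // drop quietly: the page keeps working, gets no samples
    }
    return originalAdd.call(this, type, listener, options);
  };

  // Handlers can also be attached as target.ondevicemotion = fn; shadow those.
  for (const type of SENSOR_EVENTS) {
    let handler = null;
    Object.defineProperty(target, 'on' + type, {
      configurable: true,
      get: () => handler,
      set(fn) {
        if (handler) target.removeEventListener(type, handler);
        handler = null;
        if (typeof fn === 'function' && check(type, 'on' + type)) {
          handler = fn;
          originalAdd.call(target, type, fn);
        }
      },
    });
  }

  return {
    attempts, // audit trail: type, registration path, decision, caller stack
    restore() {
      target.addEventListener = originalAdd;
      for (const type of SENSOR_EVENTS) delete target['on' + type];
    },
  };
}
```

In a browser this would be called as `guardSensorListeners(window)` from the first script on the page. It covers only the window it is installed in; a cross-origin iframe has its own window object and is outside its reach.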

