Friday, May 24, 2024

Hackers can Recover Smart Phone PIN by combining Data Available in Sensors

Security PIN plays a vital role in protecting sensitive application such as banking applications, Wallets, and unlocking screen. It remains as a valuable asset to keep our data confidential.

Security researchers Nanyang Technological University, University of Applied Sciences and Cyber and Information Security Group, published a paper indicating that PIN can be reconstructed by combining the pieces of data available from the sensors.

Information Gathered from Sensors

In Smartphones, there are no permission restrictions(zero-permission) for sensors which may allow attackers to collect sensitive information from the sensors and reconstruct the PIN with a malicious app.

Researchers tested with the data collected from Accelerometer, gyroscope, magnetometer, proximity, barometer, ambient light, and rotation vector sensors to reconstruct the PIN.

The possibility of a PIN is between 0 to 9 and for entering PIN it requires users to move hand as well as tilting or rotating the smartphone and the smartphone also move therefore it is possible to find each specific number based on the hand movement by reading the information from sensors.

Also Read Acoustic Attack Against HDDs Can Cause Permanent Damage CCTV DVR, PCs, ATMs

Researchers say’s “they able to classify all 10,000 PIN combinations, results show up to 83.7% success within 20 tries in a single user setting. Latest previous work demonstrated 74% success on a reduced space of 50 chosen PINs, where we report 99.5% success with a single try in a similar setting.”

Attack Scenario

If attackers inject malicious code into victim smartphone it samples the sensor data and analyzes the acquired training data. then sampling done with unknown PINs and the classification is done based on the profile generated in the training phase and then the results are classified. Researchers published a PoC explaining technical details.

Researchers proposed Single Digit Classification approach and Cross-user Exploitation.The first approach is to use the complete data stream and to associate it to the combination of keys during the training phase and the second approach is to identify each digit in the sensor data individually.

Recover Smart Phone PIN

The cross-user setting is, that it allows the training to be done by different users than the attack. This increases the chances of successful attacks in practical scenarios, where a malicious application can learn from several users to recover PIN of a new user.

Researchers concluded that we used single-digit classification methodology to recover and the data acquired are used to train MLP neural network and the best results are obtained from the accelerometer.They believe the cross-user exploitation that it is possible to boost the success rate of the attack, by training with a pool of users and attacking one of them, rather than just training on the target user.

Preventive Measures – Recover Smart Phone PIN

Limiting the frequency of sensors may reduce the attack feasibility, also we can disable the sensors while entering the PIN.

However, it is a temporary one and researchers suggested to rethink sensors access in smartphones.With zero-permission sensors, attackers can go beyond PIN recovery.Attackers can learn user behavior, location etc.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles