Sunday, December 3, 2023

Hackers can Recover Smart Phone PIN by combining Data Available in Sensors

Security PIN plays a vital role in protecting sensitive application such as banking applications, Wallets, and unlocking screen. It remains as a valuable asset to keep our data confidential.

Security researchers Nanyang Technological University, University of Applied Sciences and Cyber and Information Security Group, published a paper indicating that PIN can be reconstructed by combining the pieces of data available from the sensors.

Information Gathered from Sensors

In Smartphones, there are no permission restrictions(zero-permission) for sensors which may allow attackers to collect sensitive information from the sensors and reconstruct the PIN with a malicious app.

Researchers tested with the data collected from Accelerometer, gyroscope, magnetometer, proximity, barometer, ambient light, and rotation vector sensors to reconstruct the PIN.

The possibility of a PIN is between 0 to 9 and for entering PIN it requires users to move hand as well as tilting or rotating the smartphone and the smartphone also move therefore it is possible to find each specific number based on the hand movement by reading the information from sensors.

Also Read Acoustic Attack Against HDDs Can Cause Permanent Damage CCTV DVR, PCs, ATMs

Researchers say’s “they able to classify all 10,000 PIN combinations, results show up to 83.7% success within 20 tries in a single user setting. Latest previous work demonstrated 74% success on a reduced space of 50 chosen PINs, where we report 99.5% success with a single try in a similar setting.”

Attack Scenario

If attackers inject malicious code into victim smartphone it samples the sensor data and analyzes the acquired training data. then sampling done with unknown PINs and the classification is done based on the profile generated in the training phase and then the results are classified. Researchers published a PoC explaining technical details.

Researchers proposed Single Digit Classification approach and Cross-user Exploitation.The first approach is to use the complete data stream and to associate it to the combination of keys during the training phase and the second approach is to identify each digit in the sensor data individually.

Recover Smart Phone PIN

The cross-user setting is, that it allows the training to be done by different users than the attack. This increases the chances of successful attacks in practical scenarios, where a malicious application can learn from several users to recover PIN of a new user.

Researchers concluded that we used single-digit classification methodology to recover and the data acquired are used to train MLP neural network and the best results are obtained from the accelerometer.They believe the cross-user exploitation that it is possible to boost the success rate of the attack, by training with a pool of users and attacking one of them, rather than just training on the target user.

Preventive Measures – Recover Smart Phone PIN

Limiting the frequency of sensors may reduce the attack feasibility, also we can disable the sensors while entering the PIN.

However, it is a temporary one and researchers suggested to rethink sensors access in smartphones.With zero-permission sensors, attackers can go beyond PIN recovery.Attackers can learn user behavior, location etc.


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles