Hackers can Recover Smart Phone PIN by combining Data Available in Sensors

Security PIN plays a vital role in protecting sensitive application such as banking applications, Wallets, and unlocking screen. It remains as a valuable asset to keep our data confidential.

Security researchers Nanyang Technological University, University of Applied Sciences and Cyber and Information Security Group, published a paper indicating that PIN can be reconstructed by combining the pieces of data available from the sensors.

Information Gathered from Sensors

In Smartphones, there are no permission restrictions(zero-permission) for sensors which may allow attackers to collect sensitive information from the sensors and reconstruct the PIN with a malicious app.

Researchers tested with the data collected from Accelerometer, gyroscope, magnetometer, proximity, barometer, ambient light, and rotation vector sensors to reconstruct the PIN.

The possibility of a PIN is between 0 to 9 and for entering PIN it requires users to move hand as well as tilting or rotating the smartphone and the smartphone also move therefore it is possible to find each specific number based on the hand movement by reading the information from sensors.

Also Read Acoustic Attack Against HDDs Can Cause Permanent Damage CCTV DVR, PCs, ATMs

Researchers say’s “they able to classify all 10,000 PIN combinations, results show up to 83.7% success within 20 tries in a single user setting. Latest previous work demonstrated 74% success on a reduced space of 50 chosen PINs, where we report 99.5% success with a single try in a similar setting.”

Attack Scenario

If attackers inject malicious code into victim smartphone it samples the sensor data and analyzes the acquired training data. then sampling done with unknown PINs and the classification is done based on the profile generated in the training phase and then the results are classified. Researchers published a PoC explaining technical details.

Researchers proposed Single Digit Classification approach and Cross-user Exploitation.The first approach is to use the complete data stream and to associate it to the combination of keys during the training phase and the second approach is to identify each digit in the sensor data individually.

The cross-user setting is, that it allows the training to be done by different users than the attack. This increases the chances of successful attacks in practical scenarios, where a malicious application can learn from several users to recover PIN of a new user.

Researchers concluded that we used single-digit classification methodology to recover and the data acquired are used to train MLP neural network and the best results are obtained from the accelerometer.They believe the cross-user exploitation that it is possible to boost the success rate of the attack, by training with a pool of users and attacking one of them, rather than just training on the target user.

Preventive Measures – Recover Smart Phone PIN

Limiting the frequency of sensors may reduce the attack feasibility, also we can disable the sensors while entering the PIN.

However, it is a temporary one and researchers suggested to rethink sensors access in smartphones.With zero-permission sensors, attackers can go beyond PIN recovery.Attackers can learn user behavior, location etc.

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting the growing, widespread use and potential…

4 hours ago

C2A Security’s EVSec Risk Management and Automation Platform Gains Automotive Industry Favor as Companies Pursue Regulatory Compliance

In 2023, C2A Security added multiple OEMs and Tier 1s to its portfolio of customers, successful evaluations, and partnerships such…

6 hours ago

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and education. The latest update, Wireshark 4.2.4,…

8 hours ago

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered platform designed to redefine how we…

8 hours ago

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information and grant unauthorized access. It's an…

9 hours ago

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the…

12 hours ago