Security is an issue that concerns us all. Companies have taken great pains to make our mobile devices more and more hermetic, allowing us to move our privacy away from other people’s eyes through passwords, patterns, PINs, fingerprints, iris, and facial scanners. However, these measures are not perfect and far from guaranteeing total security, and a recent study demonstrates this. If you are someone who uses a PIN, keep reading because you are not protected.
A study carried out by the Nanyang Technological University (NTU) of Singapore has discovered a new and huge security breach that hackers can exploit to guess your PIN. How? Almost all Android devices use the sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.
With the information obtained from these six different sensors and a sort of machine learning and deep learning algorithms, NTU researchers have managed to unlock any Android smartphone protected with a PIN with a 99.5% success rate. In only three attempts, enough so that the device does not lock and that’s just testing with the 50 most common PIN numbers.
To date, the best results in cracking of smartphones have been a 74% accuracy with the 50 most commonly used PINs. The technique developed by the NTU can be used to guess and work in each of the 10,000 possible combinations that can be done with four digits. The study, led by Dr. Shivam Bhasin, Senior Research Scientist at NTU’s Temasek Laboratories, used the data obtained from the above-mentioned sensors to guess what numbers had been clicked by the user, based on the phone’s tilt and how much light was blocked by the fingers when pressing said buttons.
When you hold your phone and enter the PIN, the way in which the phone moves when you press 1, 5 or 9 is different. So, pressing button 1 with your right thumb blocks more light than when you press button 9. – Dr. Bhasin, project researcher
The classification algorithm they developed was trained with data obtained from three people who entered a set of 70 four-digit PIN codes in a random way while collecting information from the sensors. The algorithms gave a given importance to each sensor depending on how sensitive it was according to the number being pressed, which helped to eliminate false positives and increase the success rate.
It is not the first time that we find vulnerabilities in the sensors. Recently it was discovered that using information of public access crossed with the data of the sensors of our smartphone could geolocate us with a lot of ease. Both this research and this concludes that it is necessary for applications to request permission to access these components.
Finally, Dr. Bashin states that users who have a PIN should try to make it more than four digits as much as possible or use other authentication methods, such as passwords, fingerprints or face recognition. What is clear is that it seems that we are not as safe as we think, and something as simple as the light that covers our thumb at the press of a button can reveal our password and provide access to all our data.
