In a typical smartphone, there are about 25 sensors, often only a few millimeters in size, which make it a kind of digital Swiss pocket knife.
Magnetometer and Accelerometer make the device a compass, the barometer tells the fitness app how many levels you have already climbed, the brightness sensor automatically controls the display light, and the gyroscope registers rotations, such as rotating the screen or controlling games.
Researchers from Newcastle University have now shown that it is theoretically possible to conclude from some of these sensory data on information that should remain secret. From the motion data of the gyroscope, they were able to derive a four-digit PIN code with 70% probability in the first experiment. In the fifth trial, the hit rate was even 100 percent.
According to the researchers, the smartphone manufacturers are aware of this security risk. A solution or even the will to sacrifice user friendliness in favor of security, they would not have. In a press release, Maryam Mehrnezhad, the author of the study in the International Journal of Information Security, writes: “Because apps and websites do not need permission to access most of the sensors, malicious programs can” spy “the sensor data Sensitive information such as telephone times, physical and tactile activities such as PIN and passwords.
Hackers can easily misuse just the gyroscope that measures the rotations. The sensor is one of those, for whose use many apps do not have to ask as with Camera or GPS after permission. Every tap, every squeezing and pushing movement, every tilt of the phone leaves a unique pattern that can be interpreted.
Siamak Shahandashti, the co-author of the study, explains the danger: “It’s a bit like a puzzle, the more parts you put together, the better you can see the whole picture.” Each sensor contributes to the puzzle Of personal information is always better to recognize. “Personal fitness gadgets that transfer the movements of the wrist to an online profile are a whole new threat,” adds the scientist.
The researchers from Newcastle were able to show during the course of their study that a website or app, which activates sensors secretly, can grab data in some browsers as long as the tab remains open in the background – in some cases, even when the smartphone is in the blocked state.
Who then, for example, enters his online banking PIN, by his movements indirectly reveals the combination of numbers. “People are much more worried about the data of the camera or the GPS, the quiet sensors are usually underestimated,” says Mehrnezhad.
As early as 2011, researchers at the Georgia Institute of Technology demonstrated that the acceleration sensor or the microphone of an iPhone could translate keyboard strokes into actual words. For this, the smartphone had only to lie on the desk next to the desktop PC. And Stanford researchers were able to convert the motion sensor into a microphone in 2014 to listen to conversations.
To close security gaps like this, the researchers at Newcastle University also want to work with the industry. Until a solution comes in, users should be able to master security monitoring: keep the operating system up-to-date, change passwords regularly, close tabs, and download apps only from trustworthy sources.