Tomcat
Professional
- Messages
- 2,689
- Reaction score
- 916
- Points
- 113
British researchers have demonstrated how JavaScript can be used to track the movement of a user's fingers - for example, when unlocking smartphones. According to the researchers, in 70% of cases their program was able to figure out the four-digit PIN the first time. The third time, the program “guessed” the unlock code in 94% of cases.
Watch your fingers
Security researchers from Newcastle University in the UK published a paper in the Journal of Infermation Security that described the ability to track user gestures on smartphones. To do this, you only need a small JavaScript application that exploits the device's motion sensor programming interfaces ( APIs ) .
According to the authors of the study, this application can collect enough information from sensors to figure out the unlock combination on the first try in 70% of cases. On the third try, the PINlogger.js script “guesses” the PIN in 94% of cases.
“Most smartphones, tablets and other wearable devices today are equipped with a variety of sensors, ranging from the well-known GPS modules, cameras and microphones to gyroscopes, range and rotation sensors, accelerometers, and NFC modules . Because mobile apps and websites don't require special permissions to access most of them, malware can secretly spy on your sensor data streams and use it to obtain a wide range of sensitive information about you, including call duration and physical activity. and even... about PINs and passwords,” the researchers said in their publication.
And that is not all
As the head of the research group, Dr. Maryam Mehrnezhad , noted in a press release , her colleagues were able to find out that in several mobile browsers, malicious code embedded in one page can monitor all user actions on all other tabs. That is, for example, if a resource containing a malicious script is open in one tab, and a bank authorization page is open in another , then the script can still intercept user-entered data. Sometimes closing the “malicious” tab will help prevent this, sometimes only closing the browser entirely.
Today, smartphones are equipped with an average of 25 different sensors . Websites and third-party applications ask the user for permission to use only a small part of these sensors - camera, microphone , GPS and a few others. The remaining sensors are used in the background without the users knowledge.
In this case, each touch of the user’s fingers on the touchpad on the device’s display is recorded as a unique data stream, including information about the orientation and movement of the device in space.
"It's like putting together a jigsaw puzzle - the more pieces you put together, the better the overall picture becomes clear," said study co-author Dr Siamak Shahandashti . - Depending on how we type on a smartphone - holding it in one hand and using only the thumb of the same hand or the fingers of the other; Whether you simply touch or swipe the screen, the device will tilt in one direction or another, and gradually it becomes very easy to notice the patterns of its movement associated with regular “touch signatures.”
According to Shahandashti, different sensors can provide a whole lot of different information about user behavior, including to figure out their passwords.
There is no solution. Is it necessary?
Researchers have notified mobile browser manufacturers about the problem, but none of them have yet figured out how to solve it once and for all. Mozilla and Apple have presented a partial solution, but it does not help in all cases.
There is, of course, a radical way - to abandon sensors in smartphones altogether or force all sites and mobile applications to request permission to access each of them. But it is unlikely that any of the manufacturers will agree to this.
As an interim protective measure, Dr. Mernejad and her colleagues suggest that users change their passwords and PINs frequently to prevent malicious scripts from detecting regular patterns, close any applications that are not currently in use, and uninstall those that are no longer needed, regularly update the software on your mobile device, do not install unverified applications from unofficial stores, and also check all the permissions that mobile applications request during installation.
However, not all experts agree that this threat deserves attention at all. “The fact that JavaScript can connect to sensors without asking permission raises questions,” comments Georgy Lagoda , technical director of the Security Monitor company . — If we are talking about iOS, then the system stops the browser at the moment when the user launches the banking application on the smartphone. In addition, different applications have completely different PIN input formats: some are numbers, some are full-fledged mobile device keyboards . This is not to mention the different resolutions and orientation of the device at the current moment. Well, and then, how will this malicious script distinguish whether the user is entering a password or just playing a toy?”
“As for the possibility of introducing such a script into a separate application, this option with iOS will most likely not work at all, and it is very unlikely that it will be able to last long in the official Google Play. I would not overestimate the threat from this script,” adds Lagoda.
(c) https://safe.cnews.ru/news/top/2017-04-12_lyuboj_iphone_mozhno_vzlomat_cherez_novuyu_dyru
Watch your fingers
Security researchers from Newcastle University in the UK published a paper in the Journal of Infermation Security that described the ability to track user gestures on smartphones. To do this, you only need a small JavaScript application that exploits the device's motion sensor programming interfaces ( APIs ) .
According to the authors of the study, this application can collect enough information from sensors to figure out the unlock combination on the first try in 70% of cases. On the third try, the PINlogger.js script “guesses” the PIN in 94% of cases.
“Most smartphones, tablets and other wearable devices today are equipped with a variety of sensors, ranging from the well-known GPS modules, cameras and microphones to gyroscopes, range and rotation sensors, accelerometers, and NFC modules . Because mobile apps and websites don't require special permissions to access most of them, malware can secretly spy on your sensor data streams and use it to obtain a wide range of sensitive information about you, including call duration and physical activity. and even... about PINs and passwords,” the researchers said in their publication.
And that is not all
As the head of the research group, Dr. Maryam Mehrnezhad , noted in a press release , her colleagues were able to find out that in several mobile browsers, malicious code embedded in one page can monitor all user actions on all other tabs. That is, for example, if a resource containing a malicious script is open in one tab, and a bank authorization page is open in another , then the script can still intercept user-entered data. Sometimes closing the “malicious” tab will help prevent this, sometimes only closing the browser entirely.
Today, smartphones are equipped with an average of 25 different sensors . Websites and third-party applications ask the user for permission to use only a small part of these sensors - camera, microphone , GPS and a few others. The remaining sensors are used in the background without the users knowledge.
In this case, each touch of the user’s fingers on the touchpad on the device’s display is recorded as a unique data stream, including information about the orientation and movement of the device in space.
"It's like putting together a jigsaw puzzle - the more pieces you put together, the better the overall picture becomes clear," said study co-author Dr Siamak Shahandashti . - Depending on how we type on a smartphone - holding it in one hand and using only the thumb of the same hand or the fingers of the other; Whether you simply touch or swipe the screen, the device will tilt in one direction or another, and gradually it becomes very easy to notice the patterns of its movement associated with regular “touch signatures.”
According to Shahandashti, different sensors can provide a whole lot of different information about user behavior, including to figure out their passwords.
There is no solution. Is it necessary?
Researchers have notified mobile browser manufacturers about the problem, but none of them have yet figured out how to solve it once and for all. Mozilla and Apple have presented a partial solution, but it does not help in all cases.
There is, of course, a radical way - to abandon sensors in smartphones altogether or force all sites and mobile applications to request permission to access each of them. But it is unlikely that any of the manufacturers will agree to this.
As an interim protective measure, Dr. Mernejad and her colleagues suggest that users change their passwords and PINs frequently to prevent malicious scripts from detecting regular patterns, close any applications that are not currently in use, and uninstall those that are no longer needed, regularly update the software on your mobile device, do not install unverified applications from unofficial stores, and also check all the permissions that mobile applications request during installation.
However, not all experts agree that this threat deserves attention at all. “The fact that JavaScript can connect to sensors without asking permission raises questions,” comments Georgy Lagoda , technical director of the Security Monitor company . — If we are talking about iOS, then the system stops the browser at the moment when the user launches the banking application on the smartphone. In addition, different applications have completely different PIN input formats: some are numbers, some are full-fledged mobile device keyboards . This is not to mention the different resolutions and orientation of the device at the current moment. Well, and then, how will this malicious script distinguish whether the user is entering a password or just playing a toy?”
“As for the possibility of introducing such a script into a separate application, this option with iOS will most likely not work at all, and it is very unlikely that it will be able to last long in the official Google Play. I would not overestimate the threat from this script,” adds Lagoda.
(c) https://safe.cnews.ru/news/top/2017-04-12_lyuboj_iphone_mozhno_vzlomat_cherez_novuyu_dyru
