Tomcat
A research team from Nanyang Technological University has once again demonstrated that smartphones running Android and iOS share a common fundamental problem. The fact is that any application (including malicious ones) can access the sensor data of a modern smartphone, without any restrictions and permissions. As a result, this information can be used by intruders, for example, to brute-force a PIN.
To prove their point of view, experts created a special Android application that was installed on test devices. At first glance, the application did nothing wrong: it just collected data from six sensors in the background: an accelerometer, a gyroscope, a magnetometer, a barometer, and proximity and ambient light sensors.
The algorithm developed by the researchers processed the information collected by the application and, on its basis, distinguished the pressing of certain keys on the on-screen keyboard of the device. The algorithm was guided by the angle of inclination of the smartphone, and also took into account the changes in external lighting during the movements of the user's fingers while typing the PIN code.
During testing, the experts worked only with sensor data obtained during 500 random PIN codes, which were provided by three participants in the experiment. Based on these test patterns, the algorithm was able to find the correct four-digit PIN with 99.5% accuracy on its first try, working with a list of the 50 most common PINs. The algorithm's accuracy dropped to 83.7% when it was offered a list of 10,000 PIN codes and was given 20 attempts each. At the same time, the researchers assure that this methodology can be easily adapted to work with longer PIN codes. Moreover, the more data an application collects, the better the algorithm "adapts".
It is worth noting that the specialists of Nanyang Technological University are far from the first information security experts who paid attention to this problem. The discussion that applications do not ask users for any permissions and can freely access device sensors has been going on for a long time. For example, a similar study in April this year was presented by analysts from the University of Newcastle, and in September a research group from Princeton University conducted an experiment and found that it is possible to track the user's geographic location using sensors, even if GPS is turned off.
In all these cases, experts urge Apple and Google developers to do a very simple thing: to solve this problem, it will be enough to oblige applications to notify users about the use of specific sensors, and also to make it mandatory to request permission for such activity.