According to the study authors, this app can gather enough information from the sensors to determine the unlock pattern on the first try in nearly 70% of cases. By the third attempt the PINlogger.js script “guesses” the PIN in 94% of cases.
“Most of today’s smartphones, tablets and wearable devices are equipped with many sensors, ranging from the well-known GPS modules, cameras and microphones to gyroscopes, proximity and rotation sensors, accelerometers and NFC modules. Since mobile apps and websites do not need any special permission to access most of them, malware can secretly monitor the data flowing from your sensors and use it to derive a variety of sensitive information about you, including call duration, physical activity and even… PINs and passwords,” the researchers say in the publication.
As the press release notes, the head of the research group, Dr. Maryam Mehrnezhad, and her colleagues found that in several mobile browsers, malicious code embedded in one page can monitor all user activity in every other tab. For example, if one tab holds a page containing a malicious script and another holds a bank’s login page, the script can still intercept what the user types. Sometimes closing the “malicious” tab is enough to stop it; sometimes only closing the browser entirely helps.
Today, smartphones are equipped with an average of 25 different sensors. Websites and third-party apps ask for permission to use only a small portion of them (the camera, microphone, GPS and a few others). The remaining sensors are used in the background without the user’s knowledge.
Each touch of the user’s finger on the device’s touch panel is recorded as a unique data stream that includes information about the orientation and movement of the device in space.
“It’s like a puzzle: the more pieces you put together, the clearer the overall picture becomes,” said study co-author Dr. Siamak Shahandashti. “Depending on how we tweet and text on a smartphone, holding it in one hand and using only the thumb of that hand or the fingers of the other, just tapping the screen or swiping a finger across it, the device tilts in one direction or another, and it gradually becomes very easy to notice the motion patterns associated with a regular ‘touch signature’.”
According to Shahandashti, the various sensors taken together can provide a great deal of information about user behaviour, enough to work out their passwords.
The researchers notified Apple and the other mobile browser vendors about the problem. In iOS 9.3 the company implemented a fix to protect against this vulnerability. Mozilla is also known to have shipped a partial fix that helps in some cases.
A radical solution would be to drop sensors from smartphones altogether, or to make every website and mobile app request permission to access each of them. But it is unlikely that any manufacturer will do this.
As an interim protective measure, Dr. Mehrnezhad and her colleagues advise users to change passwords and PINs frequently so that malicious scripts cannot identify regular patterns, to close any apps that are not in use and uninstall those that are no longer needed, to keep the mobile device regularly updated, not to install unverified apps from unofficial stores, and to check all the permissions that mobile apps request at installation.