Researchers have demonstrated that a malicious website or app could work out smartphone users’ PINs or passwords based just on the data collected by various motion sensors on modern mobile devices.
Motion sensor data is up for grabs
“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer,” Dr Maryam Mehrnezhad, a Research Fellow in the School of Computing Science at Newcastle University, explained.
“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.”
The same attack can be mounted through a malicious app.
Designing a mechanism for secure and usable sensor data management is a problem that remains to be solved.
“After many years of research on showing the serious security risks of sensors such as accelerometer and gyroscope, none of the major mobile platforms have revised their in-app access policy,” the researchers noted.
“However, we believe the implemented countermeasures should only serve as a temporary fix rather than the ultimate solution. In particular, we are concerned that it has the drawback of prohibiting potentially useful web applications in the future. For example, a web page running a fitness program has a legitimate reason to access the motion sensors even when the web page view is hidden. However, this is no longer possible in the new versions of Firefox and Safari. Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved.”
They believe a combination of approaches will ultimately do the trick.