Nav: Home

Are your sensors spying on you?

April 10, 2017

Hackers are able to decipher PINs and passwords just from the way we tilt our phone when we are typing in the information.

Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analysing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70% accuracy on the first guess - 100% by the fifth guess - using just the data collected via the phone's numerous internal sensors.

Despite the threat, the research shows that people are unaware of the risks and most of us have little idea what the majority of the twenty five different sensors available on current smart phones do.

And while all the major players in the industry are aware of the problem, no-one has yet been able to find a solution.

Publishing their findings today in the International Journal of Information Security, the team are now looking at the additional risks posed by personal fitness trackers which are linked up to our online profiles and can potentially be used to interpret the slightest wrist movements as well as general physical activities such as sitting, walking, running, and different forms of commute.

Dr Maryam Mehrnezhad, a Research Fellow in the School of Computing Science and lead author on the paper, explains:

"Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

"More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors."

Access without permission

Sensors are now commonplace in smart devices and are largely responsible for the boom in mobile gaming and health and fitness apps, and soon in all devices in the Internet of Things (IoT).

The data provided by them combined with the growing computational ability of mobile phones and tablets has transformed the way we use them.

In total, the team identified 25 different sensors which now come as standard on most smart devices and are used to give different information about the device and its user. Only a small number of these - such as the camera and GPS - ask the user's permission to access the device.

The study found that each user touch action - clicking, scrolling, holding and tapping - induces a unique orientation and motion trace. So on a known webpage, the team were able to determine what part of the page the user was clicking on and what they were typing.

"It's a bit like doing a jigsaw - the more pieces you put together the easier it is to see the picture," explains Dr Siamak Shahandashti, a Senior Research Associate in the School of Computing Science and co-author on the study.

"Depending on how we type - whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe - the device will tilt in a certain way and it's quite easy to start to recognise tilt patterns associated with 'Touch Signatures' that we use regularly.

"So the internal sensors each provide a different bit of the jigsaw. Personal fitness trackers which you wear on your wrist and, by their very nature, are designed to track the movement of your hand and pass information to your online profile pose a whole new threat.

"Potentially, they are able to provide additional information which, when combined with this sensor data, will make it even easier to decipher personal information."

So are we able to protect ourselves?

The team has alerted all the major browser providers - including Google and Apple - of the risks but for the moment, says Dr Mehrnezhad, no-one has been able to come up with an answer.

"It's a battle between usability and security," she says.

"We all clamour for the latest phone with the latest features and better user experience but because there is no uniform way of managing sensors across the industry they pose a real threat to our personal security.

"One way would be to deny access to the browser altogether but we don't want to lose all the benefits associated with in-built motion sensors."

As the result of the research, some of the mobile browser vendors such as Mozilla, Firefox and Apple Safari have partially fixed the problem, but for an ultimate solution, the Newcastle team is still working with industry.

Dr Mehrnezhad, who together with her colleague and co-author Ehsan Toreini run the Cyber Security: Safety at Home, Online, In Life course, part of Newcastle University's series of MOOCs (Massive Open Online Courses), say there are some simple rules people should follow:
  • Make sure you change PINs and passwords regularly so malicious websites can't start to recognise a pattern.

  • Close background apps when you are not using them and uninstall apps you no longer need

  • Keep your phone operating system and apps up to date

  • Only install applications from approved app stores

  • Audit the permissions that apps have on your phone

  • Scrutinise the permission requested by apps before you install them and choose alternatives with more sensible permissions if needed

###More information on how to stay safe can be found here: https://www.futurelearn.com/courses/cyber-security/2/steps/160839

Newcastle University

Related Sensors Articles:

Sensors detect disease markers in breath
A small, thin square of an organic plastic that can detect disease markers in breath or toxins in a building's air could soon be the basis of portable, disposable sensor devices.
Are your sensors spying on you?
Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites and installed apps can spy on us using just the information from the motion sensors in our mobile phones.
A novel method for the fabrication of active-matrix 3-D pressure sensors
A new study, affiliated with South Korea's Ulsan National Institute of Science and Technology (UNIST), developed a transistor-type active-matrix pressure sensor using foldable substrate and air-dielectric layer.
For female mosquitoes, two sets of odor sensors are better than one
A team of Vanderbilt biologists has found that the malaria mosquito has a second complete set of odor receptors that are specially tuned to human scents.
Optimized sensors to study learning and memory
Scientists at Max Planck Florida Institute for Neuroscience are working to understand how molecules send messages throughout the neuron.
Pioneering chip extends sensors' battery life
A low-cost chip that enables batteries in sensors to last longer, in some cases by over ten times, has been developed by engineers from the University of Bristol.
New sensors can detect single protein molecules
For the first time, MIT engineers have designed sensors that can detect single protein molecules as they are secreted by cells.
Contracts signed for ELT mirrors and sensors
At a ceremony today at ESO's Headquarters four contracts were signed for major components of the Extremely Large Telescope (ELT) that ESO is building.
Pain sensors specialized for specific sensations
Many pain-sensing nerves in the body are thought to respond to all types of 'painful events', but new UCL research in mice reveals that in fact most are specialized to respond to specific types such as heat, cold or mechanical pain.
3-D-printed organ-on-a-chip with integrated sensors
Researchers have made the first entirely 3-D-printed organ-on-a-chip with integrated sensing.

Related Sensors Reading:

Best Science Podcasts 2019

We have hand picked the best science podcasts for 2019. Sit back and enjoy new science podcasts updated daily from your favorite science news services and scientists.
Now Playing: TED Radio Hour

Climate Crisis
There's no greater threat to humanity than climate change. What can we do to stop the worst consequences? This hour, TED speakers explore how we can save our planet and whether we can do it in time. Guests include climate activist Greta Thunberg, chemical engineer Jennifer Wilcox, research scientist Sean Davis, food innovator Bruce Friedrich, and psychologist Per Espen Stoknes.
Now Playing: Science for the People

#527 Honey I CRISPR'd the Kids
This week we're coming to you from Awesome Con in Washington, D.C. There, host Bethany Brookshire led a panel of three amazing guests to talk about the promise and perils of CRISPR, and what happens now that CRISPR babies have (maybe?) been born. Featuring science writer Tina Saey, molecular biologist Anne Simon, and bioethicist Alan Regenberg. A Nobel Prize winner argues banning CRISPR babies won’t work Geneticists push for a 5-year global ban on gene-edited babies A CRISPR spin-off causes unintended typos in DNA News of the first gene-edited babies ignited a firestorm The researcher who created CRISPR twins defends...