By analysing the movement of a device as the keyboard was used, Cyber Experts at Newcastle University say they were able to reveal just how easy it is for malicious websites and apps to spy on users using the motion sensors in smartphones and tablets.
The team were able to identify 25 different sensors which are standard on most smart devices and could be used to give information about the user, and were able to crack four-digit Pins with 70% accuracy on the first guess and 100% by the fifth guess.
Apps and website do not need to ask users’ permission to access sensors, such as GPS, cameras and microphones, explained the lead author of the study, Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science.
This means malicious programs can “covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, Pins and passwords.” Dr Mehrnezhad continued.
They discovered that each touch action (clicking, scrolling, holding and tapping) created a unique orientation and motion trace; and if this was done on a known web page, a hacker would know what the user was clicking on and what they were typing. If this were to be done on an online banking website – passwords could be compromised.
The study went on to explain that despite the industry being aware of the problem, no solution has been found; partly because there is no uniform way of managing sensors across the industry.
In the study published this month in the International Journal of Information Security, the team also found that if one of the malicious apps or websites remains open in a tab, it can spy on the details you enter.
Dr Mehrnezhad pointed out that even when phones were locked – if the tab remained open it could still be collecting data.
The team will next be looking into the additional risks posed by personal fitness trackers that are linked to online user profiles.