Smartphone security PINs, patterns, and the like being potentially compromised by sensors is not an entirely new concept, but the same team of researchers that conducted an earlier study about the user perception of such risks has published a white paper detailing a browser exploit they developed called PINLogger. The Javascript-based exploit is able to run surreptitiously in most mobile browsers, and achieve a shocking 99% PIN guessing accuracy rate by the time the same user is recorded inputting their PIN a 5th time, on average. As a bonus, the white paper provides some more information on user perception and actual security risk, as well as explaining how PINLogger and potential exploits of its type work.
PINLogger is what’s called a drive-by exploit. It installs and starts acting in the background without a user’s knowledge, and leaves little enough trace of itself that all but the most astute users won’t notice it at all, and even that crowd is highly unlikely to notice anything amiss in normal day to day usage. The exploit makes use of a smartphone’s different sensors, particularly those tied to motion. The exploit’s backend is actually based on a machine learning model trained by study participants. They were given random 4-digit PIN codes to enter into a loaded Nexus 5 being used as a test device, and with researchers’ help, the program “learned” how to properly extrapolate such data. Even on the first try, the exploit, when running at full steam with access to all the sensors it needs, can hit up to 74% accuracy. Since the exploit can run as long as the host browser is left in memory, anybody who has a phone with a decent amount of RAM and isn’t a habitual task closer could potentially be at risk, if such an exploit made its way into the wild.
In the paper, they also go over their test demographic to show that while it may be small, it is somewhat wide, and a decent representation of smartphone users on the whole. In general, as shown before, there are plenty of risky smartphone sensors that some users are barely aware of, let alone aware of the risks of. The central sensor hub in a device was the most misunderstood, with only 2% of users saying they knew how it worked, while less than half of participants were even aware of its existence. Between research like this and other unique exploits, it’s becoming increasingly clear that the state of security in consumer smart devices does not begin and end with traditional hacks and exploits.
