Researchers at Newcastle University in the UK analyzed the movement of a smartphone while the keyboard is being used. They were able to crack passwords with 70% accuracy on the first guess, and 100% on the fifth attempt, using only the data collected via the smartphone's numerous internal sensors.
The study acknowledges that people are unaware of the risks and that most users have no idea what the sensors on a smartphone actually do. Smartphones and tablets are equipped with a number of sensors such as the GPS, camera, and microphone, and lesser-known ones such as the gyroscope, compass, NFC, and accelerometer, among many others.
"But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords," said Dr. Maryam Mehrnezhad, a Research Fellow in the School of Computing Science and lead author on the paper.
The study notes that sensors have helped drive the boom in mobile gaming and health and fitness apps, which will include those in the Internet of Things (IoT). The researchers found that every user touch action, such as clicking, scrolling, holding, or tapping, induces a unique orientation and motion trace. This lets anyone snooping on the sensor data determine what part of the page the user was interacting with and what they were typing.
The team stated that they have alerted major browser providers like Google and Apple about the risks, but so far, reportedly no one has been able to come up with an answer.
For more details, download "Stealing PINs via Mobile Sensors: Actual Risk versus User Perception".