No matter how secure your smartphone is, its motion sensors could still be one of the weakest links hackers can exploit to access confidential information stored on your device.
A team of cyber experts from the UK's Newcastle University has demonstrated how malicious websites and installed apps can easily spy on you, allowing hackers to decipher PINs and passwords from the way you tilt your phone to type in information.
As part of the research, the team used a JavaScript-based exploit to reveal user PINs on an Android mobile phone. Whenever a user visits a website controlled by an attacker, the exploit embedded in the web page starts tracking the motion sensors without the user's consent. By analysing these sensors, the exploit then infers the user's PIN using an artificial neural network.
According to the researchers, tracking the motion sensors as we type in information can help hackers steal four-digit PINs with 70 percent accuracy on the first guess, and 100 percent by the fifth guess.
Current smartphones are said to have up to 25 different sensors, but most users are unaware of the majority of them. Although leading smartphone companies know that the problem exists, no one has been able to find a solution so far, the researchers said.
The findings were published in the International Journal of Information Security on Tuesday.
Here is what Dr Maryam Mehrnezhad, the lead author of the study, had to say:
"Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.
"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.
"More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.
"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.
"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors."
The researchers said that they had informed major tech companies about the vulnerability. While Apple and Firefox have already fixed the loophole, Google said it is still looking into the matter.
The researchers have now expanded their study to include personal fitness trackers, as wearable devices are also linked to users' online profiles and can be compromised by hackers to steal data.
"While the users are benefiting from richer and more personalized apps which are using these sensors for different applications such as fitness, gaming, and even security applications such as authentication, the growing number of sensors introduces new security and privacy risks to end users, and makes the task of sensor management more complex," the researchers said.