Security experts from the Newcastle University, UK, revealed that the motion sensors built into modern smartphones can make PIN locks virtually useless, as malicious hackers could guess them in up to five tries, at most.
Avoid Using PINs, If Possible
Four- and even six-digit PINs are already trivial to brute-force with GPU-powered password cracking tools. This is why both Apple and Google have limited how many times you can input a PIN to unlock your phone in a given amount of time before you can try again.
The weakness of PINs--and the protection mechanism that Apple has employed in iOS because of it--was also at the core of FBI’s fight against Apple in the San Bernardino case. The law enforcement agency wanted to force Apple to remove those protections so it could easily brute-force the PIN protecting that iPhone’s encrypted storage.
However, according to researchers, the attack they discovered could mean that even that protection mechanism may not be enough anymore. Using the new technique, a malicious actor could guess anyone’s PIN 70% of the time with a single try, or 100% of the time in up to five tries.
If Apple or Google tried to reduce the number of attempts below five, using a PIN may become too cumbersome for smartphone owners, especially if they tend to forget it often. At that point, the companies may have to simply remove the PIN option from their device authentication options and leave only the more secure options in place.
How The Sensor-Based PIN Attack Works
Modern smartphones have plenty of sensors in them such as accelerometers, gyroscopes, barometers, rotation and proximity sensors, and so on. These sensors can be used in gaming as well as fitness applications, so they are quite useful to have in a device that everyone carries with them. However, as the Newcastle University researchers learned, they can also pose security problems unless proper protections are used to prevent abuse.
One of the problems the researchers identified is that only a small number of sensors, such as the GPS and camera sensors, require user permission. The rest can be activated without any action from the user.
This may be a design choice on Google and Apple’s part, because according to the Newcastle researchers, most smartphone users are only aware of the risks that may come from GPS tracking or the camera being remotely activated.
The PIN identification attack works because every touch action on a smartphone, including clicking, scrolling, holding, and tapping, creates a unique orientation and motion trace. An attacker who can gain remote access to that sort of information from the device could also create a profile for the PIN that a user enters on the device.
Alerting OS Vendors
The team of researchers from the Newcastle University alerted Google and Apple about these issues, but it doesn’t look like there will be a quick fix for this, because, as always, there’s a trade-off between security and usability. Requiring permission for every touch on the device is obviously impractical, but perhaps the two companies can find some other ways to further secure your actions from potential attackers.
Dr Maryam Mehrnezhad, who led the research on this issue, had a few tips you can follow if you decide to stick to a PIN on your smartphone:
- Make sure you change PINs and passwords regularly so malicious websites can’t start to recognise a pattern.
- Close background apps when you are not using them and uninstall apps you no longer need
- Keep your phone operating system and apps up to date
- Only install applications from approved app stores
- Audit the permissions that apps have on your phone
- Scrutinise the permission requested by apps before you install them and choose alternatives with more sensible permissions if needed
If all of those suggestions seem like more trouble than they’re worth, you’re probably right. It may be best to stick to using stronger alternatives than PINs such as passwords, or fingerprint authentication, and forget about using PINs for anything.