
Summary:

Researchers at the University of Cambridge have demonstrated an attack that can reveal the PIN codes for sensitive apps, such as those for banking, by tapping into the device’s microphone and camera.

[Image: Front-facing camera]

Correction: This article originally said the user’s eyes were what gave away the code, but it is in fact the orientation inferred from captured images that does so.

Researchers at the University of Cambridge have come up with an ingenious way of revealing the PIN codes for sensitive applications running on smartphones – listening for the sound of virtual buttons being pressed, and watching the user’s face as he or she types in their code.

Smartphone security has come quite a long way in recent years. Look at Samsung’s enterprise-friendly Knox system, for example. Knox, which is available for phones such as the Galaxy S4, uses an ARM technology called TrustZone that effectively involves two operating systems – one for normal apps and one for sensitive apps, such as those for banking. The idea is to keep sensitive apps safe from the nastiness that might come with some dodgy app downloaded to the standard OS.

The problem is, those separate OSs share a lot of sensors, including the camera and microphone. Here’s your attack vector – or rather, as the number of sensors in a typical handset continues to increase, a bunch of them.

Previous research has already demonstrated that a handset’s accelerometer and gyroscope can be used to infer what is being typed on it – a so-called “side channel” attack. Now, in a paper published on Thursday by Ross Anderson and Laurent Simon of the University of Cambridge, we learn that the camera and microphone also provide potential ways in for ne’er-do-wells, assuming they’ve managed to get their malicious app onto the device beforehand.

Here’s how the authors explained the attack (PDF), which they have implemented in a mocked-up system called PIN Skimmer:

“By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users.”

[Image: Smartphone attack]

How successful is PIN Skimmer? In a test set of 50 4-digit PINs, the app (which has a server-side component for image-processing, so as to avoid suspiciously running down the battery) correctly guessed more than 30 percent of PINs after a couple of attempts, and over half after 5 attempts. Obviously longer PINs help, but even with 8-digit codes, PIN Skimmer still worked out around 45 percent after 5 attempts.

This should be of concern to the developers of banking apps and the like, although there’s not a lot they can do about it. The Cambridge researchers suggested that OS designers implement a whitelist for sensors rather than leaving them all active all the time – this would mitigate the risk by denying access to all shared hardware resources “except those explicitly allowed,” though I’d imagine it would conflict with recent features introduced to smartphones, such as always-on microphones.

Another option, of course, is to stop using PIN codes. Identity could instead be confirmed through the use of biometrics (although that introduces different risks), and the researchers also note that secondary devices such as smart watches could act as secure ID when brought together with the handset.

  1. Just present the PIN pad keyboard in random pattern. Problem solved.

    1. excellent.

    2. David and the researchers are idiots… Just randomize like you said… Sheesh

      1. Thank you for your polite comment. If you had read the paper (linked in story) you would have seen that the researchers noted but rejected the randomisation solution, writing that it would “cripple usability on phones”. I do recommend reading the paper. You’ll find that bit on page 10.

  2. ReadTheFinePrint Monday, November 11, 2013

    “Last but not least, we wish to thank Samsung for sponsoring this project.”

    Explains the call out for Knox as an example of TrustZone and the suggestion for smart watches bought with the phone as a way to protect against this malware…

    Or maybe use a phone OS that uses TrustZone in a way that doesn’t share access to sensors with the non-secure parts of the OS and which protects against malware that can hijack the camera and microphone.

  3. But one thing is confusing me: who will install the PIN SKIMMER??? I mean, how can my phone get unsecured with this software if I am not installing it??

    Sorry if this question sounds silly to you??

    Kabir
