Working a Smartphone Against Itself

Monday, November 18, 2013 @ 06:11 PM gHale

A new program called PIN Skimmer allows its creators to correctly guess a high proportion of the passwords using the smartphone’s camera and microphone.

When selecting from a test set of 50 4-digit PINs, PIN Skimmer correctly infers more than 30 percent of PINs after 2 attempts, and more than 50 percent of PINs after 5 attempts on android-powered Nexus S and Galaxy S3 phones, according to its University of Cambridge creators. When selecting from a set of 200 8-digit PINs, PIN Skimmer correctly infers about 45 percent of the PINs after 5 attempts and 60 percent after 10 attempts.

BlackBerry Fixes Vulnerabilities
Android Fixes Third ‘MasterKey’ Bug
BlackBerry Patches Smartphones, Tablets
Users Don’t Secure Android Devices

The team discovered PIN Skimmer could identify PIN codes entered on number-only softpads by using the camera on the device to monitor the user’s eye movements as they enter their code, the researchers said. Also, the microphone could work to detect “touch events” like the clicking sound made as the user enters their PIN on the touch screen.

The team wrote a paper in order to raise awareness of side-channel attacks on smartphones. They took the approach the device had already been infected with malware that was then attempting to learn the PIN.

The university team then set out to see how effective an attack could be and, also, how PIN length may affect the likelihood the code could end up correctly guessed.

Mimicking a typical piece of malware, stealth was a key feature in the design.

The researchers ran image processing algorithms remotely to minimize battery drain, something that could alert the user that an unauthorized program was running.

An API exposed by the Android operating system was able to disable the LED that switches on in some handsets when the camera is in use.

Photos and video taken by PIN Skimmer ended up saved to the phone but the file sizes were limited to 2.5MB to reduce detection. A real piece of malware could likely hide such files from view completely. Likewise, the research team said they could hide from the user the sending of data back to the remote server.

Additional network charges is another problem connected with transmitting data. Many smartphone users are on tariffs that charge them additional fees should they use more than a pre-determined amount of data within any monthly period. To that end the report suggested that a real-life Trojan would probably report back to its control center only when it detected a free WiFi connection within range.

The researchers discovered, contrary to what you may think, longer PINs were actually easier to crack than shorter ones. This unexpected result was because longer PINs actually gave the program more information to work with which increased its accuracy.

“Our work shows it’s not enough for your electronic wallet software to grab hold of the screen, the accelerometers and the gyro; you’d better lock down the video camera, and the still camera too while you’re at it,” said Professor Ross Anderson, a co-author of the report.

As for mitigating the risks posed by such an attack, Anderson suggested questions as to which resources should remain accessible during PIN entry, though he did note how disabling some functions, like the speakers, could cause extreme problems to the usability of the device.

For instance when a call comes in, the user needs to hear the ring tone while unlocking his phone; otherwise he may assume the caller has hung up.

Instead, he said that whitelists may be the answer – denying use of all resources during PIN entry, unless explicitly authorized.

Leave a Reply

You must be logged in to post a comment.