Sensing Steps, And Perhaps Your PIN
Accelerometers and motion sensors in your smartphone allow it to do some pretty neat things, like count your steps for the day, or control a game just by tilting the phone. But writing this week in the International Journal of Information Security, researchers explain that under the right conditions those sensors could be a security threat. While phone operating systems generally require users to give permission for apps to access sensors such as the phone’s cameras and microphones, the accelerometer readings aren’t as protected. That means that a crafty app, or even a web page left open, could be able to monitor the phone’s position—and in doing so, could gather enough information about where you’re pressing on the screen to get clues to your PIN or other access codes. Maryam Mehrnezhad, one of the authors of the report and a Research Fellow in Computing Science at Newcastle University in the UK, joins Ira to talk about the research and how you might be able to better protect your private information.
Maryam Mehrnezhad is a research fellow in the School of Computing Science at Newcastle University in Newcastle Upon Tyne, UK.
IRA FLATOW: Now it’s time to play Good Thing, Bad Thing.
Because every story has a flipside, modern smart phones come with a whole suite of sensors. They can count your steps. They can know when you’re tilting your screen. But those sensors come with a down side. Writing this week in the International Journal of Information Security, researchers explain that under the right conditions, these sensors could be a security threat. Joining me now to talk about it is one of the authors of that paper. Maryam Mehrnezhad is a research fellow in computing science at Newcastle University in Newcastle upon Tyne in the UK. Welcome to Science Friday.
MARYAM MEHRNEZHAD: No problem. Thanks for having me.
IRA FLATOW: You’re welcome. You made a demonstration program that can monitor the accelerometers on an Android phone?
MARYAM MEHRNEZHAD: Yeah, well, basically, it’s not only on Android phone. It could be on any mobile phone because it’s where the web browser so as long as you open any web browser on any devices, it could– the program can work.
IRA FLATOW: So you say you have your phone open. You have it– you have the web browser on it, and you’re moving your finger around on the screen, and the program can detect where your finger is going?
MARYAM MEHRNEZHAD: Yeah, basically, from– the sensor measurements coming from motion and orientation. We have developed a program here which can identify if you have been scrolling down, up, right, or left, if you’ve been zooming in and out, or even if you have entered a PIN, for example.
IRA FLATOW: Wow. Could it know where on the screen you press to know what PIN number you were putting in?
MARYAM MEHRNEZHAD: Yes, that basically works based on the way that you hold your phone and those various slide changes when you press a digit.
IRA FLATOW: So did you try to figure out what the likelihood of someone using is to crack a phone might be?
MARYAM MEHRNEZHAD: Well, basically, as I explained, if the code is already loaded in the web page that you open and we can use machine learning algorithms and then we can– base on processing and analyzing the essential data, we can output the PIN that you have pressed on the phone.
IRA FLATOW: Now, how accurate is that?
MARYAM MEHRNEZHAD: With the algorithms that we have, it could be over 70% accurate in the first try. And it goes up to 100% in the fifth try.
IRA FLATOW: Wow. So if your phone has a lockout, let’s say, after 10 tries, then chances are if you get up to the fifth try, you could get in there before getting locked out?
MARYAM MEHRNEZHAD: Yeah, well, basically, the sensors can provide us– or the hackers read much more than people would think.
IRA FLATOW: Wow, so tell me, what do you mean “much more?” How much more?
MARYAM MEHRNEZHAD: Because these sensors are very accurate so they can figure out very slight changes that happen under the device, so it could reveal a lot of information about the users as we proved, PIN, touch actions, and all sorts. People know about all of these fitness trackers. If you are sitting, walking, running, and all of those other physical activities.
IRA FLATOW: So I guess the point is if you can do it, then the hackers can do it.
MARYAM MEHRNEZHAD: Well, I think so.
IRA FLATOW: And people notice when the phone asks for permission to access the camera or the address book. So is the answer here just to make it ask for permission to access the sensors, too?
MARYAM MEHRNEZHAD: Well, that could be the simplest thing that comes to our mind, but the thing that we have listed over 25 different sensors on the current smart phones. It could be very unusable for the users to get notifications for each single user every time that they open a web application or when they install an app. So it’s a battle between security and usability, really.
IRA FLATOW: Once again. So what is there to do, Dr. Mehrnezhad? What should people do to better protect their security?
MARYAM MEHRNEZHAD: Well, at the moment, we are working with the industry to figure out what we can do to provide in the platform side, but people always can improve their security and privacy via the general security advice that we have for them. For example, they can make sure that they change their PINs and passwords regularly. And if you don’t need any app or browser window, don’t leave it open in the background and just close it. And you can also uninstall the apps that you no longer need. Also keeping up with your operating system would help all the time and installing applications from approved app stores would help as well.
IRA FLATOW: Maryam Mehrnezhad is a research fellow in computing science at Newcastle University, Newcastle upon Tyne, UK. Thanks for being with us.