Your smartphone camera could steal your PIN, suggest researchers


posted Monday, November 11, 2013 at 8:30 PM EDT


It doesn't matter who you are, from the most tech-savvy person to the complete technophobe: pretty much everybody these days is at least aware of the importance of passwords, even if we don't always take them as seriously as we should. But did you know that your smartphone could be spying on you as you enter a PIN or password, using nothing more than its camera and microphone? That's the contention of security researchers at the University of Cambridge.

In a nutshell, their proof-of-concept is a malicious app that switches on the phone's front-facing camera and uses the video to track how the phone moves while the PIN is entered. Pressing a key near the edge of the screen rocks the phone slightly differently from pressing one near the centre, so if you can recover that motion from the camera you can estimate roughly where on the screen the user pressed. The microphone's job is timing: it picks up the sound of each tap, so the app knows exactly when a key was pressed and which slice of the motion data to look at for each digit. (There is no reason other inputs couldn't be folded in as well; earlier research had already shown similar key inference from the accelerometer and gyroscope, and those sensors would give higher-quality motion data than a camera.)

Malicious software on your phone could spy on you as you enter a PIN or password.

Once you know approximately where the user pressed each time, you may not get the PIN right on the first try, but the guessing problem shrinks from thousands of equally likely codes to a short ranked list of candidates. How much easier does that make it? The researchers say that, given a set of 200 4-digit PINs to guess, their proof-of-concept app, dubbed PIN Skimmer, recovered about one third of them within five attempts. It seems counterintuitive, but increasing the length of the PIN actually made PIN Skimmer's job easier, which the researchers attribute to the extra motion data a longer entry gives the app: with 8-digit PINs, more than 45% were guessed correctly within five attempts.
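To make the two ideas above concrete (segment the presses with the microphone, then turn each press's motion into a ranked list of PIN guesses), here is a toy simulation written for this article. It is not the PIN Skimmer code and does not reproduce the paper's classifier; the keypad geometry, the "press rocks the phone towards the key" motion model, the constructed audio envelope and all parameter values are assumptions made for the demo.

```python
"""Toy PIN-skimming pipeline (added illustration, not the researchers' code)."""
import math
import random
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed 3x4 PIN pad: key centre as (x, y), screen centre at (0, 0).
KEYPAD: Dict[str, Tuple[float, float]] = {
    "1": (-1.0, 1.0), "2": (0.0, 1.0), "3": (1.0, 1.0),
    "4": (-1.0, 0.33), "5": (0.0, 0.33), "6": (1.0, 0.33),
    "7": (-1.0, -0.33), "8": (0.0, -0.33), "9": (1.0, -0.33),
    "0": (0.0, -1.0),
}


def tilt_for_press(key: str, rng: random.Random, noise: float) -> Tuple[float, float]:
    """Assumed motion model: a press tilts the phone towards the key, plus Gaussian noise."""
    x, y = KEYPAD[key]
    return (x + rng.gauss(0.0, noise), y + rng.gauss(0.0, noise))


def detect_taps(envelope: Sequence[float], threshold: float, refractory: int) -> List[int]:
    """Microphone stage: find tap onsets in a loudness envelope.

    A sample above `threshold` starts an event; the next `refractory` samples
    are skipped so one click is not counted twice.
    """
    taps: List[int] = []
    i = 0
    while i < len(envelope):
        if envelope[i] > threshold:
            taps.append(i)
            i += refractory
        else:
            i += 1
    return taps


def key_posterior(tilt: Tuple[float, float], sigma: float) -> Dict[str, float]:
    """Motion stage: Gaussian likelihood of each key given the observed tilt, normalised."""
    scores = {
        k: math.exp(-((tilt[0] - x) ** 2 + (tilt[1] - y) ** 2) / (2 * sigma ** 2))
        for k, (x, y) in KEYPAD.items()
    }
    total = sum(scores.values())
    return {k: v / total for k, v in scores.items()}


def rank_pins(posteriors: List[Dict[str, float]], beam: int = 3) -> List[str]:
    """Guessing stage: enumerate PINs built from the top-`beam` keys per position,
    most likely joint candidate first."""
    per_pos = [sorted(p, key=p.get, reverse=True)[:beam] for p in posteriors]
    cands = []
    for combo in product(*per_pos):
        logp = sum(math.log(p[k]) for p, k in zip(posteriors, combo))
        cands.append((logp, "".join(combo)))
    cands.sort(reverse=True)
    return [pin for _, pin in cands]


def guesses_needed(true_pin: str, ranked: List[str]) -> Optional[int]:
    """1-based position of the real PIN in the guess list, or None if it was pruned."""
    return ranked.index(true_pin) + 1 if true_pin in ranked else None


def skim_pin(true_pin: str, rng: random.Random, noise: float = 0.2) -> Optional[int]:
    """End-to-end run on constructed sensor streams: one audio spike and one
    motion sample per press, background noise elsewhere."""
    gap = 20                                   # samples between presses (assumed)
    n = gap * (len(true_pin) + 1)
    envelope = [0.02 * rng.random() for _ in range(n)]          # mic background
    motion = [(0.0, 0.0)] * n                                   # no tilt between presses
    for i, key in enumerate(true_pin):
        t = gap * (i + 1)
        envelope[t] = 1.0                                       # the tap's click
        motion[t] = tilt_for_press(key, rng, noise)
    taps = detect_taps(envelope, threshold=0.5, refractory=gap // 2)
    posteriors = [key_posterior(motion[t], sigma=0.5) for t in taps]
    return guesses_needed(true_pin, rank_pins(posteriors))


def success_rate(length: int, trials: int, within: int, seed: int = 1, noise: float = 0.2) -> float:
    """Fraction of random PINs of `length` digits recovered within `within` guesses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice("0123456789") for _ in range(length))
        g = skim_pin(pin, rng, noise)
        if g is not None and g <= within:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("4-digit PINs within 5 guesses:", success_rate(4, 200, 5))
    print("8-digit PINs within 5 guesses:", success_rate(8, 200, 5))
```

Two things worth noticing when you run it. First, the microphone never "hears" the digit; it only tells the attacker when to read the motion channel, which is exactly why the two sensors are stronger together than apart. Second, this toy treats every press as independent, so longer PINs come out harder here; the paper's finding that 8-digit PINs were easier depends on effects this simple model does not include, so do not read the toy's numbers as a reproduction of the researchers' results.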

Counterintuitively, PIN Skimmer does a better job of guessing longer PINs.

Of course, there's no suggestion that the technique is being used in the wild, but it's cheap to defend against, so there is little reason not to. What can you do? Don't reuse the same PIN or password across devices and accounts, so that one skimmed code doesn't unlock everything. Be sparing about which apps you allow to use the camera and microphone, and turn off sensors and radios you aren't using (you'll save some battery as well). And it wouldn't hurt to cover the front-facing camera with a finger while you unlock anything where privacy matters.

You can get more details on the technique on the University of Cambridge's website, in the paper "PIN Skimmer: Inferring PINs Through The Camera and Microphone" by researchers Laurent Simon and Ross Anderson.

(via GigaOM; Smartphone image is a composite of iPhone image courtesy of Robert Anthony Provost and iOS7 image courtesy of Kārlis Dambrāns, both via Flickr and used under a Creative Commons CC By 2.0 license.)