A JavaScript file secretly loaded without your knowledge on a site, or app you load on your mobile device, can access data from various sensors and collect information needed to guess the passwords or PIN a user is entering on his device.
This novel attack technique was discovered and explored by a team of scientists from the University of Newcastle in the UK, who say the script can collect data from around 25 sensors, which together, allow an attacker to infer what the user types on his device.
Not all sensors are restricted by OS permissions
The attack is successful because mobile operating systems do not restrict applications, such as browsers, from accessing all these sensors.
The current built-in permissions model asks users to grant an app access to sensors such as GPS, camera, or microphone, but not to data from the phone’s accelerometer, gyroscope, proximity, NFC, and rotation sensors.
Due to lowering costs, these sensors are now becoming a common feature in modern smartphones, but mobile operating systems are lagging behind.
Attack relies on malicious JavaScript code
The four-man research team wrote a JavaScript file called PINlogger.js which accesses these ungoverned sensors and logs sensor usage data.
If the user allows the browser or a tainted app to run in the background of his phone, while using another app, the PINlogger.js script will continue to collect sensor data. If at any point the user enters PINs or passwords, PINlogger.js records the data and sends it to an attacker’s server.
The more sensors the phone is equipped with, the more data the attacker has at his disposal to deduce what the user has typed.
“It’s a bit like doing a jigsaw – the more pieces you put together the easier it is to see the picture,” says Dr. Siamak Shahandashti, a Senior Research Associate in the School of Computing Science and one of the researchers that worked on the study.
Attackers can guess PINs with a high degree of accuracy
Just by listening to motion and orientation sensor streams, which do not require special permissions to access, researchers said that an artificial neural network they’ve trained was able to crack four-digit numerical PINs on the first try with a 74% accuracy based on the data logged from 50 user devices.
The accuracy grew to 86% and 94% when the neural network was allowed a second and third try, respectively. Further, the algorithm coould also be adapted to handle full alpha-numerical characters.
According to researchers, the entire point of their research was to raise awareness to the vast number of smartphone sensors which applications can access, and for which mobile OS vendors haven’t yet included in their standard permissions model.
Some browser vendors have implemented fixes
The research team has also filed bug reports with several browser vendors. Following the team’s reports, starting with Firefox 46 (April 2016), Mozilla has restricted JavaScript access to motion and orientation sensors to only top-level documents and same-origin iframes.
Similarly, starting with iOS 9.3 (March 2016), Apple implemented a similar restriction for Safari. The issue remains unresolved in Chrome.
In the future, researchers would like to see mitigations solutions at the OS level, rather than applications.
The full research paper was published today in the International Journal of Information Security, and is entitled “Stealing PINs via mobile sensors: actual risk versus user perception.” At the top of this article there is a video of PINlogger.js collecting sensor data from an iOS device.
Source:https://www.bleepingcomputer.com/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.