Attacks can use open sensor data to guess your phone's PIN, 99 per cent of the time

A lack of permission requirements means that sensor data is open to any app that wants it

Smartphone PIN codes are, most people acknowledge, a necessary evil; they're an extra step to take before getting to your phone's key functions, but they also protect your data. Or do they?

According to research by a team at Nanyang Technological University (NTU) in Singapore, hackers can use "easily accessible" information from a phone's sensors to determine a PIN code, and the method is successful more than 99 per cent of the time.

The team used a combination of data gathered from six different sensors, such as the accelerometer and gyroscope, with machine-learning and deep-learning algorithms. They were able to unlock Android phones (using one of the 50 most common PINs) within just three tries, with 99.5 per cent accuracy.

Before NTU's work, the previous best record was 74 per cent accuracy. This new technique, says the team, can be used to guess all 10,000 possible combinations of four-digit PINs.

The work is based on data gathered by the sensors, such as the light blocked by a finger when it is over the screen and which way the phone has been tilted. The researchers use that information to model which digits make up the passcode.

"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different," said team leader Dr Shivam Bhasin. "Likewise, pressing 1 with your right thumb will block more light than if you pressed 9."

Using these sensors requires no permissions to be given by the phone user; they are openly available for all apps to access. The team built a custom app and installed it on the phones to collect the data that they needed.

Professor Gan Chee Lip, director of the Temasek Laboratories at NTU, said: "This has significant privacy implications that both individuals and enterprises should pay urgent attention to."

The classification algorithm uses deep learning to increase success rates. While a malicious app using the same approach might not be able to correctly guess a PIN immediately after being installed, over time it would gather enough data to enable an attack.

Bhasin said that, in future, mobile operating systems should restrict access to the sensors the team used. He added that using PIN codes with more than four digits, as well as other methods like biometrics or two-factor authentication, would increase security.