Studies have shown that hackers can guess a user's password from the way the phone tilts while the user enters it.
A team of computer scientists at Newcastle University has developed a way to guess the password of a user's mobile phone from the information collected by the smartphone's built-in gyroscope. The probability of guessing the password on the first try is as high as 70%, and after five attempts the hit rate is 100%.
The theoretical hack exploits a vulnerability in how smartphones share data with mobile browser apps and the websites they load. When a website wants to use sensitive information such as geographic location, a pop-up window asks the user for authorization. Once the user grants it, the website can read any information the user has authorized. Malicious websites can also obtain seemingly innocuous information, such as the orientation of a handheld device, without the user's knowledge.
Professor Maryam Mehrnezhad, Research Fellow at Newcastle University's School of Computer Science, said: "Most smartphones, tablets and other wearable devices are now equipped with a large number of sensing devices, from the familiar GPS navigation systems, cameras and microphones, to gyroscopes, rotation sensors and accelerometers."
"But since most applications and websites on mobile devices do not require user authorization to obtain private information, malicious programs can access data from various sensing devices and use this data to discover sensitive information about users, such as phone call duration, activity, even various passwords," Mehrnezhad explained.
At present, websites must ask for user authorization before using functions such as geographic location, the camera and the microphone, because this information is considered sensitive. Data such as the tilt angle of the mobile phone and the size of its screen are generally not considered sensitive, and are shared with all websites and apps that send sharing requests.
But mobile phone users shouldn't worry too much about hackers using this technique to break into their devices, the research team members said, because the attack method has technical barriers that limit its use in everyday life.
To achieve the aforementioned 70% accuracy, hackers need to "train" the system extensively, that is, provide it with enough user behavior data. Even to guess a simple 4-digit password, the researchers required the mobile phone user to enter 50 sets of known passwords, five times for each set, so that the system could learn the user's habit of shaking the phone and improve the accuracy of guessing the password to 50%. 70%.
Because the industry uses the built-in sensor devices in mobile phones in different ways, it is difficult for manufacturers to provide corresponding countermeasures even though the research exposes security vulnerabilities.
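
An added example, not part of the original article or of the Newcastle team's work: a site owner can audit which scripts on a sensitive page (for example a PIN entry form) subscribe to the motion and orientation events that are shared without an authorization prompt. The name installSensorListenerAudit and the EventTarget standing in for the browser window are assumptions made for this illustration.

```javascript
// Added example (not from the study): audit which scripts subscribe to
// motion/orientation events, which are delivered without a permission prompt.
const SENSOR_EVENTS = new Set([
  'devicemotion',
  'deviceorientation',
  'deviceorientationabsolute',
]);

// Wraps target.addEventListener. Returns the live array of audit records.
// With { block: true } the sensor listener is recorded but never attached.
function installSensorListenerAudit(target, { block = false } = {}) {
  const records = [];
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    if (SENSOR_EVENTS.has(type)) {
      // Stack line 2 is the caller of addEventListener: it names the script
      // (first-party or embedded third-party) that asked for sensor data.
      const frames = (new Error().stack || '').split('\n');
      records.push({ type, caller: (frames[2] || '').trim(), blocked: block });
      if (block) return undefined;
    }
    return original.call(this, type, listener, options);
  };
  return records;
}

// Constructed demo: a plain EventTarget stands in for `window`.
function demo() {
  const fakeWindow = new EventTarget();
  const records = installSensorListenerAudit(fakeWindow, { block: true });
  let delivered = 0;
  fakeWindow.addEventListener('deviceorientation', () => { delivered += 1; });
  fakeWindow.addEventListener('click', () => { delivered += 10; });
  fakeWindow.dispatchEvent(new Event('deviceorientation')); // blocked
  fakeWindow.dispatchEvent(new Event('click'));             // unaffected
  return { records, delivered };
}
```

Handlers assigned through properties such as window.ondevicemotion do not pass through addEventListener, so this wrapper is an audit aid for a page's own and embedded scripts rather than a complete control, and it must be installed before those scripts run.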