
Researchers develop a script that steals a PIN code through a smartphone browser


Different input methods affect the angles of inclination, but the neural network recognizes the PIN code anyway after the data is collected by the script

As you know, any smartphone has a multitude of sensors installed (GPS, light, orientation, motion; about 20 sensors), and all of them continuously provide data so that the smartphone can interact with the surrounding physical world. Developers have several ways to access information from these sensors, including through a mobile browser, using the official JavaScript API.

This access opens up a wide field of possibilities for remote attacks. For example, specialists from the School of Computer Science at the University of Newcastle developed the PINlogger.js script, with which a browser can be used to determine which buttons a user presses on the on-screen keyboard. The script reads information from the mobile device's tilt sensors with each press. Surprisingly, in some browsers (Safari), a script launched in the browser continues to collect data even from the locked screen. It works the same way if you type a password for online banking in an adjacent tab without closing the previous tab.

This method is suitable for stealing a PIN code both through a malicious website carrying the script and from any mobile application that has access to sensor information. The recognition accuracy for PINs is quite high. A four-digit PIN is recognized on the first attempt with a probability of 70%, on the second with 86%, on the third with 94%, and on the fifth attempt with a probability of 98% for different users or 99% for one user.

Attack vectors from neighboring tabs (b) work only in Chrome and Dolphin under iOS, and the attack from frame (a) works in all popular browsers, including Safari, Chrome, Firefox, Opera and Dolphin

For the practical demonstration of the attack, a special interface was developed for entering four-digit PIN codes. The client part sent readings from the orientation and motion sensors to the server. The server part was implemented in Node.js, and the sensor readings were stored in a MongoLab database.

In this demonstration, it was easy for the researchers to identify keystroke events using the onkeydown event. The authors of the paper note that a similar approach is used in other programs for collecting PIN codes from sensor information, such as TouchLogger and TapLogger. If clicks on a locked screen need to be detected, a more complicated scenario for segmenting the sensor data may be needed to isolate the relevant fragments. For example, this can be done by measuring the peak amplitudes of the signal and using additional sensors, as shown in previous scientific papers. The code for data entry is published on GitHub.

The database accumulates information about clicks and the sensor readings at the time of each click. Each of 10 volunteers entered 50 four-digit PIN codes five times (a total of 2488 correctly entered PIN codes). This dataset was then used to extract features and train the neural network (70% of the data was used for training, 15% for validation and 15% for testing).

Judging by the results of the comparative tests, PINlogger.js recognizes PIN codes from the motion sensor information much better than previous similar developments. In addition, this is the first system to steal PIN codes through a browser, and not through an application installed in a smartphone.



Researchers point out that most users do not realize the danger of personal data leaking through sensor readings. A user survey showed that most of them see a threat in the GPS or the camera, and not in what constitutes a more real threat: the internal motion, tilt and other sensors. The number 25 is not given randomly: it was the number of sensors that the researchers counted in a standard smartphone. The diagram below shows the survey results: in which of the 25 sensors users see the greatest threat.



Users are not only unaware of the threat. Many do not even understand what kind of information most of the 25 sensors collect. People had not even heard of some of the sensors.



The problem is that this information is not protected at the operating system level. It is easily accessible both to applications and to any site through the browser, without permission. Only a few sensors require explicit permission to provide information, including the camera and GPS. The rest provide information completely openly.

Using this open data, you can not only collect PIN codes and passwords, but also keep track of the user. Any site can determine when a person takes a call and hangs up,



... when a person is sitting, walking or running.



Again, all this information is available to any site and any application without any permission. Sites get it using standard JavaScript.

Security professionals and the largest players in the mobile industry are well aware of this security issue, but so far they have not come to a common opinion on how to solve it.
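For the embedded-frame vector, a page that takes PIN input can deny the motion features to every script and frame it loads, in browsers that enforce the `Permissions-Policy` header for `accelerometer`, `gyroscope` and `magnetometer` (an assumption; it does nothing against other tabs or installed applications). The added example below is not from the article or the paper; its function names and header values are constructed, and it audits a header value for that setting.

```javascript
// Added example: audit a Permissions-Policy header value for the
// motion/orientation features. Function names are hypothetical.
const SENSOR_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer'];

// Parse "feature=allowlist, ..." into a Map of feature -> allowlist tokens.
// Allowlist forms handled: (), *, self, (self "https://origin" ...).
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  // Split on commas that are outside parentheses and quoted strings.
  const directives = headerValue.match(/(?:[^,("]|\([^)]*\)|"[^"]*")+/g) || [];
  for (const directive of directives) {
    const eq = directive.indexOf('=');
    if (eq === -1) continue; // malformed directive: skip it
    const feature = directive.slice(0, eq).trim().toLowerCase();
    // Drop parameters such as ";report-to=..." and the enclosing parentheses.
    const raw = directive.slice(eq + 1).split(';')[0].trim()
      .replace(/^\(|\)$/g, '');
    const tokens = raw.split(/\s+/).filter(Boolean)
      .map((t) => t.replace(/"/g, ''));
    policy.set(feature, tokens); // later duplicates overwrite earlier ones
  }
  return policy;
}

// Classify each sensor feature:
//   'denied'  - empty allowlist: no document or frame gets the feature
//   'exposed' - allowlist names *, self or specific origins
//   'unset'   - directive missing, so the browser default applies
function auditSensorPolicy(headerValue) {
  const policy = parsePermissionsPolicy(headerValue || '');
  const report = {};
  for (const feature of SENSOR_FEATURES) {
    if (!policy.has(feature)) report[feature] = 'unset';
    else report[feature] = policy.get(feature).length === 0 ? 'denied' : 'exposed';
  }
  return report;
}

// True only when every motion feature is explicitly denied.
function sensorsFullyDenied(headerValue) {
  return Object.values(auditSensorPolicy(headerValue))
    .every((state) => state === 'denied');
}

// Constructed sample header values.
const WEAK = 'accelerometer=(), gyroscope=(self "https://ads.example"), magnetometer=*';
const STRICT = 'accelerometer=(), gyroscope=();report-to=default, magnetometer=()';
```

A header that only restricts `camera` and `geolocation` reports all three motion features as `unset`, which is the gap the survey in the article points at.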

The scientific work was published on April 7, 2017 in the International Journal of Information Security (doi:10.1007/s10207-017-0369-x), in the public domain.

Source: https://habr.com/ru/post/403109/

