Researchers have found a way to figure out what personal identification number, or PIN, someone is typing into their smartphone by using the device's built-in cameras and microphones to secretly record them.
Smartphones are handling an increasing amount of sensitive financial information, with banking and payment apps and other features that turn phones into full-featured mobile wallets. That makes mobile devices a ripe target for cybercriminals.
In a paper published Thursday, security researchers at the University of Cambridge detailed how they exploited the smartphone's camera and microphone to detect PINs and gave some suggestions for making this type of hack more difficult.
This type of malware doesn't exist in the wild just yet. The PIN Skimmer program was created by Cambridge's Ross Anderson and Laurent Simon. The idea is to identify potential security holes before they can be exploited by criminals. In tests, the PIN Skimmer had a 30% success rate detecting four-digit PINs after monitoring a few attempts, and that number went up after it grabbed information over five tries.
First, the microphone detects that a person is entering a PIN. On many apps, the device will vibrate each time a number is tapped. That vibration creates a sound that is picked up by the microphone, which lets the malware know that a "touch event" is happening; in this case, the touch event is the entry of a secret PIN.
Then the camera takes over. The camera isn't looking for reflections in your eyes or triangulating what numbers you're looking at while typing in the code. The researchers use the camera to detect the orientation of the phone and determine where the user's finger is on the screen. On-screen keypads typically display numbers in a standard order, so if the program can tell where a finger is tapping on the screen based on how the person is holding it, it can deduce what number is there. In their example, the researchers assume people are holding their phones with one hand and typing in numbers with their thumb.
The malware captures some photos and a few seconds of video and uploads them to a remote server. To avoid drawing attention through data usage charges, it could wait until the phone has a WiFi connection before uploading.
Depending on the phone, it could take some additional precautions, like disabling any LED light that would let a person know their smartphone camera was recording. The researchers tested the program on the Galaxy S3 and Google Nexus Android phones.
In the past, security researchers have warned that criminals could use other phone sensors, like the accelerometer and gyroscope, to puzzle out what someone is typing. The paper suggests that apps or electronic wallets like TrustZone take control of and disable all the available sensors when entering a secure mode. Another suggestion is to randomize where the numbers appear on the screen.
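The randomized-keypad suggestion works because the side channel described above only reveals where on the screen each tap lands, not which digit was drawn there. The following simulation is an added example, not code from the article or from the Cambridge paper: it models a constructed 4x3 keypad, an observer who knows only the tap positions and assumes the standard layout, and measures how often that observer recovers a random PIN with and without a layout shuffled by a CSPRNG. Cell indices, the layout model and the `recovery_rate` helper are assumptions made for the demonstration.

```python
"""Simulate the 'randomized keypad' mitigation: an observer who learns only
WHERE on the screen each tap lands recovers the PIN only when the
digit-to-position mapping is fixed and known."""
import secrets

# Constructed model: a 4x3 grid indexed 0..11 row-major. A standard keypad
# puts 1-9 in the first three rows and 0 in the middle of the bottom row.
STANDARD_LAYOUT = ["1", "2", "3",
                   "4", "5", "6",
                   "7", "8", "9",
                   None, "0", None]


def random_layout(randbelow=secrets.randbelow):
    """Return a keypad layout with the ten digits shuffled over the ten digit
    cells (blank cells stay blank). Fisher-Yates driven by a CSPRNG, so the
    mapping is unpredictable to an observer."""
    digits = list("0123456789")
    for i in range(len(digits) - 1, 0, -1):
        j = randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits[:9] + [None, digits[9], None]


def taps_for_pin(pin, layout):
    """Cell indices the user taps to enter `pin` on `layout` (the positions a
    camera-and-microphone side channel would observe)."""
    return [layout.index(d) for d in pin]


def infer_pin(taps, assumed_layout):
    """What a position-only observer concludes if it assumes `assumed_layout`."""
    return "".join(assumed_layout[c] or "?" for c in taps)


def recovery_rate(trials, pin_len=4, randomize=True):
    """Fraction of random PINs an observer assuming the standard layout
    recovers, with (randomize=True) or without the shuffled-keypad defense."""
    hits = 0
    for _ in range(trials):
        pin = "".join(str(secrets.randbelow(10)) for _ in range(pin_len))
        layout = random_layout() if randomize else STANDARD_LAYOUT
        if infer_pin(taps_for_pin(pin, layout), STANDARD_LAYOUT) == pin:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("fixed layout:   ", recovery_rate(1000, randomize=False))
    print("shuffled layout:", recovery_rate(1000, randomize=True))
```

With the fixed layout every PIN is recovered from tap positions alone; with a per-entry shuffle the observer is left guessing, which is the property a secure-mode keypad is after. Note that the shuffle must be drawn from a cryptographically secure source (hence `secrets`), since a predictable shuffle would restore the fixed mapping in practice.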
Link to source: http://edition.cnn.com