Researchers use smartphone camera to figure out PINs

Researchers have found a way to figure out
what personal identification number, or PIN, someone is
typing into their smartphone by using the device's
built-in cameras and microphones to secretly record them.
Smartphones are handling an increasing amount of
sensitive financial information, with banking and
payment apps and other features that turn phones into
full-featured mobile wallets. That makes mobile devices
a ripe target for cybercriminals.
In a paper published Thursday, security researchers at
the University of Cambridge detailed how they exploited
the smartphone's camera and microphone to detect
PINs and gave some suggestions for making this type of
hack more difficult.
This type of malware doesn't exist in the wild just yet.
The PIN Skimmer program was created by Cambridge's
Ross Anderson and Laurent Simon. The idea is to
identify potential security holes before they can be
exploited by criminals. In tests, the PIN Skimmer had a
30% success rate detecting four-digit PINs after
monitoring a few attempts, and that number went up
after it grabbed information over five tries.
First, the microphone detects that a person is entering a
PIN. On many apps, the device will vibrate each time a
number is tapped. That vibration creates a sound that is
picked up by the microphone, which lets the malware
know that a "touch event" is happening -- in this case it
is the entering of a secret PIN.
Then the camera takes over. The camera isn't looking
for reflections in your eyes or triangulating what
numbers you're looking at while typing in the code. The
researchers use the camera to detect the orientation of
the phone and determine where the user's finger is on
the screen. On-screen keypads typically display numbers
in a standard order, so if the program can tell where a
finger is tapping on the screen based on how the person
is holding it, it can deduce what number is there. In
their example, researchers assume people are holding
their phones with one hand and typing in numbers with
their thumb.
The malware captures some photos and a few seconds
of video and uploads them to a remote server, evading
detection by hiding any data usage charges, possibly by
waiting for the phone to have a WiFi connection.
Depending on the phone, it could take some additional
precautions like disabling any LED light that would let a
person know their smartphone camera was recording.
The researchers tested the program on the Galaxy S3
and Google Nexus Android phones.
In the past, security researchers have warned that
criminals could use other phone sensors like the
accelerometer and gyroscope to puzzle out what
someone is typing. The paper sug
