PINs and passwords can be stolen just by watching the way a phone tilts, scientists find

Malicious apps can take the simple movement and work out how to access people's most private details

Andrew Griffin
Tuesday 11 April 2017 00:05 BST
Comments
An American soldier takes a selfie at the U.S. army base in Qayyara, south of Mosul October 25, 2016
An American soldier takes a selfie at the U.S. army base in Qayyara, south of Mosul October 25, 2016 (Reuters)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

People's passwords could be exposed with just a tilt of their phone, according to a new study.

Research from Newcastle University shows that PINs and passwords can be found just by watching how a phone moves when it is being held. And they warn that same information could be used by malicious websites and apps, to gain access to the most personal parts of people's lives.

In the study, researchers were able to guess a password just by watching the movement of a device. They had 70 per cent accuracy on the first guess, and 100 per cent by the fifth.

And there appears to be no easy way of solving the issue, which could compromise the smartphones and tablets that contain much of our personal lives.

Lead author Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, rotation sensors and accelerometer.

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."

The sensors needed are in most phones. But there is no uniform way of managing them, and so no easy way to solve them, according to the findings in the International Journal of Information Security.

Dr Mehrnezhad said: "More worryingly on some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding.

"So people were far more concerned about the camera and GPS than they were about the silent sensors."

All of the major browser providers, like Google and Apple, have been informed of the problem, the researchers said. But none has been able to come up with a way of keeping passwords secure.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in