Researchers at the University of Pennsylvania say accelerometer data could reveal PIN and lock codes on smartphones. There doesn’t seem to be much danger of hackers using the technique reliably in the real world, but Dr Adam Aviv says the investigation does raise issues about security settings on many major smartphone systems.
Aviv and his team investigated the hypothesis that when you type in a PIN or use a swipe pattern code to unlock your phone, it creates enough movement to be recorded by an accelerometer.
Their study involved 24 users typing in codes multiple times, creating a total of 9,600 samples. The researchers then used a specially crafted piece of software to analyze the accelerometer data and try to spot a pattern corresponding to a PIN or unlock code.
Among samples where the user had been stationary, the software was able to correctly identify the unlock code in five guesses or fewer in 73 percent of cases with swipe patterns and 43 percent of cases with PIN codes. There’s a major limitation here though: the system “knew” that each test only used one of 50 different codes, as opposed to the 9999 different possibilities with a real code.
The accuracy dropped when the user had been walking while inputting the code. Here the system got the right answer inside five guesses 40 percent of the time with swipe patterns and 20 percent of cases with PIN codes.
Another big limitation is that these statistics reflect the system becoming more accurate the more times it looked at codes entered by a particular user. The researchers concede that the different force with which different users type or swipe could make it hard for the system to maintain this accuracy with a fresh target.
In practical terms there seems to be very little danger here, simply because anybody who is able to access your accelerometer data without physically accessing your phone won’t have much need for the unlock code. But Aviv argues that his findings raise questions about the way application access to accelerometer data isn’t always as tightly restricted as app access to data such as messages or location.
It’s not the first time researchers have tried to take such a physical approach to detecting unlock codes. A previous study suggested that it could be possible to photograph a phone screen and detect a swipe pattern because the places the user touched most often would reflect light slightly differently.