Researchers at the University of Cambridge have warned that smartphone users’ personal identification numbers (PINs) can be disclosed by the devices’ camera and microphone.

As part of the research, the team carried out tests on the Google Nexus-S and the Galaxy S3 smartphones and used a programme dubbed PIN Skimmer to detect the codes typed on a number-only soft keypad.

University of Cambridge professors and report authors Ross Anderson and Laurent Simon said that recording video from the front camera during PIN input makes it possible to retrieve the frames that correspond to touch events.

"Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users," both said.

"We hope to raise awareness of side channel attacks on smartphones even when strong isolation is used to secure sensitive input."

According to the researchers, the software watches the user’s face through the camera and listens for clicks via the microphone as the user types.

The researchers revealed that the microphone makes it possible to detect ‘touch events’ as the device user inputs their PIN, because it can effectively hear the clicks made by the phone as the user presses the virtual number keys.

The mobile application gathers the orientation patterns of users’ touch events and correlates them with PINs entered in a sensitive application.

During the research, the team was able to work out four-digit PINs over 50% of the time after five attempts, and attained a 60% success rate with eight-digit PINs following 10 attempts.