At a restaurant, you pull out your phone to check email.
Without even thinking about it, you tap in a PIN to unlock your phone.
Your back’s to the wall and nobody can see what you’re typing, so
there’s no reason to worry that somebody could intercept your passcode.
Except, sadly, there is. Researchers at Syracuse University have demonstrated that attackers can guess PINs by analyzing video of people tapping on their smartphone screens, even when the screen itself isn't visible. The software that analyzes such video tracks the "spatio-temporal dynamics" of the hand: where the fingers are relative to the phone and how they move over time. Combined with the known geometry of the phone and its keypad, those movements are enough to estimate which keys were tapped. "It's like lip reading," says Vir Phoha, an engineering and computer science professor at Syracuse and co-author of a paper on the technique. "Based on hand movement and the known geometry of the phone, we can see which keys are pressed."
There don't appear to be any known instances of criminals stealing PINs this way, but technologists think it's only a matter of time. "We believe that it is very likely to be adopted by adversaries who seek to stealthily steal sensitive private information," Phoha and three other Syracuse researchers wrote in their paper, published last year by the Association for Computing Machinery. The technique is fairly simple for anybody familiar with programming, and the exploding use of smartphones provides many millions of targets.
On top of that, the increased use of phones for banking and managing other financial accounts makes PINs a lucrative prize for attackers. And the same video-analysis technique can be used to infer PINs punched into ATMs, smart locks on the front doors of homes, garage door openers and other devices requiring similar codes.
Used by the good guys, too
Publicizing such attack techniques through articles such as this one can obviously tip fraudsters to possible new methods of ripping people off. Security experts and some of their criminal foes already know about it, however, since the research has been published in technical journals. So Yahoo Finance decided it's appropriate to alert consumers to this new form of hacking. National security and law enforcement agencies could also use it to keep track of bad guys; DARPA, the Pentagon's technology skunk works, for instance, partly funded the Syracuse research.
The Syracuse experiments involved 50 volunteers typing PINs into HTC One smartphones, in a variety of settings and postures. For each volunteer, researchers shot four different videos. The recordings were made using two off-the-shelf devices: a Google Nexus 5 smartphone camera and a Sony camcorder. All the videos were shot from the side or back of the phone, from 12 to 15 feet away. None of the videos captured the phone screen or explicitly showed what users were typing.
Software filled in the gaps, however, with a combination of image analysis and motion tracking algorithms proving remarkably effective at "guessing" the PINs users typed in. On the first guess, the software determined the correct PIN between 40% and 62% of the time, depending on the quality of the video and the zoom ratio. The highest-quality video produced an 82% success rate within 5 guesses and 94% within 10 guesses. Using more than one video per phone raises the odds of success even further.
"We can do it in about 30 minutes once we capture the video," says Phoha. "We have almost 100% accuracy." (The original article's graph of these results, for video shot with the Nexus smartphone and the Sony camcorder at zoom levels of 2x, 4x and 6x, is not reproduced here.)
Attackers could shoot the necessary video without phone users ever noticing, especially in busy settings such as a bar, restaurant, bus, train, airport or shopping mall. Thieves have long nabbed people's credit card numbers or ATM PINs by "shoulder surfing" during a transaction, or even by looking on from a distance with binoculars or a camera with a zoom lens. So in a way, hacking via video, which can be done surreptitiously on a smartphone while the perpetrator appears to be harmlessly tapping on the screen, is nothing more than a new variation on an old theme.
There are still several additional steps an attacker would have to take to steal with a captured PIN. For starters, they'd have to get into separate bank or financial accounts. They might be able to do that by stealing the phone, unlocking it with the captured PIN and opening apps that aren't password protected because the user assumed the smartphone PIN was protection enough.
Attackers could also glean additional information about targeted individuals, like email addresses and account numbers, and use those to log into accounts. If acquaintances or work colleagues were the target, some of that information might already be available. Since criminals already hold partial information on millions of consumers, a smartphone PIN could be a crucial missing piece, especially if it doubles as a passcode for other accounts.
They'll eventually get lucky enough
The odds of any one person getting digitally robbed in this fashion are low, but attackers would probably get lucky often enough to make it worth the trouble, since a lot of people use the same PIN for multiple accounts and devices. On top of that, the same technique used to crack 4- to 7-digit smartphone PINs could be refined to decode longer passwords such as those often required for computer access.
There are limits to such image-analysis techniques. It's harder to infer PINs when people type them with two fingers rather than one, for example. The use of a full keyboard instead of a 10-key phone-style keypad makes it harder still, as does the use of capital letters and symbols that aren't on a 10-key pad. Fingerprint validation in lieu of a PIN largely sidesteps the problem, since the PIN is then typed far less often, though phones still fall back to the PIN (after a restart, for instance), the feature is available on only a small portion of smartphones at the moment, and not at all on ATMs and other gadgets requiring PINs.
As always, countermeasures would follow if unseen PIN hacking were to grow into a major problem. Smartphone makers could create keypads that appear in different locations on the screen every time, foiling pattern-recognition algorithms that rely on consistent spatio-temporal dynamics. Keypads that jumble the 10 numerals in a different random order during each use might also do the trick: the attack works precisely because the screen need not be visible, so an attacker who recovers the finger positions but not the layout still doesn't know which digits they correspond to. Such keypads could also drive users crazy, however, and encourage them to ditch the passcode because it's too much trouble.
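To make the guess-count figures above and the shuffled-keypad countermeasure concrete, here is an added example in Python; it is not code from the Syracuse researchers or from Yahoo Finance. It assumes the attacker's video analysis produces, for each tap, a probability over which key position was hit (the probabilities below are constructed by hand, not measured from video), and it ranks candidate PINs best-first so that "correct within 10 guesses" has a precise meaning. It then shows why a keypad whose digit order is shuffled with a cryptographically secure random number generator defeats the same observation: even perfect knowledge of the four key positions leaves 5,040 PINs consistent with what was seen.

```python
"""Added example (not the Syracuse researchers' code): ranked PIN guessing
from per-tap key estimates, and why a shuffled keypad defeats it.  The tap
probabilities below are constructed by hand to stand in for what a video
analysis would produce."""
import secrets
from itertools import permutations, product
from typing import Dict, List, Optional, Sequence

DIGITS = "0123456789"
# Standard phone keypad: key position 0..9 in reading order -> printed digit.
FIXED_LAYOUT: Dict[int, str] = dict(enumerate("1234567890"))


def shuffled_layout(rng: Optional[secrets.SystemRandom] = None) -> Dict[int, str]:
    """Keypad that shows the ten digits in a fresh random order each time,
    drawn from the OS CSPRNG so the order cannot be predicted."""
    rng = rng or secrets.SystemRandom()
    digits = list(DIGITS)
    rng.shuffle(digits)
    return dict(enumerate(digits))


def ranked_guesses(tap_probs: Sequence[Dict[int, float]],
                   layout: Dict[int, str], limit: int = 10) -> List[str]:
    """Attacker side.  tap_probs[i] maps candidate key positions for the
    i-th tap to the probability the video analysis assigns them.  Every
    combination is scored by the product of its per-tap probabilities and
    the PINs are returned best-first, so the k-th entry is guess number k."""
    scored = []
    for keys in product(*[list(p) for p in tap_probs]):
        score = 1.0
        for probs, key in zip(tap_probs, keys):
            score *= probs[key]
        scored.append((score, "".join(layout[k] for k in keys)))
    scored.sort(key=lambda item: item[0], reverse=True)
    return [pin for _, pin in scored[:limit]]


def guesses_needed(tap_probs: Sequence[Dict[int, float]],
                   layout: Dict[int, str], true_pin: str) -> int:
    """1-based position of the true PIN in the attacker's list, or 0 if it
    lies outside the ten-guess budget the article's figures use."""
    ranked = ranked_guesses(tap_probs, layout, limit=10)
    return ranked.index(true_pin) + 1 if true_pin in ranked else 0


def pins_consistent_with(keys: Sequence[int]) -> int:
    """Defender side.  Even if the video pins down every key position
    exactly, an unknown random layout leaves this many PINs consistent with
    what was seen: 10*9*8*7 = 5040 for four distinct positions."""
    distinct = sorted(set(keys))
    pins = set()
    for perm in permutations(DIGITS, len(distinct)):
        mapping = dict(zip(distinct, perm))
        pins.add("".join(mapping[k] for k in keys))
    return len(pins)


# Constructed input: the user typed 2-5-8-0 (positions 1, 4, 7, 9 on the
# standard layout) and the "video analysis" is confident but not certain.
TAPS: List[Dict[int, float]] = [
    {1: 0.60, 0: 0.25, 2: 0.15},
    {4: 0.50, 3: 0.30, 5: 0.20},
    {7: 0.70, 6: 0.20, 8: 0.10},
    {9: 0.45, 8: 0.35, 6: 0.20},
]

if __name__ == "__main__":
    print("fixed layout, best ten guesses:", ranked_guesses(TAPS, FIXED_LAYOUT))
    print("true PIN 2580 found on guess", guesses_needed(TAPS, FIXED_LAYOUT, "2580"))
    # The same finger movements on a shuffled keypad spell a different PIN...
    layout = shuffled_layout()
    print("same taps on shuffled keypad:", "".join(layout[k] for k in (1, 4, 7, 9)))
    # ...and without the layout the attacker faces thousands of candidates.
    print("PINs consistent with perfect observation:", pins_consistent_with([1, 4, 7, 9]))
```

With the constructed probabilities the true PIN 2580 is the first guess, a near miss such as 2480 (one key off on the second tap) is the third, and 2570 is the tenth, which is how a "94% within 10 guesses" figure is counted. Note that the shuffle must come from the OS random number generator, not Python's default `random` module, because a predictable order would let the attacker reconstruct the layout from a known seed. A shuffled keypad protects only against observers who cannot see the screen; an attacker with a clear view of the display, or a photo of it, learns the layout along with the taps.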
Meanwhile, protecting yourself against sneaky PIN hacking wouldn't be difficult, once you know what to do. Keeping your phone completely out of sight when entering a PIN or other sensitive data is the most obvious step. Newer iPhone and Android devices allow you to choose a longer, more complex alphanumeric passcode over a simple 4-digit one (although typing it in can be a pain), and a passcode that isn't reused for bank cards or other accounts limits what a captured code is worth. Practicing good security, by using two-factor authentication, a password manager and so on, also helps, and shortens the time before you learn that somebody has got into your accounts. It's probably safe to assume somebody is always watching. Sooner or later, they will be.
Culled from Yahoo Finance