Americans are worried about their privacy, and rightfully so — as Congress repeals laws that would have protected our browsing data beginning in December, people are on edge. Now, researchers have come up with a way for websites to collect accurate data from our smartphones as we browse, which is extremely problematic given the number of things our smartphones seem to know.
According to Ars Technica, they know if we’re in a car going above the speed limit, when we’re walking, running, or riding a bus. They’re aware when we make or receive a call and know when each starts and ends. Your phone knows the PIN you use to unlock it and those required for external sites.
These sensor-based keylogging attacks are most useful for identifying four-digit PINs, with up to 74% accuracy on the first attempt and 94% by the third. It stands to reason that the same technique could recover other secrets, including lock patterns.
“One might argue that the attack should be evaluated against the whole four-digit PIN space,” the researchers noted. “However, we believe that the attack could still be practical when selecting from a limited set of PINs because users do not select their PINs randomly. It has been reported that around 27% of all possible four-digit PINs belong to a set of 20 PINs, including straightforward ones like ‘1111,’ ‘1234,’ or ‘2000.’”
To be vulnerable to an attack, a user need only open a malicious webpage and enter their PIN before closing it. Nothing has to be installed. The page stages the attack with JavaScript that reads the motion and orientation sensors built into every iOS and Android device, and the PIN is captured without any warning to the user.
Results of the research are explained in detail in “Stealing PINs via mobile sensors: actual risk versus user perception.”
Siamak F. Shahandashti, a researcher at Newcastle University, demonstrated the attack, saying, “That means that whenever you are typing private data on a webpage and this webpage, for example, has some advert banners at the side or the bottom, the advert provider, as part of the page, can ‘listen in’ and find out what you type on that page. Or with some browsers, as we found, if you open a page A and then another page B without closing page A (which most people do), page A in the background can listen in on what you type in page B.”
While the attacks varied between browsers and even operating systems, the researchers were able to glean data in every case. Ars Technica has a chart that breaks down what each browser is able to block.
Unfortunately, says Newcastle University researcher Feng Hao in an interview with Ars Technica, “There is no straightforward fix to the problem without also breaking potentially useful web applications in the future. No one is able to come up with a definite solution yet.”
The researchers suggested closing tabs as often as possible, but warned that the threat is likely to grow in the absence of browser and OS makers identifying a more permanent solution.
“Access to mobile sensor data via JavaScript is limited to only a few sensors at the moment,” said researchers. “This will probably expand in the future, especially with the rapid development of sensor-enabled devices in the Internet of Things. Hence, designing a general mechanism for secure and usable sensor data management remains a crucial open problem for future research.”
Sources: “Stealing PINs via mobile sensors: actual risk versus user perception,” Ars Technica
Image Source: Pixabay