An American soldier takes a selfie at the U.S. army base in Qayyara, south of Mosul October 25, 2016

PINs and passwords can be stolen just by watching the way a phone tilts, scientists find

Malicious apps can take the simple movement and work out how to access people's most private details

Andrew Griffin (@_andrew_griffin)
Tuesday 11 April 2017 00:05

People's passwords could be exposed with just a tilt of their phone, according to a new study.

Research from Newcastle University shows that PINs and passwords can be found just by watching how a phone moves when it is being held. The researchers warn that the same information could be used by malicious websites and apps to gain access to the most personal parts of people's lives.

In the study, researchers were able to guess a password just by watching the movement of a device. They had 70 per cent accuracy on the first guess, and 100 per cent by the fifth.

And there appears to be no easy way of solving the issue, which could compromise the smartphones and tablets that contain much of our personal lives.

Lead author Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, rotation sensors and accelerometer.

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."

The sensors needed are in most phones. But there is no uniform way of managing them, and so no easy way to solve the problem, according to the findings in the International Journal of Information Security.

Dr Mehrnezhad said: "More worryingly on some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding.

"So people were far more concerned about the camera and GPS than they were about the silent sensors."

All of the major browser providers, like Google and Apple, have been informed of the problem, the researchers said. But none has been able to come up with a way of keeping passwords secure.
