PINs and passwords can be stolen just by watching the way a phone tilts, scientists find

Malicious apps can take the simple movement and work out how to access people's most private details

An American soldier takes a selfie at the U.S. army base in Qayyara, south of Mosul October 25, 2016

People's passwords could be exposed with just a tilt of their phone, according to a new study.

Research from Newcastle University shows that PINs and passwords can be found just by watching how a phone moves when it is being held. The researchers warn that the same information could be used by malicious websites and apps to gain access to the most personal parts of people's lives.

In the study, researchers were able to guess a password just by watching the movement of a device. They had 70 per cent accuracy on the first guess, and 100 per cent by the fifth.

And there appears to be no easy way of solving the issue, which could compromise the smartphones and tablets that contain much of our personal lives.

Lead author Dr Maryam Mehrnezhad, a research fellow in the School of Computing Science, said: "Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, rotation sensors and accelerometer.

"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."

The sensors needed are in most phones. But there is no uniform way of managing them, and so no easy way to solve the problem, according to the findings in the International Journal of Information Security.

Dr Mehrnezhad said: "More worryingly on some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

"And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding.

"So people were far more concerned about the camera and GPS than they were about the silent sensors."

All of the major browser providers, like Google and Apple, have been informed of the problem, the researchers said. But none has been able to come up with a way of keeping passwords secure.
