Smartphone PINs: Researchers use smartphone camera to figure out PIN numbers
Heather Kelly, CNN
9:41 AM, Nov 12, 2013
(CNN) -- Researchers have found a way to figure out what personal identification number, or PIN, someone is typing into their smartphone by using the device's built-in cameras and microphones to secretly record them.
Smartphones are handling an increasing amount of sensitive financial information, with banking and payment apps and other features that turn phones into full-featured mobile wallets. That makes mobile devices a ripe target for cybercriminals.
In a paper published Thursday, security researchers at the University of Cambridge detailed how they exploited the smartphone's camera and microphone to detect PINs and gave some suggestions for making this type of hack more difficult.
This type of malware doesn't exist in the wild just yet. The PIN Skimmer program was created by Cambridge's Ross Anderson and Laurent Simon. The idea is to identify potential security holes before they can be exploited by criminals. In tests, the PIN Skimmer had a 30% success rate detecting four-digit PINs after monitoring a few attempts, and that number went up after it grabbed information over five tries.
First, the microphone detects that a person is entering a PIN. On many apps, the device will vibrate each time a number is tapped. That vibration creates a sound that is picked up by the microphone, which lets the malware know that a "touch event" is happening -- in this case it is the entering of a secret PIN.
Then the camera takes over. The camera isn't looking for reflections in your eyes or triangulating what numbers you're looking at while typing in the code. The researchers use the camera to detect the orientation of the phone and determine where the user's finger is on the screen. On-screen keypads typically display number in a standard order, so if the program can tell where a finger is tapping on the screen based on how the person is holding it, it can deduce what number is there. In their example, researchers assume people are holding their phones with one hand and typing in numbers with their thumb.
The malware captures some photos and a few seconds of video and uploads them to a remote server, evading detection by hiding any data usage charges by possibly waiting for the phone to have a WiFi connection.
Depending on the phone, it could take some additional precautions like disabling any LED light that would let a person know their smartphone camera was recording. The researchers tested the program on the Galaxy S3 and Google Nexus Android phones.
In the past, security researchers have warned that criminals could use other phone sensors like the accelerometer and gyroscope to puzzle out what someone is typing. The paper suggests that apps or electronic wallets like Trustzone take control of and disable all the available sensors when entering a secure mode. Another suggestion includes randomizing where the numbers appear on the screen.