Here’s a case where Touch ID definitely shows its value. One of the updates in iOS 9.3 in 2016 stopped hackers from stealing your Personal Identification Number, or PIN, by spying on the motion sensors within your iPhone. Engadget noted that a team of researchers from Newcastle University in the United Kingdom has demonstrated that the way your phone tilts and moves as you type can be analyzed to crack a four-digit PIN.
Tracking Your iPhone’s Movements With the Motion Sensors
Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer. - Dr. Maryam Mehrnezhad
Apparently, a malicious web page could track the gyroscope and rotation sensors to get the information needed to hack four-digit PINs. At the time, according to lead author Dr. Maryam Mehrnezhad, mobile apps and websites didn’t need to ask permission to access the sensors. Because of this, malicious software could “covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as […] even your touch actions, PINs and passwords.”
More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter. - Dr. Maryam Mehrnezhad
Even worse, the team noted, was the fact that the vulnerability could leave your banking information, for example, at risk of being hacked. All you would need to do would be to open a page hosting the malicious code on an iPhone or iPad and then open your online banking account without closing the previous tab. The tab could then spy on every personal detail you enter. In some cases, the code was even able to spy on users while the device was locked, if the browser wasn’t completely shut down.
How Easy Is It to Hack a PIN This Way?
The team at Newcastle University ran extensive testing on the exploit. They found that by analyzing the movement of the device, they were able to crack a four-digit PIN with the first guess 70 percent of the time. By the fifth guess, the team was successful at determining the PIN one hundred percent of the time.
This is why you should use a complex password on your device, folks, along with Touch ID. Sure, it’s harder to type in, but the added complexity of your typing would make it much more difficult for someone to use this sort of technique to spy on your sensitive information.
Now It’s a Non-Issue – Unless You’re Still Running iOS 9.2
While the research was being conducted, Dr. Mehrnezhad said, the team alerted the major mobile browser developers, including Apple and Google, to the risk. Nobody had been able to develop an answer at the time the research paper was written, but that’s since changed. Engadget notes that both Apple and Mozilla have already issued patches to prevent hackers from collecting sensor data this way. Google, on the other hand, has not yet resolved the issue.
The Newcastle University researchers aren’t resting on their academic laurels. The team has now moved on to looking into personal fitness trackers, which are typically a treasure trove of motion sensor data. They hope to learn how secure those devices are, and whether the fitness trackers’ sensors can be used to spy on your activities.