By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users.
Previous research, such as the Soundminer sensory malware that listens to phone calls and steals credit card numbers either spoken or entered on the keypad, or TouchLogger, which records taps like a smartphone keylogger, has, in the researchers' words, "shown how to work out PINs using the gyro and accelerometer; we found that the camera works about as well. We watch how your face appears to move as you jiggle your phone by typing."
Yeah, but will it really work? The researchers report that it's fairly accurate. "When selecting from a test set of 50 4-digit PINs, PIN Skimmer correctly infers more than 30% of PINs after 2 attempts, and more than 50% of PINs after 5 attempts on Android-powered Nexus S and Galaxy S3 phones."
There have been efforts to design a secure electronic wallet so sensitive data like bank credentials can't be stolen by malware, but this newest side-channel attack would blow those plans to smithereens. Anderson wrote, "Our work shows it's not enough for your electronic wallet software to grab hold of the screen, the accelerometers and the gyro; you'd better lock down the video camera, and the still camera too while you're at it. (Our attack can use the still camera in burst mode.)"
This newest information-stealing attack is not the first and will most assuredly not be the last to raise security and privacy awareness as well as concerns. But as Google's Motorola Mobility patent highlights, potential wearable computing inventions that make smartphone use easier, better or more secure can also be creepy if you value privacy. The flip side is that the NSA would probably love it if we'd voluntarily submit to wearing lie detector tattoos paired to our mobile devices... talk about leaking sensitive information!