Smartphone cameras can give away PIN codes, researchers warn

Correction: This article originally said the user’s eyes were what gave away the code, but it is in fact the orientation inferred from captured images that does so.

Researchers at the University of Cambridge have come up with an ingenious way of revealing the PIN codes for sensitive applications running on smartphones – listening for the sound of virtual buttons being pressed, and watching the user’s face as he or she types in their code.

Smartphone security has come quite a long way in recent years. Look at Samsung’s enterprise-friendly Knox system, for example. Knox, which is available for phones such as the Galaxy S4, uses an ARM(s armh) technology called TrustZone that effectively involves two operating systems – one for normal apps and one for sensitive apps, such as those for banking. The idea is to keep sensitive apps safe from the nastiness that might come with some dodgy app downloaded to the standard OS.

The problem is, those separate OSs share a lot of sensors, including the camera and microphone. Here’s your attack vector – or rather, as the number of sensors in a typical handset continues to increase, a bunch of them.

Previous research has already demonstrated that a handset’s accelerometer and gyroscope can be used to infer what is being typed on it – a so-called “side channel” attack. Now, in a paper published on Thursday by Ross Anderson and Laurent Simon of the University of Cambridge, we learn that the camera and microphone also provide potential ways in for ne’er-do-wells, assuming they’ve managed to get their malicious app onto the device beforehand.

Here’s how the authors explained the attack (PDF), which they have implemented in a mocked-up system called PIN Skimmer:

“By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users.”

Smartphone attack

How successful is PIN Skimmer? In a test set of 50 4-digit PINs, the app (which has a server-side component for image-processing, so as to avoid suspiciously running down the battery) correctly guessed more than 30 percent of PINs after a couple of attempts, and over half after 5 attempts. Obviously longer PINs help, but even with 8-digit codes, PIN Skimmer still worked out around 45 percent after 5 attempts.

This should be of concern to the developers of banking apps and the like, although there’s not a lot they can do about it. The Cambridge researchers suggested that OS designers implement a whitelist for sensors rather than leaving them all active all the time – this would mitigate the risk by denying access to all shared hardware resources “except those explicitly allowed,” though I’d imagine it would conflict with recent features introduced to smartphones, such as always-on microphones.

Another option, of course, is to stop using PIN codes. Identity could instead be confirmed through the use of biometrics (although that introduces different risks), and the researchers also note that secondary devices such as smart watches could act as secure ID when brought together with the handset.