
Apple patched iOS after researchers showed a website could use motion sensors to detect passcodes

Last year Apple patched iOS after cyber researchers from the UK demonstrated that a malicious webpage could use iPhone sensors to detect a passcode. The technique was so accurate that the team had a 100% success rate at working out 4-digit PINs within five attempts, reports Engadget.

You might think your phone’s movements are random, but they apparently create distinct patterns. During their tests, they were able to crack four-digit PINs on the first guess 70 percent of the time and 100 percent of the PINs they used by the fifth guess.

The attack vector was made possible, explained the study’s lead author Dr. Maryam Mehrnezhad, because mobile apps and websites were able to access sensor data without permission …

Because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

A neural network was used to identify correlations between motion sensor data and tapped PINs, and a browser JavaScript exploit was used to run the malware.

The team reports that Apple issued a patch to prevent the unauthorised collection of sensor data after the team presented its findings to the company. The fix was part of iOS 9.3.

Google said that it is aware of the issue, but does not yet have a fix. You can read the paper here.


Author: Ben Lovejoy
