The team's paper highlights a number of troubling findings connecting onboard sensors and privacy issues. For instance, using data collated by a mobile device's hardware tracking systems on how users moved and tilted their phones while tapping in a code, the team was able to crack four digit PINs with 70 percent accuracy on the first try, and 100-percent accuracy by the fifth.
Hackers are able to decipher PINs & passwords just from the way we tilt our phone when typing in the information https://t.co/hU7jWF82lT— Newcastle University (@UniofNewcastle) April 11, 2017
Some applications alert users to specific onboard monitoring, but such warnings aren't universal, and insight into how often that information is accessed rarely offered.
Hackers that gain access to such data can use it to determine a wide range of different activities, including whether a user is sitting, walking, or traveling in a car or train. Each user touch action — clicking, scrolling, holding and tapping — induced a unique orientation and motion trace, to the point it was possible to determine what part of the webpage the user was clicking on and what they were typing.
The team contacted some of the mobile industry's biggest names about the issue, and while major players are aware of the problem, addressing it could prove easier said than done — mobile firms may well reticent to block access required for functionality intended for the sensors.
"Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, rotation sensors and accelerometer — but because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly listen in on your sensor data and use it to discover a wide range of sensitive information about you, such as phone call timing, physical activities and even your touch actions, pins and passwords," said lead researcher Dr. Maryam Mehrnezhad.
Moreover, the team found a strong correlation between perceived risk and understanding — when people were asked which sensors they were most concerned about, the vast majority of people were far more concerned about the vulnerability of their smartphone's camera and GPS than they were about the phone's "silent" sensors.
Nonetheless, the team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting any apps not in use.
Next, the team will investigate potential security risks inherent in personal fitness trackers, linked to online profiles.
2017 has seen vulnerabilities revealed in a number of personal tech devices — in March, Standard Innovation Corporation, the firm behind popular Bluetooth-enabled sex toy We-Vibe 4 Plus, settled a US class action lawsuit to the tune of US$4 million, after it was found to have collected data about the way users partook in the device. SIC was found to have collected sensitive information about customers while devices were in use for "diagnostic purposes."