Smartphone users are being advised to use additional security measures on their phones after scientists were able to unlock some of the devices with 99.5% accuracy.
Researchers from Nanyang Technological University (NTU) in Singapore developed machine-learning technology that uses data from the sensors in Android smartphones to recover their PIN codes.
The team say their technique works across all 10,000 possible four-digit combinations.
They believe their work highlights a “significant flaw” in smartphone security that could be exploited by hackers, because the sensors present in the phones “require no permissions to be given by the phone user and are openly available for all apps to access”.
Led by Dr Shivam Bhasin, the researchers gathered data from six different sensors found in smartphones – accelerometer, gyroscope, magnetometer, proximity sensor, barometer and ambient light sensor.
Using machine-learning algorithms, the team were able to determine which numbers the study participants had pressed on the Android smartphones, based on how the phone tilted and how much light was blocked by the thumb or fingers.
Dr Bhasin said: “When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9.”
This means that while a piece of malware may not be able to guess a PIN correctly immediately after installing itself, the researchers say that hackers could use machine learning to secretly collect sensor data from thousands of users over time and launch an attack at a later date.
Professor Gan Chee Lip, of NTU Singapore, said: “Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour.
“This has significant privacy implications that both individuals and enterprises should pay urgent attention to.”
Dr Bhasin is advising users to opt for PIN codes with more than four digits and to use additional authentication methods such as one-time passwords, fingerprint recognition or facial recognition.
His recommendation for mobile operating system developers and smartphone makers is to restrict access to the six sensors “so that users can actively choose to give permissions only to trusted apps that need them”.
The paper is published in the open-access Cryptology ePrint Archive.