To be fair, this test was based on choosing PINs from among a list of 50 random PINs. The researchers collected a pool of data for 500 test PINs and used that along with the data collected from the test cases to guess the PIN used almost 100% of the time, on the first guess.
Still, this is certainly concerning. *IF* you give EITHER an Android or iPhone app permissions EVER to access sensors, then they can access those sensors for as long as the app is installed. If the app is malicious, it could use that sensor data to capture your PIN.
These researchers used data from the phone’s accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor to figure out the PIN. This test was a proof of concept, so even though the test had limits, if a hacker wanted to spend some effort on it, he or she could likely improve the effectiveness over what the researchers achieved.
The problem is that the app can access these sensors after you give it permission without any indication that it is doing so.
Longer PINs are not a cure either, according to the researchers. All it takes is some work to build the table of data of sensor information for different possible PINs. Longer PINs mean bigger tables, but unless the PIN is insanely long, the problem is manageable.
If the researchers tried to guess all 10,000 possible 4-digit PINs, their success rate went down to 83% within 20 tries. This of course is nowhere near as good as 99.5%, but 83% is still pretty good.
Likely as researchers continue to test the limits of this capability it will force Google and Apple to make some changes.
So what can you do?
Obviously, longer passwords and PINs make things more difficult, but sometimes you don’t have a choice about that.
Two-factor authentication has a HUGE positive effect on this because even if they can guess the PIN, that value won’t work the next time around.
Finally, set your device down on a hard surface and do not move it while you are entering that PIN. That way the various sensors have much less data to work with.
Information for this post came from Bleeping Computer.