Pinlogger.js Concept Steals Pin Via Gyroscope

According to a team of scientists at Newcastle University UK, they have developed a method to steal a smartphone’s PIN via the use of a javascript app that captures and implements the data generated by a phone’s gyrometer, GPS, camera, microphone, accelerometer, magnetometer, proximity, pedometer and NFC protocols. In fact, using said technique these cyber scientists claim that they have been able to successfully guess a 4-digit pin with 76% accuracy on the first attempt, 86% on the second attempt and 96% after a third attempt¹.

“That means whenever you are typing private data on a webpage and this webpage for example has some advert banners at the side or the bottom, the advert provider as part of the page can ‘listen in’ and find out what you type in that page,”

Dr. Siamak F Shahandashti

According to their research in International Journal of Information Security, the group states that the attack does also require the user to first open a malicious web page and enter characters and that the app itself does not require the use of installation or installation of a companion app. Instead, the logger dubbed Pinlogger.js makes its way onto the victim via the use of html iframe tags (this is what embeds documents and such into a document commonly seen with ads) and that the app could infer any characters being typed upon an iOS or Android device without any knowledge to it’s existence.  An example of such an environment for this to occur would involve say a user opening a first page that may have a malicious Pinlogger-infected ad and filling out a form on page two, unaware that page one is listening and logging the information being provided from the user’s actions.

OS and Browser susceptibility

With regards to a potential fixes the team suggests the solution won’t be so simple. While most phones do give the ability to ask users to first grant permissions for how an app may behave, at the moment most phone’s don’t provide users to adjust these senors in apps such as the browser. Furthermore, denying some of these apps permissions may often “break” the service and fail to properly deliver the content requested for the user and thus cripple the user experience.  Some companies such as Apple and Firefox have gone on record stating that they are looking into the issue and coming up with fixes on their part; having even provided some small fixes such as not allowing gryometer when webview is hidden or blocking javascript access to top level documents. However, the threat still remains worth consideration; especially as the group is now looking towards implementing similar design towards smart devices such as gyrocope equipped watches.

Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe – the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly.

——-Personal fitness trackers which you wear on your wrist and, by their very nature, are designed to track the movement of your hand and pass information to your online profile pose a whole new threat.

Dr Siamak Shahandasht

In the meanwhile, the following methods can be used to protect yourself from having your PIN compromised on smart devices.

  • Change your PIN and password every so often (every 3 months usually recommended)
  • Close Background apps and we pages you don’t need
  • Keep your phone and apps up to date to prevent exploits
  • Audit and keep track of your app permissions
  • Only install trusted apps
  • Use a PIN scrambler to adjust how the PIN layout is situated for each and every unlock attempt

¹The team initially threw over 50 PIN codes at PINlogger.js for initial setup and sample scripting


Recommended Links:

Threatpost PINlogger

Newcastle University Press

Ars Technica on PINlogger


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s