According to a team of cybersecurity experts at Newcastle University, the way you tilt your phone could be used by hackers to break into your device.

When it comes to security and the protection of privacy, people often worry about connecting to public Wi-Fi networks, tricking face recognition technology, or bypassing fingerprint sensors. What usually gets left out of the discussion is the multitude of basic motion and orientation sensors that can be found inside most smartphones and tablets today. Well, according to cyber-experts at Newcastle University, we should be paying more attention to these sensors that we take for granted every day.

Essentially, because most apps and websites don’t need special permissions to access the device’s motion and orientation sensors, malicious hackers could “listen in” on your sensor data without your knowing. Using the movement and the positioning of the device, hackers are able to guess not just your password but also where on the screen you’re interacting. According to the paper published by the team, they were able to crack four-digit PINs with 70 percent accuracy on the first guess and 100 percent accuracy by the fifth guess. Considering most phones allow more than five attempts without serious repercussions, this is alarming news indeed.

Because every movement – tapping, scrolling, long-pressing – leads you to hold your device in a unique way, hackers could potentially use these standard sensors to monitor which part of the page your touch is registered on and what you are typing on your virtual keyboard. According to these researchers, unless you completely close the app or the website that contains the malicious code, hackers could spy on you even when your phone is locked.

The trouble is, however, there isn’t much that can be done right now. The team has already notified major tech companies like Apple and Google, but no one has come up with a solution thus far. Unless access to these sensors is added to the permissions required of apps and of every single website, the sensors are likely to remain vulnerable.

What measures do you take to protect your privacy? Let us know by leaving a comment below!

Brian Reigh
Brian Reigh is a contributor at Android Authority, covering all Android-related news and features. He has always been passionate about technology, especially mobile phones. He is a recent alum of Dartmouth College and is currently in law school.
  • Daggett Beaver |dBz| ✓ᵛᵉʳᶦᶠᶦᵉᵈ

    Damn Trump and his Russian hackers.

  • Allan Tan

    Google should have a virtual keyboard that displays numbers randomly (for entry of PIN) instead of the standard layout. In this way, hackers will have a hard time guessing!

    • That’s probably the best option for right now. If hackers know that the position on the screen is irrelevant, then this attack becomes mostly useless. The only possible security hole becomes the randomization quality of the number pad. If it is poorly randomized, hackers may still be able to make educated guesses on what PIN you’re typing.

    • Paul Canning

      My Oneplus One has randomised numbers on the PIN lock screen <3

      • Arman

        Where is the setting!?

        • “Randomise number locations” under lockscreen security, as far as I remember

          • Arman

            Can’t find it on Tugapower, probably doesn’t have it.

    • The feature is already in a bunch of custom ROMs, and has existed for some time.

      • In AOSP though, nothing! Missed the feature since I moved to an AOSP-based ROM

  • Gordon Hay

    Presumably, this only applies to one-handed operation – if the phone is resting on a hard surface or is being held steady in one hand whilst touching the screen with the other there would not be any/enough movement detected to be hackable.

    • BlackHawkRider .

      Even on a flat surface, the tapping should create a minuscule amount of vibration which is more than enough to calculate where you are tapping on the phone. However, I don’t think there is much to worry about here. Even assuming that somehow a hacker will spend the time and money to monitor another person for their password and other information, it will depend mostly on what type of virtual keyboard the victims are using. Also, trying to use this method to unlock a device is also pointless due to the fact that you can enable a method to change the position of the numbers for the lock screen pin number.

  • Up next: “Hackers can steal your password by looking at how you ‘bend’ your phone.”

    • Daggett Beaver |dBz| ✓ᵛᵉʳᶦᶠᶦᵉᵈ

      After that, “Hackers can steal your password by looking over your shoulder as you type it.”

      • BlackHawkRider .

        Then later, “Hackers can steal your password by asking you for it.”

        • Arman

          After that hackers will steal your password even if you don’t have a phone.

          • BlackHawkRider .

            Dam…..Hackers are getting even more high tech lol

          • Arman

            Mind hacking with thought prediction algorithms lol

          • BlackHawkRider .

            One step closer till SAO becomes a reality XD

          • Arman

            Why do you think they are pushing VR, big brother is waiting lol..

          • Grant D

            “iPhone 9, so secure that there are literally no sensors!”

      • Hahaha.

  • EKMA

    gotta have a reason for them to hack you…. I’ve got nothing that anyone would want… in fact, they’d probably feel sorry for me and put money into my account…

    • Arman

      It’s not only about your money these days, even if they can find something secret or embarrassing about you on your phone such as a pic they will try to blackmail you to pay them otherwise they post it online. The low bar is set to a new level. That’s their new Ransomware model.

      • Daggett Beaver |dBz| ✓ᵛᵉʳᶦᶠᶦᵉᵈ

        LOL! Good luck. What are they going to blackmail me about? The fact that I like anchovies on my pizza?

        • Arman

          Mostly they do it to companies. They used to encrypt the files and asked for money to give back the files and people got smart and got their backups on schedule, so they wouldn’t pay them anymore. The new trend is they threaten to release the company secrets and confidential stuff so every company will pay them.

          But some people most likely have naked pictures and stuff on their phones so it works for those people too.

  • tabguy2

    One word: LastPass.

    • Arman

      I never trust an app to keep my passwords, no matter how secure. You never know but that’s probably just me!

      • mark

        What method are you using that’s more secure than a password manager? And I hope the method you’re using has been audited/checked for security holes as thoroughly as password managers have?

        • Arman

          I don’t save them online period, just have them somewhere safe, only a few characters of each password the rest is ****, that’s as good as it gets. Also pretty much all accounts have 2 factor authentication enabled. All you really need to remember is your main email account credentials, you can reset all other accounts using your main account if you forget these days.

          • Drakenoid

            The hackers only need to hack your email then they can reset all other accounts.

          • Arman

            That’s why you need to have 2 factor authentication setup for your email.

          • Drakenoid

            2-factor accounts have been hacked before, but tbh, it doesn’t really matter, it’s an issue either way.

          • Arman

            True, nothing is 100% secure but the average hacker doesn’t have the skill to hack 2FA. Unless your phone gets hacked, then it’s useless.

  • Nikhil

    ouch! Smart devices and the trouble it brings along :(

  • Charles Fair

    just deny web browser access to the sensors

  • Howrad Tseng

    *tilts phone*
    *puts finger on fingerprint sensor*

  • D’Artagnan the Deplorable

    Subdermal implants.

  • User

    Does this work even with password managers? Basically use fingerprint to log into a manager and then copy and paste (hidden) passwords

  • Harish Sridharan

    How do you avoid it or is there an app to do that for you
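
The randomized PIN pad suggested in the comments above is only as good as its randomization, as one reply points out. The following is an added example, not code from the article, the researchers or any ROM, showing one way to draw an unbiased keypad layout in JavaScript; all function names are hypothetical.

```javascript
// Added example: drawing a PIN pad layout with no positional bias.
// Works in browsers and Node; the require() fallback only runs where
// the global Web Crypto object is missing.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Default byte source backed by the platform CSPRNG.
function secureByte() {
  return rng.getRandomValues(new Uint8Array(1))[0];
}

// Uniform integer in [0, n) for 1 <= n <= 256, by rejection sampling:
// bytes at or above the largest multiple of n are discarded, so no
// residue is more likely than another (no modulo bias).
function uniformInt(n, nextByte = secureByte) {
  const limit = 256 - (256 % n);
  let b;
  do {
    b = nextByte();
  } while (b >= limit);
  return b % n;
}

// Fisher-Yates shuffle of the ten digits. With a uniform byte source,
// each of the 10! layouts is equally likely, so the screen position of
// a tap says nothing about which digit was entered.
function randomPinPadLayout(nextByte = secureByte) {
  const digits = [..."0123456789"];
  for (let i = digits.length - 1; i > 0; i--) {
    const j = uniformInt(i + 1, nextByte);
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return digits;
}

// For contrast, the "poorly randomized" case: sorting with a random
// comparator does not produce uniform permutations, and Math.random()
// is not a cryptographic generator, so some layouts (and therefore
// some digit positions) come up more often than others.
function weakPinPadLayout() {
  return [..."0123456789"].sort(() => Math.random() - 0.5);
}
```

The layout should be redrawn for every PIN prompt; a layout that stays fixed across unlocks gives an observer repeated samples of the same digit positions.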