Researchers at the University of Cambridge have come up with an ingenious way of revealing the PIN codes for sensitive applications running on smartphones – listening for the sound of virtual buttons being pressed, and watching the user’s face as he or she types in their code.
Using a programme called PIN Skimmer, a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified.
The software watches your face via the camera and listens to clicks through the microphone as you type. The tests were carried out on the Google Nexus-S and the Galaxy S3 smartphones.
How successful is PIN Skimmer? In a test set of 50 4-digit PINs, the app (which has a server-side component for image-processing, so as to avoid suspiciously running down the battery) correctly guessed more than 30 percent of PINs after a couple of attempts, and over half after 5 attempts. Obviously longer PINs help, but even with 8-digit codes, PIN Skimmer still worked out around 45 percent after 5 attempts.
This should be of concern to the developers of banking apps and the like, although there’s not a lot they can do about it. The Cambridge researchers suggested that OS designers implement a whitelist for sensors rather than leaving them all active all the time – this would mitigate the risk by denying access to all shared hardware resources “except those explicitly allowed”, though I’d imagine it would conflict with recent features introduced to smartphones, such as always-on microphones.
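To make the proposed mitigation concrete, here is a small model of a default-deny sensor whitelist, written as an added example for this page rather than code from the researchers or from any phone OS. The broker, app names and sensor names are all assumed: the point is that while one app is taking sensitive input, a second app only gets the camera or microphone if it was explicitly allowed beforehand, which is also how an always-on microphone feature would be reconciled with the policy (the assistant is on the list; an unknown background app is not).

```python
"""Default-deny sensor whitelist model (added illustration; all names are assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Shared hardware resources that a background app could use as a side channel
# while another app is showing a PIN pad (sensor names are constructed for this model).
SHARED_SENSORS: Set[str] = {"camera", "microphone", "accelerometer", "gyroscope"}


@dataclass
class SensorBroker:
    """Mediates every sensor request; one instance per (simulated) OS."""
    default_deny: bool = True                       # True = whitelist model, False = legacy default-allow
    allowlist: Dict[str, Set[str]] = field(default_factory=dict)   # app -> sensors explicitly allowed
    secure_input_app: Optional[str] = None          # app currently in secure-entry (PIN) mode
    audit: List[str] = field(default_factory=list)  # decisions, for detection/forensics

    def allow(self, app: str, sensor: str) -> None:
        """Explicitly whitelist one sensor for one app (e.g. the voice assistant's microphone)."""
        if sensor not in SHARED_SENSORS:
            raise ValueError(f"unknown sensor: {sensor}")
        self.allowlist.setdefault(app, set()).add(sensor)

    def enter_secure_input(self, app: str) -> None:
        """Called by the OS when `app` shows a sensitive keypad (PIN entry)."""
        self.secure_input_app = app

    def exit_secure_input(self) -> None:
        self.secure_input_app = None

    def request(self, app: str, sensor: str) -> bool:
        """Decide whether `app` may read `sensor` right now; every decision is logged."""
        if sensor not in SHARED_SENSORS:
            decision = False
        elif self.secure_input_app is None and not self.default_deny:
            decision = True                          # legacy model: all sensors live, all the time
        elif self.secure_input_app is not None and not self.default_deny:
            # legacy model has no notion of secure input either: a background app
            # still gets the camera and microphone while the PIN pad is on screen
            decision = True
        else:
            # whitelist model: only sensors explicitly granted to this app, no matter
            # whether someone else is entering a PIN (default deny)
            decision = sensor in self.allowlist.get(app, set())
        self.audit.append(f"{app} -> {sensor}: {'GRANT' if decision else 'DENY'}"
                          + (f" (secure input: {self.secure_input_app})" if self.secure_input_app else ""))
        return decision


def compare_policies() -> Dict[str, Dict[str, bool]]:
    """Run the same request sequence under both models and return the decisions."""
    results: Dict[str, Dict[str, bool]] = {}
    for name, default_deny in (("legacy_default_allow", False), ("whitelist_default_deny", True)):
        broker = SensorBroker(default_deny=default_deny)
        broker.allow("voice_assistant", "microphone")   # the one always-on feature we chose to permit
        broker.enter_secure_input("banking_app")        # user is typing a PIN
        results[name] = {
            "background_app/camera": broker.request("background_app", "camera"),
            "background_app/microphone": broker.request("background_app", "microphone"),
            "voice_assistant/microphone": broker.request("voice_assistant", "microphone"),
        }
        broker.exit_secure_input()
    return results


if __name__ == "__main__":
    for policy, decisions in compare_policies().items():
        print(policy)
        for req, granted in decisions.items():
            print(f"  {req}: {'granted' if granted else 'denied'}")
```

Under the legacy model every request is granted, including the background app's camera and microphone while the banking PIN is being typed; under the whitelist model only the pre-approved assistant keeps its microphone. The audit list is the part a defender would actually wire up: a background app asking for the camera during secure input is exactly the event worth alerting on.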