Side channel attack on smartphone

Is your mobile phone spying on you?

Your bank and your credit card provider have put a lot of time and effort into protecting your online banking passwords, your online card payment details and the PIN of your card.

However, there are some neat ways to side-step security features by hijacking the phone’s sensors to listen in while you type. In this article we look at such attacks and the impact of current research to deal with this vulnerability.

Work by Maryam Mehrnezhad and Ehsan Toreini at Newcastle University shows that malware embedded in a web page accessed by a mobile browser can detect your passwords / PIN using the mobile phone accelerometer data. As we’ll see, the impact of this research is wide-ranging: the vulnerability has been reported to W3C and browser vendors, who have responded by restricting access to this data.

Side-channel attack

A side-channel attack is not concerned with trying to attack a system directly, e.g. by brute-force cracking of passwords. Instead, it uses extra information connected with the physical system, which inadvertently provides the attacker with the information they need. Work at Wichita State University and at the University of Illinois has shown that the accelerometers in a smartwatch could be used to detect your PIN when you enter it into a PIN pad such as at an ATM or Chip & PIN terminal. So if you enter your PIN with your right hand, wear your smartwatch on your left.

Smartwatches and fitness apps make use of sensors to improve the user experience, by tracking training runs or simply providing more responsive games. The problem is that these sensors, such as GPS, camera, microphone and gyroscope, provide an app running on the device with side-channel information: such an app could log when a call is being made, where the user is and whether they are moving or stationary, and even work out what PIN or password is being typed on the device. Add to this the NFC (near field communication) sensors that are present on many modern mobile phones, and we can see that an app with access to this data will be able to read any bank card that is near the phone (for example, kept in the same bag or wallet).

From apps to mobile browsers

This type of attack has been known about for years, and has been unsolved partly because of the complexity of the problem but also because of the low risk of an attack: the user must intentionally download and install the malicious app, and give it permission to use the phone’s sensors. Instances of this attack will trick the user into doing this by posing as a free game app which requires access to the data. However, app stores such as Apple’s App Store or the Google Play Store do have a screening program which would prevent the distribution of an app that is found to contain malicious content.

Research shows that the sensor attack is spreading from apps to mobile browsers, where the controls have been much looser. In-browser access to sensors such as GPS, light, motion and orientation is permitted in JavaScript code, and motion and orientation data can be available without any user permission. The Newcastle team demonstrated that a remote attacker can learn a user’s touch actions (tap, scroll, hold, zoom) and PINs by reading motion and orientation sensor data through JavaScript embedded in a web page, without any app installation or user permission. For some mobile devices and browsers, the attack is effective even if the malicious web page is open in an inactive tab, when the browser is minimised or when the screen is locked.

Action taken

Following responsible disclosure practices, the Newcastle team informed W3C and browser vendors in private of these findings. Accordingly, W3C acknowledged the problem, and a new version of the specification has been drafted with reference to this research.

All major mobile browser vendors, including Google Chrome, Mozilla Firefox, Apple Safari and Opera, have acknowledged the problem. Starting from version 46 (released in April 2016), Firefox restricts JavaScript access to motion and orientation sensors to top-level documents and same-origin iframes. In the latest Apple Security Updates for iOS 9.3 (released in March 2016), Safari took a similar countermeasure by:

suspending the availability of this [motion and orientation] data when the web view is hidden.

Both patches acknowledge the contributions by the Newcastle research team.
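
The two browser countermeasures described above, modelled as an added JavaScript example (not code from the article, the researchers or any browser). The frame and view objects, the function names and the choice to compare an iframe's origin with the top-level document's origin are assumptions made for illustration.

```javascript
// Added illustration: a model of the two countermeasures, not browser source code.
// The frame/view shapes and every name below are assumptions made for this example.

// Walk up the frame tree to the top-level document.
function topLevel(frame) {
  let f = frame;
  while (f.parent) f = f.parent;
  return f;
}

// Firefox 46 rule as the article describes it: only top-level documents and
// iframes sharing the top-level document's origin receive sensor events.
function passesOriginRule(frame) {
  return frame.parent === null || frame.origin === topLevel(frame).origin;
}

// Safari / iOS 9.3 rule as described: no motion data while the web view is hidden.
function passesVisibilityRule(view) {
  return view.visible === true;
}

// Names of the frames in `view` that would be handed a motion/orientation sample.
// The "legacy" policy models the behaviour before the fixes: every frame gets it.
function recipients(view, policy) {
  return view.frames
    .filter((f) => policy === "legacy" ||
      (passesOriginRule(f) && passesVisibilityRule(view)))
    .map((f) => f.name);
}

// Constructed sample page: a banking page embedding its own widget and a third-party ad.
const page = { name: "page", origin: "https://bank.example", parent: null };
const widget = { name: "widget", origin: "https://bank.example", parent: page };
const ad = { name: "ad", origin: "https://ads.example", parent: page };
const frames = [page, widget, ad];

const activeTab = { visible: true, frames };
const lockedScreen = { visible: false, frames }; // inactive tab, minimised or locked

console.log(recipients(activeTab, "legacy"));        // all three frames
console.log(recipients(activeTab, "restricted"));    // cross-origin ad frame excluded
console.log(recipients(lockedScreen, "restricted")); // nothing delivered while hidden
```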

Maryam and Ehsan are currently working on further methods of addressing this exposure. Later this week you will see their practical advice on mobile phone app safety.

This article is from the free online course:

Cyber Security: Safety at Home, Online, in Life

Newcastle University