Researchers demonstrate how PINs and other info can be gathered through phone movement

A team of researchers at Newcastle University in the U.K. has published a paper highlighting some troubling findings linking on-board sensors with privacy issues. Using data collected by mobile devices’ hardware tracking systems, the team was able to crack four-digit PINs with 70 percent accuracy on the first try, and with 100 percent accuracy by the fifth try.

While some applications alert users to specific on-board monitoring, it’s certainly not universal — nor, for that matter, is any insight into how often that information is being accessed.

“Having access to these sensors, either via the native apps, which you can install on your phone or a web application — it’s not like they always ask permission,” the paper’s lead researcher Dr. Maryam Mehrnezhad told TechCrunch. “So, these sensors, which are related to your identity, like your microphone, camera or GPS, but for a lot of these new sensors, none of them ask for permission. And a lot of users don’t know that the web application has access to it.”

Hackers who gain access to that data can use it to determine a wide range of different activities, according to researchers, like whether the user is sitting, walking or traveling in a car or train. The issue, according to the paper, is particularly troublesome with regard to mobile browsers. A site carrying malicious code can open the device to such sensor-based monitoring, which keeps working in the background when browser tabs are left open.

Dr. Mehrnezhad tells TechCrunch that the University has contacted some of the biggest names in the mobile industry about the issue. And while major players are aware of the problem, actually addressing it could prove easier said than done.

“All mobile platforms[…] are aware of this problem,” she says. “We reported it to them, and ever since we’ve been in touch with them, we’ve been trying to fix this problem together. It’s still ongoing research on both sides. But we’re in contact with these communities to figure out the best solution.”

Mehrnezhad says the team has been in touch with the major players through the World Wide Web Consortium (W3C), and some, including Mozilla, have gone a ways toward addressing the issue. But there’s still work to be done — and a line to walk, between privacy and usability. Mobile companies will no doubt be hesitant to block access required for the functionality initially intended for the sensors.

The issue, Mehrnezhad adds, will only grow as connected devices become more prevalent through the growth of wearables and connected home products. Meantime, the team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting out of any apps not currently in use.