
Guessing smart phone PINs by monitoring the accelerometer - reisub0
https://www.schneier.com/blog/archives/2013/02/guessing_smart.html
======
axelfontaine
I came across an interesting solution to this while paying at a restaurant in
Ecuador: they used an Android device which randomized the position of the
numbers of the on-screen keypad before each transaction.

The original intent is to make it much harder for onlookers to guess your pin
based on finger movements. This could however apply equally well to the
usecase of the article.

It is a bit of a usability trade-off though as you can't enter a pin using
muscle memory alone anymore, as you must first understand the current keypad
layout.

~~~
wpietri
Interesting! I'd love to see what happens when somebody studies that. That
surely creates a much larger inter-digit delay as people hunt for the right
numbers. So I'd bet it's harder if the attacker can't also see the screen, but
easier if they can.

~~~
joshvm
This is also standard in certain secure facilities and I've visited companies
that use them. They're called scramble pads. I think you get better at
entering the numbers, and you wait until you see the sequence before going for
the pad.

~~~
heavenlyblue
I believe scrambling should work the best if you scramble the keypad for every
digit entered, rather than for the whole of them at once. Otherwise at least
the same key presses should be immediately recognisable?

------
JoeAltmaier
"Figure out" means, in this case, classify. So it can tell which of 50 is 'the
one'if its in that set. That's a hell of a long way away from decoding your
PIN from the tens of thousands possible.

~~~
reisub0
This was a paper from 2013 though, 7 years ago. I'm sure they've more than
made it a proper technology now, with all the compute power and deep learning
and what not. Maybe unrelated, but WhatsApp does monitor your phone
accelerometer data 100% of the time, even when it's in the background. An app
doesn't even need to ask for permission to get access to the accelerometer
data, so there's not even a pop up of any sort.

~~~
gruez
>but WhatsApp does monitor your phone accelerometer data 100% of the time

Source for this? Did anyone call them out on it? What plausible reason is
there to have it on 24/7?

~~~
ficklepickle
I was also curious. I found a relevant reddit discussion:

[https://www.reddit.com/r/lgg6/comments/7yxk0a/whatsapp_insan...](https://www.reddit.com/r/lgg6/comments/7yxk0a/whatsapp_insane_accelerometer_usage/)

------
mdorazio
I suspect issues like this are one of the reasons why iOS locked down
accelerometer access in Safari. Motion sensors have a lot more potential for
malicious use than most users think.

~~~
fmjrey
I was going to say Apple must have became aware of such flaw a year ago (iOS
12.2). However checking back on the article I see it is from 2013! So for all
this time nothing has been done, Apple reacted last year, and Google has done
nothing. Worrying.

~~~
Dahoon
It still works in iOS.

------
untog
This stuff is so fascinating... and so frustrating. Now browsers have
accelerometer data behind a permission prompt. It makes total sense given
stuff like this but it used to be a nice little way to create immediately
playable games, apply visual parallax-y effects... and now we have permission
prompts sat in front of that.

I guess I’m not blaming anyone here, just amazed that there isn’t _any_ data
source that doesn’t leak something sensitive!

~~~
atoav
I don't see the issue there: it is good if my browser tells me what is going
on and leaves the decision to me.

Of course in an ideal world we would be able to trust the sites we visit
enough to not jave our browsera protect us, but that is not how a ad financed
web worka sadly

------
angry_octet
Why can't Android manage to do basic security things, like disable the
accelerometers during keyboard input?

~~~
Razengan
I wish iOS didn't show each character as you type your password. HOW is that
even helpful, let alone not having an option to disable that?

~~~
fiddlerwoaroof
I use it all the time to correct password mistakes: I would be really
irritated if that went away: in fact, I frequently use devtools on my laptop
to change password inputs to text inputs

------
robinduckett
Someone add (2013) to this

~~~
floatingatoll
They ask us to use the Contact link in the HN footer to ask them to do so.

------
avip
Unbait, unBS yourself:

After five guesses it could spot Pins about 43% of the time [...] these
results were produced when Pins and patterns were picked from a 50-strong set
of numbers and shapes.

(2015)

------
jacknews
How do you get the accelerometer data?

Surely if you have enough privilege to get that, you could just get input data
directly?

~~~
dubbel
By requesting access to it. To a user that just installed a e.g. step counting
app that wouldn't be suspicious.

Otherwise on Android apps would need to request accessibility feature access
to be able to monitor keyboard input into other apps (and there is an explicit
warning), or, which is most common, request an overlay permission and start a
"phishing overlay" if a targeted app is started by the user.

