
The way people tilt their smartphone 'can give away passwords and pins' - dan1234
http://www.bbc.co.uk/newsbeat/article/39565372/the-way-people-tilt-their-smartphone-can-give-away-passwords-and-pins
======
kinkora
Interestingly novel!

In my university days, long before the days of tablets and smartphones, the
computer labs were the usual place where people would congregate to do their
assignments or basically kill time on the internet in between classes.

One day, my mates and I noticed how annoyingly loud some people type on their
keyboards and out of sheer boredom, we decided we could come up with an
algorithm to determine what a person was typing simply from recording the
sound of the keystrokes from our vantage point. Taking that sound clip, we
graphed it out and we proceeded to hash out each "stroke" based on how loud it
was in relation to the distance of where we were from the keyboard + the angle
of the keyboard.

Fun times ensued. ;)

~~~
NoCoastCoder
And this worked? Seems hard to believe.

~~~
cmdrfred
It would cut entropy down by a great deal if you even simply knew how long the
password was.

~~~
wruza
I've seen a movie where a bad guy entered password and a good girl counted the
number of characters: one-two-three-four-five. Then she noticed that his suit
had a "GREED" badge on it. Combining these two facts she successfully hacked into
his laptop and prevented some shit. Since then I started to always mix a few
backspaces into my passwords. Not that I'm really bad, but life is life.

~~~
ballenf
The backspace key on most keyboards has a _very_ distinct sound. Not to
mention its positioning means timing will be noticeably different as well.
Might be better off mixing in a few meaningless modifier keys (press Ctrl, Alt
or Caps Lock).

~~~
sigjuice
I usually type a long string of gibberish, sneak in ctrl-U at some point and
then enter my actual password

~~~
idanoeman
Unless the gibberish is the same every time, the repeated sound of your
password will still be parsable from a long enough sound recording of your
computer usage.

~~~
sigjuice
The gibberish is unlikely to ever be the same.

~~~
jaredsohn
I think it is more accurate to say that the gibberish is unlikely to _always_
be the same.

I think one can tend to create similar gibberish over time. I've worked on a
system where I needed to do a new signup every time I wanted to test a feature
and I've run into issues where the gibberish I entered matched an account that
I had previously created.

~~~
NeutronBoy
Everyone here has accounts in development databases named 'aaa', 'asd',
'asdf', 'qwer', 'hjkl', etc!

~~~
BigJono
Nope, mine are all oeunt, oeunth, huet, uehis, ais, etc

~~~
uiri
You are a user of the Dvorak layout, I take it? Colemak seems like it would
have a different fingerprint.

~~~
BigJono
Yep! Always a bit of fun when someone goes to use my laptop for an end-of-sprint
presentation and types a bunch of gibberish in front of all the
stakeholders :D

------
tboyd47
> We demonstrate how an inactive or even a minimised web page, using
> JavaScript, is able to listen to and silently report the device motion and
> orientation data about a user who is working on a separate tab or a separate
> app on the device.

This is brilliant and well-explained.

On page 6 of the PDF, the authors include a breakdown of the leakages they
found in each browser family. The two that were most significant to me are
Chrome's "Active/Other" leak on iPhones and Safari's "Locked" leak. I believe
this means that malicious Javascript (1) on Google Chrome on an iPhone on an
inactive tab, and (2) on mobile Safari while the screen is locked, can access
tilt and motion data at a level of detail sufficient to deduce what the user
is typing.

~~~
jacquesm
Accelerometer data could be used too to figure out how long it took to move
from one entry on a virtual keyboard to another, reducing the search space
considerably.
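
Putting the two comments above together, here is an added example (not code from the paper, from its authors, or from any commenter): the listener a background page registers, followed by the first analysis step an attacker would run over the captured stream, namely finding the taps and extracting inter-tap timing and the tilt at each tap. The sample stream is constructed inline for illustration; thresholds, the 50 Hz rate and the tap amplitude are assumptions, not values from the paper.

```javascript
// Added example, not code from the paper or from any commenter above.
// Part 1 is the listener a background page can register; part 2 is the
// first analysis step over the captured stream: find the taps, then the
// inter-tap timing and the tilt at each tap. The stream produced by
// makeSampleStream() is CONSTRUCTED for illustration, not measured data.

const GRAVITY = 9.81;

// Part 1: registration. In a browser tab this needs no permission prompt,
// which is the behaviour the paper describes. Under Node there is no
// window, so it returns false and only part 2 runs.
function startSensorLogger(report) {
  if (typeof window === 'undefined' || !window.addEventListener) return false;
  window.addEventListener('deviceorientation', (e) => {
    report({ t: performance.now(), kind: 'orient', beta: e.beta, gamma: e.gamma });
  });
  window.addEventListener('devicemotion', (e) => {
    const a = e.accelerationIncludingGravity || e.acceleration;
    if (a) report({ t: performance.now(), kind: 'motion', x: a.x, y: a.y, z: a.z });
  });
  return true;
}

// Part 2: offline analysis. For simplicity a sample here already carries
// both streams: { t (ms), x, y, z (m/s^2), beta, gamma (degrees) }.

function magnitude(s) {
  return Math.sqrt(s.x * s.x + s.y * s.y + s.z * s.z);
}

// A tap is a short spike of |a| away from the resting value. The resting
// value is the mean over the first `warmup` samples; a new tap is accepted
// only `refractoryMs` after the previous one so one press that spans a few
// samples is counted once. Threshold and refractory values are assumptions.
function detectTaps(samples, { threshold = 1.5, refractoryMs = 80, warmup = 20 } = {}) {
  const rest = samples.slice(0, warmup).reduce((acc, s) => acc + magnitude(s), 0) / warmup;
  const taps = [];
  let lastTap = -Infinity;
  for (const s of samples) {
    if (Math.abs(magnitude(s) - rest) > threshold && s.t - lastTap > refractoryMs) {
      taps.push({ t: s.t, beta: s.beta, gamma: s.gamma });
      lastTap = s.t;
    }
  }
  return taps;
}

// Gaps between taps: the timing side channel noted above (a thumb travels
// further between 1 and 9 than between 1 and 2).
function interTapIntervals(taps) {
  return taps.slice(1).map((tap, i) => tap.t - taps[i].t);
}

// Constructed 50 Hz stream: 2 s with the phone held at a slight tilt, plus
// four taps. Each tap is a 40 ms spike of +3 m/s^2 along z, and gamma is
// shifted at tap time as if the thumb reached towards different columns.
function makeSampleStream() {
  const taps = [
    { t: 400, gamma: -8 },
    { t: 700, gamma: 6 },
    { t: 1100, gamma: 6 },
    { t: 1300, gamma: -9 },
  ];
  const samples = [];
  for (let t = 0; t < 2000; t += 20) {
    const active = taps.find((tap) => t >= tap.t && t < tap.t + 40);
    samples.push({
      t, x: 0.3, y: 1.2,
      z: GRAVITY + (active ? 3.0 : 0),
      beta: 35,
      gamma: active ? active.gamma : 0,
    });
  }
  return samples;
}

// What a classifier would be trained on: PIN length, timing, per-tap tilt.
function analyse(samples) {
  const taps = detectTaps(samples);
  return {
    pinLength: taps.length,
    intervalsMs: interTapIntervals(taps),
    tiltAtTaps: taps.map((tap) => tap.gamma),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyse(makeSampleStream())));
}
```

Run under Node it prints the PIN length (4), the three inter-tap gaps and the tilt at each tap; the classifier in the paper is the step that turns per-tap tilt into digits, and nothing here attempts that. Note that the page itself never asks for a permission, which is the point tboyd47 quotes.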

~~~
Neliquat
Another good reason to use a non standard keyboard.

------
wh-uws
This attack, and an annoyance that I see on Android from time to time, could be
easily mitigated in Chrome if they would simply ship permissioning for
access to hardware devices.

There is this annoying popup ad that infects the ad networks of a few
websites that first smashes the history of the tab and then vibrates your
phone and has a page with a bunch of red warning text telling you that you
have a virus, your phone is "damaged" and trying to get you to download some
crappy virus scamware.

No way in hell a random website should be able to make your phone vibrate
without your permission, much less tell how it's moving with the accelerometer.

I've googled around a lot; there is NO WAY to disable this :/

~~~
trakout
Chrome will soon require an SSL cert in order for web services to use the
device orientation API, which is a step in the right direction, but ultimately
doesn't help in prevention.

------
maaaats
Relevant: A friend of mine analyzed lock patterns for her thesis. Got some
press: [https://arstechnica.com/security/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/](https://arstechnica.com/security/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/)

The patterns are predictable, and can be further narrowed down if you know the
hand they normally use.

~~~
kevindqc
how come length 8 and 9 have the same number of combinations?

~~~
allenz
There is a one-to-one correspondence between them: a length 9 combination is
just a length 8 combination followed by the sole remaining node. The lock
screen has 9 nodes.
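
The equal counts are easy to confirm by enumeration. The following is an added example, not code from the Ars Technica piece or from any commenter; it applies the stock Android rules (each dot at most once, no stroke across a dot that has not been visited yet) and counts patterns by length, and it also checks a single pattern so the "doubling back" limit is concrete.

```javascript
// Added example, not code from the Ars Technica piece or from any
// commenter: enumerate the valid Android unlock patterns by length. Dots
// are numbered 0..8 row by row. The stock lock screen rules: each dot at
// most once, and a stroke may not pass over a dot that has not yet been
// visited (passing over an already-visited dot is allowed).

const DOTS = 9;

// Pairs of dots with a third dot exactly between them, keyed "a,b" (a < b).
const MIDPOINT = {
  '0,2': 1, '3,5': 4, '6,8': 7, // rows
  '0,6': 3, '1,7': 4, '2,8': 5, // columns
  '0,8': 4, '2,6': 4,           // diagonals
};

function midpoint(a, b) {
  const key = a < b ? `${a},${b}` : `${b},${a}`;
  return key in MIDPOINT ? MIDPOINT[key] : null;
}

function canMove(from, to, visited) {
  if (visited[to]) return false;
  const mid = midpoint(from, to);
  return mid === null || visited[mid];
}

// Check one pattern against the rules: 5 -> 3 is fine once 4 has been
// visited (a stroke back across the centre), 0 -> 2 is not until 1 has.
function isValidPattern(seq) {
  if (seq.length < 1) return false;
  const visited = new Array(DOTS).fill(false);
  visited[seq[0]] = true;
  for (let i = 1; i < seq.length; i++) {
    if (!canMove(seq[i - 1], seq[i], visited)) return false;
    visited[seq[i]] = true;
  }
  return true;
}

// Depth-first enumeration. Returns counts[len] for len in [minLen, maxLen];
// Android requires at least four dots, hence the default minLen.
function countPatterns(minLen = 4, maxLen = 9) {
  const counts = new Array(maxLen + 1).fill(0);
  const visited = new Array(DOTS).fill(false);
  function extend(last, len) {
    if (len >= minLen) counts[len] += 1;
    if (len === maxLen) return;
    for (let next = 0; next < DOTS; next++) {
      if (canMove(last, next, visited)) {
        visited[next] = true;
        extend(next, len + 1);
        visited[next] = false;
      }
    }
  }
  for (let start = 0; start < DOTS; start++) {
    visited[start] = true;
    extend(start, 1);
    visited[start] = false;
  }
  return counts;
}

function totalPatterns(counts) {
  return counts.reduce((a, b) => a + b, 0);
}

// Equivalent entropy in bits for a uniformly chosen pattern.
function entropyBits(count) {
  return Math.log2(count);
}

if (typeof require !== 'undefined' && require.main === module) {
  const counts = countPatterns();
  console.log(counts.slice(4).join(' '), 'total', totalPatterns(counts));
}
```

The enumeration gives 1624, 7152, 26016, 72912, 140704 and 140704 patterns for lengths 4 through 9, 389112 in all (about 18.6 bits if chosen uniformly, which the thesis above shows they are not). The last two counts match because a length-9 pattern is determined by its first eight dots, exactly as allenz says; and the length-4 count alone is under 11 bits, which is the point made earlier about knowing the length.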

------
rangibaby
I saw an ATM before that scrambled the number pad on its touchscreen so the
numbers were in a different position every time. Would that work to mitigate
this attack?

~~~
dafrankenstein2
This may work for an ATM because you are not using it several times a day, or
even in a week. But scrambling will make for bad UX on smartphones.

~~~
lostlogin
I can't remember when I last used an ATM (maybe 5 years ago?) and haven't seen
the one near work used much so checked usage stats. It's more common here than
I thought (as are cheques) but it's not used much.
[http://www.paymentsnz.co.nz/articles/nz-payments-stats-a-year-in-review](http://www.paymentsnz.co.nz/articles/nz-payments-stats-a-year-in-review)

------
skamoen
As a university project, I did something very similar, only using a malicious
app. The app would monitor the device state, and record gyro data as soon as
the screen was on, but the device was locked. We didn't have the time to
properly implement a decent classifier, but the data collection was
surprisingly effective.

~~~
imjustsaying
Brilliant. Did you upload the source anywhere?

~~~
idanoeman
Wouldn't that be a bit irresponsible?

~~~
hbk1966
Very

~~~
lolc
Why?

------
driverdan
Source with more details:
[https://blogs.ncl.ac.uk/security/author/b2031864/](https://blogs.ncl.ac.uk/security/author/b2031864/)

~~~
tomjakubowski
The authors' paper link is to a closed access journal, but a preprint is
thankfully available here:
[https://arxiv.org/abs/1602.04115](https://arxiv.org/abs/1602.04115)

------
dwighttk
How about not letting javascript run when the phone is locked? Heck, on my
phone I'd be fine with not letting it run when the browser tab isn't active.

What use case am I not thinking of here?

~~~
reitanqild
On desktop FF I have an extension that prevents JavaScript from running in
background tabs unless whitelisted.

Saves a lot of CPU if I have google search result in background tabs.

~~~
winter_blue
What is this extension called? I use FF, and I'd love to turn this on for most
of my background tabs (except for a few like GMail).

~~~
reitanqild
Not in front of my computer now. If you check back tomorrow I _might_ have
added it here or to my profile. : )

~~~
reitanqild
Suspend tab by Piri (piro_or) is the one on my laptop at least.

In the description it also mentions other extensions; especially
suspend-background-tabs looks like something I might be using on one of
my/someone else's machines.

------
abecedarius
Nice hack. I've been using my phone for less and less over the years, out of
security concerns, since it's my 2fa device and I sometimes check email with
it. After the Broadcom wifi thing I even stopped carrying it around. I guess
it's past time to buy a dedicated 2fa device.

~~~
ColanR
What broadcom wifi 'thing' are you referring to? Guess I missed that piece of
history.

~~~
abecedarius
[https://news.ycombinator.com/item?id=14034092](https://news.ycombinator.com/item?id=14034092)

~~~
ColanR
Ah. Thanks to you both.

------
tmsldd
Quick Fix: at OS level, temporarily disable all sensors while typing on the
virtual keyboard.

~~~
roberttod
Perhaps freeze all sensors at the last known value when entering a pin and
when typing into password fields.

~~~
Neliquat
Adding another convenient flag to monitor for when to snarf your password
doesn't seem all that forward-thinking security-wise...

------
ge96
I thought you just make the keyboard random every stroke and the human has to
pick the right next letter so it's not predictable with a known pattern.

edit: I like that "Obviously hackers wear hoodies..." hahaha, I like to wear a
mask, and see as little as possible, while I mash on the keys hacking into the
NSA.

edit: it's not funny though when you happen to see your server logs and you
see various attempts to break in using wordpress-access attacks like, forget
the one, xmlrpc or something... I don't use Wordpress but man... gotta keep an
eye on those logs. Also tracked one of the IPs, led to some site called
BoltCloud, looks legit, with a login but... I don't know... not sure if you
can bounce attacks from a server without that server's permission.

------
stefs
"Obviously most hackers wear hoodies and stand in dark rooms"

finally!

------
tomglynch
With machine learning these days I'm sure that accuracy will only increase
too.

> They say they cracked four-digit pins with 70% accuracy on the first guess
> and 100% by the fifth guess.

I'd expect within a few months they could have 70% accuracy on the first guess
for typing text/passwords.

------
stefanve
BlackBerry solved this with their picture code lock
[http://n4bb.com/blackberry-10-getting-picture-password-unlock-screen/](http://n4bb.com/blackberry-10-getting-picture-password-unlock-screen/)

------
hex1848
You can usually easily figure out someone's connect-the-dots password simply by
looking at the smudge marks on the screen.

~~~
fao_
This is why I chose one that doubles back on itself in a non-obvious way. I've
tested it by trying to teach people the password, it usually takes them quite
a while to learn it, even when I do it really, really slowly and give them
lots of tries.

~~~
ballenf
Last time I used this on Android, there were 9 points but I couldn't use any
one more than once. You can double back in a very limited way, but the more
complex patterns I wanted to use were impossible.

I'm sure there's more written on this, but most patterns I've seen are just
way too short. And hug the outer edge, are in-order, etc.

------
koolba
I bet you could do this by analyzing a video of someone holding their phone
too.

~~~
andai
Did you see that video of analyzing microscopic (subpixel) changes in video to
reconstruct audio vibrations?

~~~
koolba
No, do you have a link? That sounds nuts. So by analyzing a video you can
recreate missing audio?

~~~
jamessb
There was a 2014 SIGGRAPH submission called "The Visual Microphone" [1]; it is
also discussed in the 'research highlights' section of the Communications of
the ACM [2].

[1]:
[https://people.csail.mit.edu/mrub/VisualMic/](https://people.csail.mit.edu/mrub/VisualMic/)

[2]: [https://cacm.acm.org/magazines/2017/1/211095-eulerian-video-magnification-and-analysis/fulltext](https://cacm.acm.org/magazines/2017/1/211095-eulerian-video-magnification-and-analysis/fulltext)

------
Adverblessly
Sorry for digressing from the main topic of the article, but isn't anyone else
bothered by this terrible graph from the article
[https://cdn.arstechnica.net/wp-content/uploads/2015/08/alp-length-breakdown2-640x319.png](https://cdn.arstechnica.net/wp-content/uploads/2015/08/alp-length-breakdown2-640x319.png) ?

For example, the bar for Men's shopping password length is 3x-4x longer than
for Women's, but in reality the value (in tiny font) is only ~8% greater (the
others are ~4% and ~10%).

------
cosinetau
> They said they'd told all the major tech companies, like Google and Apple,
> about the risks but no-one has been able to come up with an answer so far.

What about putting an end to tracking gestures?

------
avip
Unbait yourself:

> Based on a test set of _fifty 4-digit PINs_

------
SerLava
I wonder if you could hold the phone flat in one hand and press the buttons
with the other hand to defeat this. Or wobbling while entering it one-handed.

~~~
AstralStorm
You still get timing data from the taps.

~~~
SerLava
Random delay?

------
canuckintime
Blackberry released an excellent app[1] for Android phones that helps solve
this.

Any option for iOS? Can someone recommend a good 4-way privacy screen
protector?

[1] [http://www.theverge.com/2017/3/23/15038364/blackberry-privacy-shade-app-smartphone-feature](http://www.theverge.com/2017/3/23/15038364/blackberry-privacy-shade-app-smartphone-feature)

~~~
dwighttk
That app makes it a little harder for a stranger to read what's on your
screen, it doesn't have anything to do with browser access to the
accelerometer and other sensors.

~~~
canuckintime
Heh, I tend to tilt my device a particular way to avoid prying eyes when
typing in a password so I assumed a direct connection but others probably
don't behave the same way

~~~
dwighttk
There won't be an iOS app that can do that unless you jailbreak.

------
carapace
(I remember reading that a phone on a desk could be used to figure out what
you type on a keyboard on the same desk.)

------
seccess
This attack has been known since at least 2011:
[https://www.usenix.org/legacy/event/hotsec11/tech/final_files/Cai.pdf](https://www.usenix.org/legacy/event/hotsec11/tech/final_files/Cai.pdf?wptouch_preview_theme=enabled)

------
ge96
I kind of can't wait till everything is biologically linked, I don't know if
it's a good idea/cost effective. There's usually that scene in horror movies,
removing eyeballs, removing hands/fingers etc... for biometric security.

Still the thought of someone snatching my wallet and swiping away at my cards.
Whereas if the card wasn't "active" unless my hand was the one holding it, I
don't know how... fingerprint, pulse, heat, embedded RFID chip activates the
card... I don't know. Think DNA-linked money too, but someone could steal your
hair... I don't know, I'm just not going to carry more than $20.00 on me in
any form of money.

random thought too: when everyone has their own API and this replaces social
media, why would that happen I don't know. If people had custom readers to
pull in a person's data.

------
nippoo
The solution to this - for PINs and passwords at least - is to scramble the
keyboard layout. It's slow, but if you're typing in a 6-digit PIN it doesn't
take that long.

------
hbk1966
Simple solution to the codes, just place the numbers in random locations. I
know Runescape used to do this with bank pins.

------
anotheryou
This was proven in 2011 already:
[https://www.extremetech.com/mobile/92946-a-wiggly-approach-to-smartphone-keylogging](https://www.extremetech.com/mobile/92946-a-wiggly-approach-to-smartphone-keylogging#)

------
tapmap
This is why using fingerprint sensors makes sense. Impossible to guess this.

~~~
nols
Fingerprints have plenty of their own issues though.

[http://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security](http://www.theverge.com/2016/5/2/11540962/iphone-samsung-fingerprint-duplicate-hack-security)

------
InitialLastName
This is a great justification for fingerprint unlocking... I almost never need
to enter my pin, either at home or (especially) in public.

~~~
theoh
Fingerprints are "something you have", but for multi-factor authentication you
might also want to rely on "something you know". This news just indicates a
problem of entering "something you know" into a device: it's definitely not a
point in favour of fingerprint (they aren't simply alternatives)

------
ziikutv
Thanks captain obvious!

