A team of researchers at Newcastle University in the UK has published a paper highlighting some troubling findings linking on-board sensors with privacy issues. Using data collected by mobile devices hardware tracking systems, the team was able to crack four digit PINs with 70-percent accuracy on the first try, with 100-percent accuracy by try number five.
While some applications alert users to specific on-board monitoring, its certainly not universal nor, for that matter, is any insight into how often that information is being accessed.
Having access to these sensors, either via the native apps, which you can install on your phone or a web application its not like they always ask permission, the papers lead researcher Dr. Maryam Mehrnezhad told TechCrunch. So, these sensors, which are related to your identity, like your microphone, camera or GPS, but for a lot of these new sensors, none of them ask for permission. And a lot of users dont know that the web application has access to it.
Hackers gaining access to that data can use it to determine a wide range of different activities, according to researchers, like whether the user is sitting, walking, or traveling in a car or train. The issue, according to the paper, is particularly troublesomewith regards to mobile browsers. A site accessed with malicious code can open the device up to such sensor-based monitoring working in the background when browser tabs are left open.
Dr. Mehrnezhad tells TechCrunch that the University has contacted some of the biggest names in the mobile industry about the issue. And while major players are aware of the problem, actually addressing itcould prove easier said than done.
All mobile platforms are aware of this problem, she says. We reported it to them, and ever since weve been in touch with them, weve been trying to fix this problem together. Its still ongoing research on both sides. But were in contact with these communities to figure out the best solution.
Mehrnezhad says the team has been in touch with the major players through the World Wide Web Consortium (W3C), and some, including Mozilla, have gone a ways toward addressing the issue. But theres still work to be done and a line to walk, between privacy and usability. Mobile companies will no doubt be hesitant to block access required for the functionality initially intended for the sensors.
The issue, Mehrnezhad adds, will only grow as connected devices become more prevalent through the growth of wearables and connected home products. Meantime, the team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting out of any apps not currently in use.