Last year Apple patched iOS after cyber researchers from the UK demonstrated that a malicious webpage could use iPhone sensors to detect a passcode. The technique was so accurate that the team had a 100% success rate at working out 4-digit PINs within five attempts, reports Engadget.
You might think your phone’s movements are random, but they apparently create distinct patterns. During their tests, they were able to crack four-digit PINs on the first guess 70 percent of the time and 100 percent of the PINs they used by the fifth guess.
The attack vector was made possible, explained the study’s lead author Dr. Maryam Mehrnezhad, because mobile apps and websites were able to access sensor data without permission …
Because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.
More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.
The team reports that Apple issued a patch to prevent the unauthorised collection of sensor data after the team presented its findings to the company. The fix was part of iOS 9.3.
Google said that it is aware of the issue, but does not yet have a fix. You can read the paper here.