By downloading the wrong apps, you’re giving malicious hackers access to a wide variety of personal resources. But did you know they can also extract your PIN code with your phone’s camera? Security researchers at the University of Cambridge have determined that smartphone cameras can be used to extract users’ private PIN codes.
Let’s say you’ve installed a malicious app that can record video of you with your own smartphone camera. Here’s how the attackers can infer your PIN code:
By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users.
The researchers use image frames from the video capture to determine orientation changes from frame to frame. With multiple videos, the probability of a precise guess increases. After five attempts, hackers can correctly guess over half of the security codes. Even with 8-digit codes, the malware can correctly guess 45% of the PINs after five attempts.
To prevent hackers from using the camera to obtain personal PINs, the researchers suggest that app developers also prevent malware from taking control of the camera’s functions:
Our work shows it’s not enough for your electronic wallet software to grab hold of the screen, the accelerometers and the gyro; you’d better lock down the video camera, and the still camera too while you’re at it. (Our attack can use the still camera in burst mode.)
We suggest ways in which mobile phone operating systems might mitigate the risks. Meanwhile, if you’re developing payment apps, you’d better be aware that these risks exist.