There’s so much personal information stored on your smartphone, locking it is just as natural as locking your house or car. But just like any physical lock could be an easy job for a skillful burglar, stealing your PIN is easy for hackers. And they don’t even have to look over your shoulder.
Most people prefer using PINs to lock their phones instead of passwords because it is just more convenient. Filling in a complex ten-character passphrase every time your phone locks could be annoying. Even if said password offers much more security than a four-digit PIN. Remembering the latter is much easier.
How attackers can steal your PIN
PINs are also easier to break than passwords. Having four digits means there are just 10,000 combinations – and even fewer if the PIN is a date (which is what people usually use). But there are also many methods hackers can use that don’t have to leave them guessing (or brute-forcing, as the cybersecurity term goes). Here are a few inventive ways that have made the headlines in recent days to give you an idea:
- Using thermal imaging cameras. When you fill in your PIN, your fingers leave traces of heat on the screen. Researchers from the Stuttgart University have a demonstrated that a picture taken with a camera set to capture temperatures between 66 and 90 °F up to 30 seconds after can be enough to reproduce your PIN. When you type, your fingers leave heat signatures on the places where you touched the screen, and the size and brightness of the spots can give away the order you filled the digits in.
- Analyzing the movements of your phone. Every time you type anything into your device, you tilt it a bit – and each movement is slightly different, depending on where you press the screen. Your device has plenty of sensors that can detect these shifts. These sensors are also accessible to every malicious app, and even malicious websites that you have opened on your device. Researchers from Newcastle University have demonstrated that such an attack has a 74% accuracy at the first guess – and 100% at the fifth one.
- Studying the signals between your device and a Wi-Fi hotspot. Router antennas make small adjustments to their position depending on where your device is located to guarantee better reception. This also means the router can track the device by detecting subtle changes in the signal coming from it. This can also be used to track your hand’s movement on the screen. Attackers can use the method to capture a PIN, a lock pattern, and a password – anything your hand does on the screen.
The above are just examples. There are many other ways hackers can steal a password. It doesn’t even have to be that complex – it could take just a guy standing next to you and looking at your hands, or examining the fingertip marks left on your screen (there would be small dots on the spots that you press most frequently).
There is a way to counter those attacks
Secure Group well aware that attacks like the one described above are yet another thing our users should be prepared for. And there is a rather easy solution to counter them. We have designed our products so that every time you have to enter a PIN into them, the numeric keyboard is scrambled in a different way. The numbers you have to fill in are always at different places, so the attacks that track your hand movements will make no sense – you will be touching different parts of the screen every time you fill in identical PINs. Even repeat observation of your movements will not work, as the numbers are reordered in a different way every time. There is no pattern.
This feature is available for every instance where you have to fill in a PIN in all our products. You have the option to use a one to lock your screen on Secure Phone (although a password is the recommended method), and you use a four-digit PIN to hide contacts and conversations in Secure Chat. When you set any of these PINs for the first time, the keyboard is the default, regularly ordered one. Then, after you are finished filling it in and confirming it, every subsequent time when you will have to fill in the PIN the keyboard will be reordered.