Researchers at Nanyang Technological University in Singapore have developed a "deep-learning" method for cracking into smartphones running the Android OS, which has a "99.5 percent" effective rate after only three attempts, according to a new study reported by the Daily Mail.
The method uses an algorithm to reveal a person's passcode from data gathered by the phone's six built-in sensors, analyzing the unique tilt of the phone and how much light is being blocked while a person enters their four-digit PIN.
Co-author of the study Dr Shivam Bhasin from Nanyang Technological University, Singapore (NTU Singapore) said: 'When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different.
'Likewise, pressing 1 with your right thumb will block more light than if you pressed 9.' -Daily Mail
Researchers developed a custom Android application which analyzes data from a phone's accelerometer, gyroscope, magnetometer, proximity sensor, barometer and ambient light sensor - in a method which can be used to guess all 10,000 possible combinations of four-digit PINs.
As people "trained" the algorithm by entering more and more random PIN numbers, the app's success rate went up.
Although everyone enters their PIN differently, the scientists showed that as data from more people was fed to the algorithm over time, success rates improved.
This means that while a malicious application may not be able to correctly guess a PIN immediately after installation, it could collect data from thousands of users and then launch an attack once it has learnt their behaviours.
The algorithm was trained with data collected from three people, who each entered a random set of 70 four-digit PIN numbers on a phone, which recorded their entries.
Scientists are worried that this method can be used by hackers who develop malicious apps to get through a user's security. Imagine downloading a seemingly innocuous program for your four-year-old to keep them quiet during dinner, only to have been surreptitiously infected with PIN-cracking malware.
To avoid this type of technique, Dr. Bhasin advises that users restrict access to their phone's sensors, and use a PIN that's longer than four digits - as well as two-factor authentication and fingerprint recognition.
According to the Daily Mail, Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU Singapore, said this study shows how devices with seemingly strong security systems can be attacked using malicious applications to spy on user behavior.
"Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user's behaviour," said Lip, adding:
"This has significant privacy implications that both individuals and enterprises should pay urgent attention to."