OFFICIAL SECURITY BLOG
November 14, 2013 | BY Armando Orozco
Mobile devices have become targets for malware and researchers alike, the latest news is on how our devices can be exploited to capture PIN codes. Researchers Laurent Simon and Ross Anderson from the University of Cambridge have created an app, PIN Skimmer, using the camera and microphone to capture the codes.
Malware comes in a lot of different forms and at times they aren’t always created by the bad guys, but done as a proof-of-concept (POC) by developers and security researchers. These projects aren’t necessarily done to poke holes in their least favorite software, but to gain an understanding of ways they are vulnerable.
Often times they are useful to the owners of the software platform as they are provided with loopholes that were overlooked. The downside, is at times, the guys on the dark side will use it to exploit us. Most often than not, on mobile platforms thus far, most POCs haven’t been exploited to target users. Too much work and variables involved, plus no profit model—they usually can’t make a quick buck on things like this.
This particular POC comes as an app that would need to be installed on an Android device, with root, and a device running two or more operating systems. The malicious app will also need access to the front camera, microphone and other sensors to collect data to feed its algorithms.
With access to the microphone, PIN Skimmer can track screen touches, which requires the device to have key press vibration enabled, and when a key press is detected that data is stored. Using the OK button, of a lock screen, as a reference point it will attempt to map out key locations on the screen.
The camera piece involves tracking eye movements to identify what numbers have been pressed. Most keypads use the typical left to right, one to zero layout, so based on where you’re looking on the screen, along with the key press data, they can attempt to predict the PIN code.
The success rate of PIN Skimmer was pretty decent with 30 percent accuracy on 4-digit PINs after five attempts and surprisingly increasing in accuracy with longer PINs, above 45 percent on 8-digit PINs, as more data is collected with longer PINs.
Of course there is a lot more to how PIN Skimmer works, you can read more about Laurent and Ross’ research in their white paper here.
Malware authors aren’t going to care about our screen lock PIN codes, as they are likely thousands of miles away, but they do want access to our bank accounts. It’s feasible something like this could make it into the wild and be a real threat.
Commercially, what I could see happening is someone using such techniques to make a surveillance app available for purchase. There are already hundreds of surveillance type apps available, why not add an additional feature of capturing PIN codes. Which would make it a bigger threat in the wild as the malicious code could be reused.
I’ve always appreciated this type of in-depth research, I just hope the bad guys don’t get a hold of their work.