PINLogger: How does this exploit steal PINs?

Researchers from Newcastle University demonstrated a drive-by keylogger exploit known as PINLogger that uses mobile device sensors to guess four-digit PINs, which are then used to unlock devices or as part of two-factor authentication. The attack can be carried out when a user enters a PIN on their smartphone while a malicious webpage is open. How does this exploit work? Are there any browser or device protections that can stop such attacks?

New privacy and security risks require careful evaluation by multidisciplinary experts, end users and enterprises. When these risks involve new technology, fear, uncertainty and doubt frequently dominate the analysis.

For consumers, the risks may be worth it for the new functionality. The potential risks don't stop widespread adoption, nor should they, but people should at least be aware that there are unknown risks attached to new systems.

Side-channel attacks are among the most complex risks to evaluate. Side-channel attacks that exploit power consumption and accelerometer sensors for tracking have gotten some attention, but require the installation of applications on the targeted endpoint. These attacks are growing more sophisticated on mobile devices, as the multitude of sensors, data and access add to the complexity.

New research from Newcastle University demonstrated a drive-by exploit using a side-channel attack known as PINLogger that does not require installing an app on the endpoint, lowering the bar for the attacks. The attack can detect when PINs are being entered on a device, and then steal them.

However, the attack depends on several conditions: having a web browser on a mobile device that supports JavaScript, as well as web APIs that can access onboard sensors, and a user who keeps an attacker's malicious webpage open during an attack.

These web APIs are able to detect privacy-sensitive data, like device location, but more importantly, they can be used to determine when a PIN is being entered on a device. The PINLogger attack uses machine learning and a neural network to analyze sensor data to determine when a PIN is being entered, as well as the actual PIN.

The researchers recommended a number of mitigations for this keylogger attack, including restricting access to sensors or changing the fidelity of the data collected. Other recommendations include the following:

• Do not fire events when the page on which they were registered is not visible or has been backgrounded.
• Fire events only on the top-level browsing context or nested iframes of the same origin.
• Limit the frequency of events -- typically, 60 Hz is sufficient.

Providing an end user with notifications and control over sensors when they are accessed could improve awareness, but users will need usable guidance on what action to take.

Something the researchers didn't suggest is that noise could potentially be added without impacting an individual's actual use of a sensor. Disabling the sensors may not be possible on a device, and it may result in the loss of desired functionality. Using a browser without this functionality for general web browsing may minimize the risk of an attack.

Research like this helps advance awareness of the risks of keylogger attacks and improves users' expectations. The researchers also noted that the risks will only get more complex as new sensors are added, access to sensors is expanded, and new data becomes available from internet of things devices.

Additional research on human factors in information security will help improve the state of information security and help to identify how these risks can be communicated to standard users. Including expectations of information security and privacy in the development of new standards can ensure that the issues are included.