Today we’re presenting a new side-channel attack in PIN Skimmer: Inferring PINs Through The Camera and Microphone at SPSM 2013. We found that software on your smartphone can work out what PIN you’re entering by watching your face through the camera and listening for the clicks as you type. Previous researchers had shown how to work out PINs using the gyro and accelerometer; we found that the camera works about as well. We watch how your face appears to move as you jiggle your phone by typing.
There are implications for the design of electronic wallets using mechanisms such as Trustzone which enable some apps to run in a more secure sandbox. Such systems try to prevent sensitive data such as bank credentials being stolen by malware. Our work shows it’s not enough for your electronic wallet software to grab hold of the screen, the accelerometers and the gyro; you’d better lock down the video camera, and the still camera too while you’re at it. (Our attack can use the still camera in burst mode.)
We suggest ways in which mobile phone operating systems might mitigate the risks. Meanwhile, if you’re developing payment apps, you’d better be aware that these risks exist.
So start randomizing the placement of the numbers on the keypad.
How, if the sound of clicking is suppressed by the wallett app to remove the cues as to inputting, would this diminish the effectiveness of the attack?
@JD: I’m guessing not much: Even without the auditory cue, you could still tell when the user touches a “key” by a sudden jerking of the visual image.
I’m also guessing that this attack might be just as effective using the rear camera as the front. Unless the phone is resting on a solid surface, my guess is that the back of the phone would see a convenient image of a relatively static environment more conducive to edge-detection than a human face.
The idea of randomizing the position of the buttons is addressed in the paper. It hurts usability.
Security hurts usability. Period. It would be even more convenient to log in without a pin at all.