a photo of a man on. his smartphon entering a pin code

Your phone's pin code can be hacked using its own sensors

Researchers have found a new way to crack into a smartphone — using the device's sensors.

Recording how an Android smartphone reacts when buttons are pushed to enter a pin code, researchers at Nanyang Technology University, Singapore (NTU Singapore) found that information could point to specific numbers. That detail then worked to unlock phones—99.5 percent of the time within three attempts.

Recording three people entering 70 four-digit number sequences randomly, researchers then applied machine learning to the data to predict the pin codes for the Android smartphones. The team tapped six sensors, including the accelerometer, gyroscope, barometer, ambient light sensor, magnetometer, and proximity sensor. The researchers noted that the accelerometer and the gyroscope provided the best information.

Monitoring data from an Android phone's six sensors, researchers guessed a four-digit code with near 100 percent accuracyNTU Singapore

"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9," says Shivam Bhasin, the lead researcher on the project.

Previously, researchers at Newcastle University in the UK were able to accurately predict a smartphone's pin codes using sensors about 70 percent of the time. Researchers at NTU Singapore say they've upped that — hitting 10,000 four-digit combinations every time.

Malicious apps installed on smartphones and recording this sensor data could theoretically use the information to hack into devices. NTU Singapore researchers suggest using pin codes with more than four digits and backup systems such as facial or fingerprint authentication. But ultimately, they warn that smartphone makers must find new ways to lock down data that can be retrieved from sensors.

"Limiting the maximum operating frequency of the sensors can reduce the attack feasibility," researchers write in their paper. "Alternatively, disabling sensors while sensitive operations like PIN entry can also prevent such attacks. However, these are just temporary fixes, and smartphone sensor access must be rethought, in general."