In the first try, they achieved an accuracy rate of 74%. By the third try, the accuracy rate rose to 94%, and by the fifth try it reached 100%.
The hack works on the principle that smartphone web browsers share data with websites that ask for it. While access to sensitive information (e.g. location, or sensors such as the device’s microphone or camera) requires explicit permission from the user, an infected website can ask for seemingly trivial information (e.g. device orientation or screen size) and receive it without the user being notified, because that data is what web pages use to be responsive and interactive.
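One lever a site operator does have is the `Permissions-Policy` response header, which controls whether the page itself and any third-party iframes it embeds may read the accelerometer, gyroscope and magnetometer (browsers that honour the header gate the `devicemotion` and `deviceorientation` events on those three features). The following is an added example, not code from the article or from the research team: a small helper that builds a deny-all header value and audits an arbitrary header to show which sensors remain readable by the page and by an embedded frame. The origins are constructed sample values, and the fallback for a feature absent from the header assumes the specification default of `self`.

```javascript
// Added example (not from the article): audit a Permissions-Policy header for
// the motion sensors that the research read without any permission prompt.
// Origins below are constructed; the default allowlist assumed for a feature
// missing from the header is 'self' (page may read, cross-origin frames may not).

const SENSOR_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer'];

// Header value that withholds all three sensors from every origin, the page included.
function buildSensorDenyPolicy(features = SENSOR_FEATURES) {
  return features.map((feature) => `${feature}=()`).join(', ');
}

// Parse 'feature=(allowlist), feature=*' into Map<feature, '*' | string[]>.
// '()' yields [], meaning nobody; list tokens are 'self' or quoted origins.
function parsePermissionsPolicy(header) {
  const policy = new Map();
  for (const directive of header.split(',')) {
    const trimmed = directive.trim();
    const eq = trimmed.indexOf('=');
    if (!trimmed || eq === -1) continue;
    const feature = trimmed.slice(0, eq).trim();
    const raw = trimmed.slice(eq + 1).trim();
    if (raw === '*') {
      policy.set(feature, '*');
      continue;
    }
    const inner = raw.startsWith('(') && raw.endsWith(')') ? raw.slice(1, -1) : raw;
    const allowlist = inner
      .split(/\s+/)
      .filter(Boolean)
      .map((token) => token.replace(/^"|"$/g, ''));
    policy.set(feature, allowlist);
  }
  return policy;
}

// May a document at `origin`, embedded in a page served from `pageOrigin`, use `feature`?
function isSensorAllowed(policy, feature, origin, pageOrigin) {
  const allowlist = policy.has(feature) ? policy.get(feature) : ['self'];
  if (allowlist === '*') return true;
  return allowlist.some((entry) =>
    entry === 'self' ? origin === pageOrigin : entry === origin
  );
}

// Report which sensor features stay readable by the page itself and by one
// embedded third-party frame under the given header value.
function auditSensorExposure(header, pageOrigin, frameOrigin) {
  const policy = parsePermissionsPolicy(header);
  const exposedTo = (origin) =>
    SENSOR_FEATURES.filter((f) => isSensorAllowed(policy, f, origin, pageOrigin));
  return { page: exposedTo(pageOrigin), frame: exposedTo(frameOrigin) };
}

// Constructed sample: a shop page embedding a third-party advertising frame.
const PAGE = 'https://shop.example';
const AD_FRAME = 'https://ads.example';

// No header at all: the page keeps default access, the ad frame gets nothing.
const withoutHeader = auditSensorExposure('', PAGE, AD_FRAME);
// Partial header: only the accelerometer is closed off, the rest stays at default.
const partialHeader = auditSensorExposure('accelerometer=(), gyroscope=(self)', PAGE, AD_FRAME);
// Deny-all header: no script on the page, first- or third-party, can read motion data.
const denyAll = auditSensorExposure(buildSensorDenyPolicy(), PAGE, AD_FRAME);

console.log(JSON.stringify({ withoutHeader, partialHeader, denyAll }, null, 2));
```

The header only protects visitors of the site that sends it; it does nothing against a page served from an attacker-controlled origin, which is why the article's point about browser vendors still stands. For a site that needs no motion data, `buildSensorDenyPolicy()` is the value to ship; for one that does, keep the allowlist to `self` so embedded frames are excluded.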
The team identified 25 different sensors that are standard features on the majority of smart devices, each providing a different kind of information about the device and its owner. Everything a user does — whether clicking, holding, scrolling or tapping — produces a distinct orientation trace, which distinguishes the way each person uses his or her phone.
According to Dr. Maryam Mehrnezhad, one of the researchers: “On some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open [another one], then they can spy on every personal detail you enter. And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.”
They also noted that phone owners were ‘far more concerned about the camera and GPS than they were about the silent sensors’, which is what makes the ‘hack’ look so innocent.
As a result, the team was able to deduce which part of a specific web page a user was clicking on and what he or she was typing.
And while they have already warned tech companies like Apple (NASDAQ:AAPL) and Google (NASDAQ:GOOGL) about the risks, so far no definite answer or concrete resolution has been provided. This is partly because there is no uniform way of managing sensors across the industry. Until someone finds a faster and more effective way of handling them, the threat will remain.
The findings were recently published in the International Journal of Information Security.