Cambridge security researchers have been hacking smartphone passwords using the devices' own cameras and microphones. Laurent Simon and Ross Anderson at the University of Cambridge used an app they called "PIN Skimmer" to capture passwords as they were entered into a Samsung Galaxy S3 and a Google Nexus S, both of which use number-only soft keyboards.
The PIN Skimmer can tell when you're tapping keys by "listening" to clicks via the phone's microphone. It correlates this with a recording of your face through the camera, then analyzes how the orientation of the phone changes from tap to tap. That tells it which part of the screen you're touching—i.e. which number you're pressing.
This kind of attack is known as a "side channel attack," which means it uses the physical properties of the phone. According to the researchers' paper, previous studies have used a phone's accelerometer and gyroscope to collect PINs, but theirs is the first to work with the camera and microphone. When they tested PIN Skimmer with a set of 50 potential four-digit passwords, they found it correctly inferred 30 percent of PINs after two attempts, and more than 50 percent after five attempts. It's worth keeping in mind an iPhone lets you have ten attempts to get your code right. "It did surprise us how well it worked," Anderson, one of the study's authors, told the BBC.
You might argue that a set of 50 PINs is hardly realistic of the infinite number combinations people could choose to lock their phones. That's true in theory, but the researchers point out that most people don't choose their passwords randomly, and the 20 most common four-digit PINs represent about 27 percent of user-selected PINs. If you're still using 1-2-3-4, it might be time for a change.
And using a longer PIN (if your phone allows it) is also no great help against the PIN Skimmer program. In fact, when test sets of 200 passwords were used, it correctly guessed more eight-digit PINs than four-digit PINs after five attempts. That's because the longer the PIN, the more information the program has to work with, and the less likely it is to confuse one password with another.