Mere tilt of your phone could cost you security

The latest vulnerability lurking in your smartphone — that gadget with the keys to credit cards and a mountain of private information — may rest in how you hold it. Or at least the tiny movements it picks up while you type on it.

How the GPS, accelerometer, gyroscope and other miniaturized wonders monitor the movement of the phone could reveal the Personal Identification Numbers, or PINs, and passwords you punch in.

EurekAlert, a news service of the American Association for the Advancement of Science, reports that researchers at Newcastle University in the United Kingdom have analyzed the information revealed simply by how you move your phone.

The researchers say the way users tap in a PIN or password might reveal to malicious hackers what they’ve just typed, with 70 percent accuracy on the first guess and 100 percent accuracy by the fifth guess.

That’s a window into what takes place on a smartphone, potentially opening a door to your credit card or bank accounts. The same sensors that make mobile gaming and fitness tracking possible in your palm — to shoot zombies or count the steps you take in a day — chart how the phone is moving.

For instance, tap 1,1,1 on a dialing keypad and the phone is likely to tilt ever so slightly up and to the left. Type 9,9,9 and the device tends to tilt down and to the right. Algorithms tracking the multiple sensors on your phone, the researchers suggest, can reliably pick up on the subtle differences to decipher your passwords and PINs.

“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC (near field communication), and rotation sensors and accelerometer,” said Maryam Mehrnezhad, a research fellow in the School of Computing Science at Newcastle and lead author on the paper.

“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.”

People typically worry about the privacy leaks that might come through someone commandeering their phone’s camera or microphone. Legitimate concerns. But the researchers wrote that the less obvious sensors in handsets also pick up not just your location, but how you handle the phone.

In the paper, the researchers experimented “recording the mobile device’s orientation and motion sensor data through JavaScript code. …

“Given the results in our user studies, designing a practical solution for this problem does not seem to be straightforward.”

Short-term lesson: Set your phone on the counter when you type in secret codes. Long-term lesson: We are doomed.