A team of researchers from the United Kingdom’s Newcastle University have demonstrated how criminals could steal your passcode simply by tracking the motion of your phone. Don’t worry, Apple issued patches last year to prevent anyone from collecting sensor data, but Android users remain at risk of having their passcodes stolen if they visit a rogue website or tap a malware link. Although Google is aware of the issue, they’re still looking into a fix.

The method relies on detecting the way a user tilts his or her phone when typing in the information. Malicious programs hosted on websites or injected into legitimate apps can covertly listen in on data collected by your phone’s numerous internal sensors and use it to discover a wide range of sensitive information about you.

And with a little bit of help from advanced machine learning algorithms, the method Newcastle University’s researchers presented can even crack four-digit PINs with a 70 percent accuracy on the first guess and 100 percent by the fifth guess.

TIP: Secure your iOS devices with 6-digit passcode

Each person’s phone creates distinct movement patterns.

To understand these patterns, researchers have trained an artificial neural network with data collected from people who type in passcodes to access various accounts.

According to lead author Dr. Maryam Mehrnezhad:

Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.

But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

Researchers are now assessing if motion data produced by fitness trackers and wearable devices like Apple Watch—including data about the slightest wrist movements as well as general physical activities such as sitting, walking, running and different forms of commute—could pose a risk to your privacy.

As mentioned, Apple issued a patch for this last year as part of iOS 9.3.

If you’d like to learn more about the vulnerability, read the white paper.

Source: Newcastle University (1), (2) via Engadget