Machine Learning for PIN Side-Channel Attacks Based on Smartphone Motion Sensors

Abstract

Motion sensors are integrated into all mobile devices, providing information useful for several purposes. However, these sensor data can be read by any application and by websites accessed through a browser, without requiring security permissions. In this paper, we show that information about smartphone movements can lead to the identification of a Personal Identification Number (PIN) tapped by the user. To reduce the amount of sniffed data, we use an event-driven approach, where motion sensors are sampled only when a key is pressed. The acquired data are used to train a machine learning algorithm for the classification of the keystrokes in a supervised manner. We also consider that users insert the same PIN each time authentication is required, leading to further side-channel information available to the attacker. Numerical results show the feasibility of cyber-attacks based on motion sensors. For example, 4-digit PINs are correctly recognized at the first attempt with an accuracy of 37%, and in five attempts with an accuracy of 63%.