This article was first published as a part of the cover story in the February 2018 issue of Digit magazine.
It is not always technical wizardry that results in a system getting pwnd. One by one, we are going to show you how all the security features on a smartphone can be compromised by physical attacks. All it takes is a little ingenuity and a knack for creatively working around obstacles, or jugaad as we know it.
Shoulder surfing is one of the oldest low-tech hacking methods around. To compromise a system, all you need to do is look over the shoulder of the operator and track the login details being typed out. As smartphones are used in public spaces, it is trivially simple to get the login details for, say, a net banking account. Keying in sensitive information in public spaces or while commuting is as good as leaving the door open and going on vacation. Even if no one is actively out to do anything wrong, they may get the idea just by seeing you enter the information. If an iPhone thief comes to know your passcode before flicking the device, it’s game over for you. This is because the latest software update that Apple has rolled out chooses convenience for the user over security. The thief can change the password for the Apple ID, access the iCloud data and easily tackle the two-factor authentication. The thief can then remotely wipe the data of all your other Apple devices as well. Details of banking accounts, PINs, passwords to gaming apps and details for email accounts are all kinds of sensitive information that you are better off not feeding into your smartphone in a public area.
Say a thief has stolen your device but does not know the PIN or unlocking pattern. There is still a method to access the device and disable the security measures, such as GPS tracking or remote wiping of data. Researchers from the University of Pennsylvania have demonstrated a technique which uses one of the fundamental side effects of touchscreen use. Human fingers have oily skin, and touchscreen use leaves behind smudges. The technique is known as a smudge attack and involves deciphering the password sequence by photographing the smudges on a device in ideal lighting conditions. The smudges show not only the touchpoints of the password pattern, but also the swipe patterns. The attack method works even after other apps have been used on the same screen, and even after the screen has come into contact with clothing. The passwords are used so frequently that the underlying patterns remain on the screen. The pattern passwords on Android devices are particularly susceptible to this kind of attack. The team is going on to study human approaches to pattern selection, as well as the heat trails left on the screens by the movement of fingers, to further improve their methods.
While some of the newer devices have done away with fingerprint sensors, a number of phones still use the finger to authenticate access to a device. All an attacker needs to access the device is a high-resolution photo of your finger or a fingerprint lifted from one of the objects you have touched. This data can then be used to 3D print a high-resolution version of your finger, which can be used to access the device. A team of researchers from Michigan State University has demonstrated the technique on all kinds of fingerprint sensors on phones: optical, capacitive and ultrasonic.
Facial recognition is another new biometric authentication feature in smartphones. OnePlus does not encourage using facial recognition for sensitive applications, such as online payments. Face ID on the Apple iPhone X has been fooled with a 3D printed mask of the person. The most sophisticated technologies in the world are susceptible to extremely mundane attacks.