Under the right conditions, hackers could theoretically exploit a built-in feature in smartphones to steal passwords and PINs, and it all comes down to the tilt users employ and the way they type, the Guardian reports. In a study published in the International Journal of Information Security, Newcastle University researchers note that most smart devices today come crammed with various sensors, from GPS to orientation and rotation features, but malicious sites and apps don't need to get user permission to gain access to many of these sensors—meaning they may "covertly 'listen in' on your sensor data," and from there pick up on your "touch actions," such as the PINs and passwords you type in, computer science expert Maryam Mehrnezhad says in a press release.
The way users clicked, scrolled, and tapped on the devices, as well as the way they held them, resulted in a "unique orientation and motion trace," which allowed researchers to figure out what a user was typing on certain websites. Co-author Siamak Shahandashti compares it to a jigsaw puzzle: "The more pieces you put together, the easier it is to see the picture." In the end, the scientists hit a 70% accuracy rate on the first try when trying to figure out users' four-digit PINs; that number jumped to 100% after five tries. The researchers, who have informed Google and Apple of their findings, note that most users are more concerned about hackers gaining access to tools like a phone's camera or GPS, but this study shows there is reason to be concerned about a device's seemingly innocuous sensors as well. (Snowden's plan for "compromised" phones.)