Guessing Your PIN Right: Unlocking Smartphones with Publicly Available Sensor Data

Abstract

Modern day smartphones act as daily companions playing a crucial role in tasks far beyond communication. Equipped with various motion and health sensors, private information is continuously processed, while it can be accessed without asking for special permission. In this paper, we show how the permissionless sensor data can be used to reconstruct one's secret PIN for unlocking the phone or gaining access to one's bank account. Harvesting the power of machine learning algorithms, we present a practical attack able to classify all 10,000 possible PIN combinations. Results show up to 83.7% success within 20 tries. Compared to state of the art reporting 74% success on a reduced space of 50 chosen PINs, we report 99.5% success with a single try in a similar setting.