PIN Skimmer: Inferring PINs Through The Camera and Microphone | Simon, Anderson

Laurent Simon, Ross Anderson; PIN Skimmer: Inferring PINs Through The Camera and Microphone; In Proceedings of 3rd Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM); 2013-11-08; 12 pages.


Today’s smartphones provide services and uses that required a panoply of dedicated devices not so long ago. With them, we listen to music, play games or chat with our friends; but we also read our corporate email and documents, manage our online banking; and we have started to use them directly as a means of payment. In this paper, we aim to raise awareness of side-channel attacks even when strong isolation protects sensitive applications. Previous works have studied the use of the phone accelerometer and gyroscope as side channel data to infer PINs. Here, we describe a new side-channel attack that makes use of the video camera and microphone to infer PINs entered on a number-only soft keyboard on a smartphone. The microphone is used to detect touch events, while the camera is used to estimate the smartphone’s orientation, and correlate it to the position of the digit tapped by the user. We present the design, implementation and early evaluation of PIN Skimmer, which has a mobile application and a server component. The mobile application collects touch-event orientation patterns and later uses learnt patterns to infer PINs entered in a sensitive application. When selecting from a test set of 50 4-digit PINs, PIN Skimmer correctly infers more than 30% of PINs after 2 attempts, and more than 50% of PINs after 5 attempts on android-powered Nexus S and Galaxy S3 phones. When selecting from a set of 200 8-digit PINs, PIN Skimmer correctly infers about 45% of the PINs after 5 attempts and 60% after 10 attempts. It turns out to be difficult to prevent such side-channel attacks, so we provide guidelines for developers to mitigate present and future side-channel attacks on PIN input.


  • Samsung KNOX
  • BlackBerry Enterprise Service 10
  • Xen project
  • Okl4 microvisor Open kernel labs.
  • Trustzone: ARM
  • Google Play
  • App store for Android,
  • Alcatel club games free download of games for Android.
  • Gfan
  • eoemarket
  • T. Anscombe; Social engineering still biggest threat to consumers; In Their Blog; 2012-07.
  • R. Naraine; Android drive-by download attack via phishing sms; In ZDNet; 2012-02.
  • D. Goodin; Android users targeted in drive-by download attacks; In Ars Technica; 2012-05.
  • J. Leyden; That square qr barcode on the poster? check it’s not a sticker; In The Register; 2012-12.
  • California prosecutors push for anti-phone theft moves; undated.
  • J. Davenport, W. Gant; iphone muggers on bikes plague london; In The Standard; 2012-11.
  • S. Das, L. Green, B. Perez, and M. Murphy, “Detecting User Activities Using the Accelerometer on Android Smartphones,” 2010.
  • R. Templeman, Z. Rahman, D. Crandall, and A. Kapadia, “PlaceRaider: Virtual theft in physical spaces with smartphones”; In Proceedings of The 20th Annual Network and Distributed System Security Symposium (NDSS); 2013-02.
  • Facetime “The easiest way to call face-to-face.”
  • Skype “Video chat – free online video calls – video calling – skype.”
  • Tor project
  • L. Constantin; Pushdo botnet is evolving, becomes more resilient to takedown attempts; In PC World; 2013-05.
  • “Rageagaisntthecage.”
  • Giesecke, Devrient; Creating Confidence
  • Z. Yaniv; Random Sample Consensus (RANSAC) Algorithm, A Generic Implementation; 2010-10.
  • G. Roth; Homography; Lecture Notes, Comp 4900d; Carleton University, 2013.
  • OpenCv; Willow Garage
  • A. Zisserman; The SVM classifier; Lecture 2; Oxford University; 2013.
  • LibSvm A Library for Support Vector Machines.
  • Weka 3: Data mining software in Java.
  • J. Bonneau, S. Preibusch, and R. Anderson, “A birthday present every eleven wallets? The security of customer-chosen banking PINs”; In Proceedings of FC ’12: The 16th International Conference on Financial Cryptography and Data Security; 2012-03.
  • J. Koetsier; “Pin Analysis”; 2013-09.
  • Alertdialog; In Android Developers Documentation
  • Sensor; In Android Developers Documentation.
  • C. Cachin, Entropy measures and unconditional security in cryptography; PhD Thesis, ETH Zurich, 1997.
  • S. Brostoff and M. A. Sasse, ““ten strikes and you’re out”: Increasing the number of login attempts can improve password usability”; In Proceedings of the CHI Workshop on HCI and Security Systems; John Wiley; 2003.
  • F. Stajano, “Pico: no more passwords!,” in Proceedings of the 19th International Conference on Security Protocols (SP’11); Berlin, Heidelberg; pp. 49–81, Springer-Verlag, 2011.
  • O. Riva, C. Qin, K. Strauss, and D. Lymberopoulos, “Progressive authentication: deciding when to authenticate on mobile phones”; In Proceedings of the 21st USENIX conference on Security Symposium (Security’12); Berkeley, CA, USA; pp. 15–15, USENIX Association, 2012.
  • S. Maggi, A. Volpatto, S. Gasparini, G. Boracchi, and S. Zanero, “Poster: fast, automatic iphone shoulder surfing,” in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS ’11); New York, NY, USA; pp. 805–808, ACM, 2011.
  • R. Raguram, A. M. White, D. Goswami, F. Monrose, and J.-M. Frahm; “ispy: automatic reconstruction of typed input from compromising reflections”; In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS ’11); New York, NY, USA; pp. 527–536, ACM; 2011.
  • A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith, “Smudge attacks on smartphone touch screens,” in Proceedings of the 4th USENIX Conference on Offensive Technologies, WOOT’10, pp. 1–7, USENIX Association, 2010.
  • P. Marquardt, A. Verma, H. Carter, and P. Traynor, “(sp)iphone: decoding vibrations from nearby keyboards using mobile phone accelerometers,” in Proceedings of the 18th ACM conference on Computer and communications security, CCS ’11, (New York, NY, USA), pp. 551–562, ACM, 2011.
  • Z. Xu, K. Bai, and S. Zhu, “Taplogger: inferring user inputs on smartphone touchscreens using on-board motion sensors” In Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (WISEC ’12); New York, NY, USA; pp. 113–124, ACM; 2012.
  • L. Cai and H. Chen, “Touchlogger: inferring keystrokes on touch screen from smartphone motion”; In Proceedings of the 6th USENIX Conference on Hot Topics in Security (HotSec’11); Berkeley, CA, USA; pp. 9–9, USENIX Association; 2011.
  • L. Cai and H. Chen, “On the practicality of motion based keystroke inference attack”; In Proceedings of the 5th international conference on Trust and Trustworthy Computing (TRUST’12); Berlin, Heidelberg; pp. 273–290, Springer-Verlag; 2012.
  • A. J. Aviv, B. Sapp, M. Blaze, and J. M. Smith, “Practicality of accelerometer side channels on smartphones”; In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC ’12); New York, NY, USA; pp. 41–50, ACM; 2012.
  • E. Miluzzo, A. Varshavsky, S. Balakrishnan, R. R. Choudhury; “Tapprints: your finger taps have fingerprints”; In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys ’12); New York, NY, USA; pp. 323–336, ACM; 2012.

Via: backfill, backfill


Docker Logo


  • Linux
  • lxc, Linux Container management scripts.
  • AuFS, a copy-on-write union filesystem.
  • Go, a programming language.
  • Ubuntu is the “native culture”, all others use an Ubuntu VM.