QIF-T0087

high

Accelerometer keystroke inference (touchscreen tap localization for PIN/password recovery)

Tier 2 — Validated (Independently Replicated)

Legacy status: CONFIRMED

When a user taps on a touchscreen, the phone tilts slightly depending on the tap location relative to the device's center of mass. The accelerometer and gyroscope capture these micro-tilts, and the pattern differs for each key position on the virtual keyboard. Owusu et al. (2012) demonstrated 4-digit PIN recovery from accelerometer data alone, and Miluzzo et al. (2012) showed that tap signatures are consistent enough for user identification. The attack works because: (1) different screen positions produce distinct tilt vectors, (2) typing rhythm provides temporal constraints, and (3) language models constrain character sequences. Combined with acoustic keystroke inference (T0083), the multi-modal approach achieves near-perfect accuracy. Since motion sensor access traditionally required no permission, any app could silently capture PIN entry.

Technique Details

Tactic: QIF-S.HV
Status: CONFIRMED
Bands: S1, S2, S3

✚ Therapeutic Application

Accelerometer and gyroscope capture micro-tilt patterns from touchscreen taps; ML models localize tap positions to recover PINs, passwords, and typed text

Neural Impact

3 of 7 neural bands affected

S1 S2 S3

Drag to rotate. Click a region to learn more.

Click or hover over a glowing region to see the attack techniques targeting it and their severity.

Scoring

NISS v1.1 NISS:1.1/BI:N/CR:N/CD:N/CV:I/RV:F/NP:N

CVSS v4.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

2.0Low

Governance

Neurorights at Risk

This technique threatens 1 of the 4 proposed neurorights (Ienca & Andorno, 2017).

MP Mental Privacy

Consent Complexity

0.12 / 4.0

FDORA §3305 Compliance

Cyber Device

Regulatory Coverage

0.5 / 1.0

524B Requirements

TM VA SBOM SA PM

Regulatory Gaps

! No FDA pathway for consumer sensor exploitation
! Software-only attack without software lifecycle standard (IEC 62304)

Population Vulnerability

CRB vulnerability adjustment (γ=0.30) accounts for age, diagnosis severity, consent capacity, and device dependency.

Population	NISS Base	Adjusted	Severity	Delta
Adult (Default)	2.0	2.0	Low	-
Child (10yr) + ADHD	2.0	2.4	Low	+0.35
Adult with ALS	2.0	2.3	Low	+0.32

Validation Status

Theoretical / Not yet validated. This technique has not been independently tested. See the validation dashboard for what has been tested.

Qinnovate Neural Security Atlas Edit this on GitHub