Smartwatches and fitness trackers can be easily exploited by cyber criminals to steal a user’s PIN number thanks to the motion-sensing data they generate, warns a study conducted by a team from the department of electrical and computing engineering at the Stevens Institute of Technology and Binghamton University in New York State.
The team combined wearable sensor data harvested from more than 5,000 key entry traces made by 20 adults with an algorithm they created to infer key entry sequences based on analyzing hand movements, applying the technique to different types of keypads (including ATM-style and Qwerty keypad variants) and using three different wearables (two smartwatches and a nine-axis motion-tracking device).
The result? They were able to crack PINs with 80 percent accuracy on the first attempt and more than 90 percent accuracy after three tries.
"Wearable devices can be exploited. Attackers can reproduce the trajectories of the user's hand and recover secret key entries to ATM cash machines, electronic door locks, and keypad-controlled enterprise servers," said one of the researchers, Yan Wang from Binghamton University.
Here is an excerpt from the research paper:
In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user’s fine-grained hand movements, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries. In particular, our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user’s hand between consecutive key entries regardless of the pose of the hand. Our Backward PIN-Sequence Inference algorithm exploits the inherent physical constraints between key entries to infer the complete user key entry sequence.
The attack method doesn’t require a hacker to be nearby when a person inputs his/her PIN. Rather, the necessary data packets could be stolen by a wireless sniffer placed close to a keypad to capture Bluetooth packets being sent from the wearable to a smartphone, or by malware installed on the wearable or smartphone that intercepts the data and sends it on to the attacker.
And while most PIN numbers are just a handful of digits, the team believes the technique could actually be used to power a full keylogger. “This can be extended to snoop keystrokes and interpret people’s passwords or what has been typed,” professor Yingying Chen, another of the researchers involved in the project, told TechCrunch. “We have another research project about this.”
Chan and Chen do have a solution. One way to avoid the risk of your smartwatch or fitness bangle leaking your PIN to a determined hacker is to input the digits with your other, non-wearable-wearing hand. Chen confirmed this would prevent the technique from working.
An alternative strategy for those who do wear a wearable on the hand they enter PINs and passwords with is to add some ‘noise’ to the operation by randomly jerking their hand between key presses, said Wang.
Fixing the vulnerability at source would require wearable manufacturers to better secure the sensing data being generated by the devices, according to Wang. He added they could also obscure the signal being leaked by the sensors by injecting noise into the data so it could not be so easily reverse engineered.
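The noise-injection mitigation Wang describes can be illustrated with a simplified one-dimensional model, added here as an example that is not code from the study. It uses plain double integration of acceleration rather than the paper's Backward PIN-Sequence Inference algorithm, and the key spacing, sample rate, movement profile, Gaussian noise model and noise levels are all constructed assumptions.

```python
import math
import random

KEY_PITCH_M = 0.019   # constructed: assumed spacing between adjacent keys
SAMPLE_HZ = 100       # constructed: assumed sensor sample rate
MOVE_SECONDS = 0.4    # constructed: assumed duration of one key-to-key movement


def synthetic_move(distance_m=KEY_PITCH_M):
    """Constructed acceleration trace (m/s^2) for a smooth move of distance_m."""
    n = round(SAMPLE_HZ * MOVE_SECONDS)
    peak = 2 * math.pi * distance_m / MOVE_SECONDS ** 2
    return [peak * math.sin(2 * math.pi * k / n) for k in range(n + 1)]


def integrate(samples, dt):
    """Cumulative trapezoidal integral, starting from zero."""
    out = [0.0]
    for prev, cur in zip(samples, samples[1:]):
        out.append(out[-1] + 0.5 * (prev + cur) * dt)
    return out


def estimate_distance(accel):
    """Distance an observer recovers by integrating acceleration twice."""
    dt = 1.0 / SAMPLE_HZ
    return integrate(integrate(accel, dt), dt)[-1]


def inject_noise(accel, sigma, rng):
    """Mitigation sketch: add zero-mean Gaussian noise before samples leave the device."""
    return [a + rng.gauss(0.0, sigma) for a in accel]


def mean_abs_error_mm(sigma, trials=200, seed=1):
    """Average distance error (mm) an observer sees at a given noise level."""
    rng = random.Random(seed)
    clean = synthetic_move()
    errors = [abs(estimate_distance(inject_noise(clean, sigma, rng)) - KEY_PITCH_M)
              for _ in range(trials)]
    return 1000 * sum(errors) / trials


if __name__ == "__main__":
    for sigma in (0.0, 0.3, 3.0):  # constructed noise levels, m/s^2
        print(f"sigma={sigma:>4} m/s^2 -> mean error {mean_abs_error_mm(sigma):6.2f} mm "
              f"(key pitch {KEY_PITCH_M * 1000:.0f} mm)")
```

In this constructed model the 0.3 m/s^2 noise level leaves the distance error well under one key spacing, while the 3.0 m/s^2 level pushes it past the key spacing, so the amount of injected noise decides whether adjacent keys stay distinguishable.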