If you don’t trust wearable devices, then you weren’t being paranoid as new research proved how smartwatches and fitness trackers, which are recording your movements, can be exploited by attackers to steal your ATM PIN or password.
Yan Wang, an assistant professor of computer science at the Thomas J. Watson School of Engineering and Applied Science at Binghamton University, won’t wear a smart watch. “It knows too much,” he told IEEE Spectrum.
Wang should know. When he was a graduate student at the Stevens Institute of Technology he was one of five researchers on a team lead by Yingying Chen who developed a technique which combined data from embedded sensors in wearables with an algorithm; it could crack PINS and passwords with an 80% accuracy in just one try. After three tries, they achieved a 90% accuracy.
He admitted, “At the beginning, I thought this would be science fiction, but it can actually be done. There are just so many sensors on these wearable devices. It provides sufficient information of your hand movements.”
Over an 11-month period, the researchers ran 5,000 key-entry tests on three key-based security systems; they determined there is a “serious security breach of wearable devices in the context of divulging secret information (i.e., key entries).”
By using data from “accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose,” the researchers could record a hand’s fine-grained movements. Then they used their “Backward PIN-sequence Inference Algorithm” to crack the codes with “alarming accuracy.” This is the first technique to reveal personal PINs using wearable devices without needing contextual clues about the keypad.
The research paper, “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” won “Best Paper Award” at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security.
“Wearable devices can be exploited,” Wang warned.
According to the Binghamton University news release, Wang added:
“The threat is real, although the approach is sophisticated. There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim's PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.”
There are not enough robust security measures in wearables and the researchers did not come up with a solution to the problem. They suggested better encryption between wearable devices and host operating systems. They also believe developers could “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.”
If you don’t want to give up your wearable, but you also don’t want it spying on your PIN and passwords, then Wang advised moving your hand around randomly in-between key clicks when entering your PIN as that would mask the data. “It may look weird, but it helps,” he said. “If you’re just moving from key to key, we can track that.”