Smartwatches, fitness trackers and other wearable devices may be giving away your bank PIN, new research has warned. Researchers at Binghamton University, New York claim that data from sensors embedded in wearable devices can be used to track hand movements which, when combined with computer algorithms, can be used to crack passwords with more than 90% accuracy.
Scientists at the university found that accelerometers, gyroscopes and magnetometers contained in wearable devices could potentially be targeted by hackers to track movement data. This data could then be reproduced to track the trajectory of users' hand movements at cashpoints, electronic door locks and similar keypad-based control systems to ascertain the access code.
Such an attack could be carried out in two ways, known as "internal" and "sniffing" attacks. In the first scenario, hackers could access the device sensors through malware, which sends back data when the victim enters a PIN or password. A "sniffing" attack would involve placing a device used for intercepting data over a wireless network near a keypad-based security system, which would then "eavesdrop" on the wearable's sensor data and send it back to the attacker via Bluetooth.
To demonstrate their theory, the researchers conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a variety of wearable devices. The team was able to record "millimetre-level" hand movement information from the device sensors, giving them the measurements needed to estimate the distance and direction between keystrokes.
This was then passed through the scientists' Backward PIN-sequence Inference Algorithm, which they say was able to break codes "with alarming accuracy without context clues about the keypad". So accurate, in fact, that the team claims the algorithm was able to guess passwords with 80% accuracy on the first try and more than 90% accuracy after three tries.
Yan Wang, assistant professor of computer science at Binghamton University and co-author of the study, said that while the threat was a real one, such attacks were "sophisticated", meaning they would need a high degree of technical know-how to carry out successfully.
The researchers hope the findings will offer an early step in understanding security vulnerabilities of wearables. While they haven't proposed a solution to the vulnerability, they suggested that some sort of interference could be applied to movement data in wearable devices so that minute hand movements cannot be tracked, while the data remains useful for tracking fitness activity.
In another study on device security this week, researchers in the US demonstrated how smartphones could potentially be hijacked using voice commands hidden in YouTube videos.