Smartwatches or fitness trackers can give away your passwords and PIN numbers to hackers, according to scientists who, for the first time, combined data from the embedded sensors found in wrist-worn wearables, such as smartwatches and fitness trackers, to crack private PINs with up to 90 per cent accuracy.
The researchers from Binghamton University and the Stevens Institute of Technology in the US have developed a proprietary computer algorithm that can guess PINs and passwords with remarkable accuracy based solely on motion data to match them with the layout of typical key entry pads.
In doing so, they were able to successfully crack private PINs and passwords with 80-percent accuracy on the first try, and that figure climbed to more than 90-percent accuracy after three tries.
Yan Wang, assistant professor of computer science within the Thomas J. Watson School of Engineering and Applied Science at Binghamton University and a co-author of the study “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” said wearables can be exploited with the right equipment, allowing hackers to uncover more or less any secret combination by reproducing the trajectories of what the wearer has manually entered on a keypad and thereby recovering the sequence of buttons pressed at an ATM or electronic door lock. Even passwords typed on a keyboard are not considered safe, provided the attackers' algorithm is advanced enough.
The research team recorded millimetre-level information on hand movements from the accelerometers, gyroscopes, and magnetometers inside the wearable devices to monitor how the wearer's wrist moved, whether tapping a PIN at a cash point or entering a Facebook password on a phone. The internally developed backward PIN-sequence inference algorithm then turns that data into PINs with high accuracy, without any context clues about the keypad.
Although the technique is very advanced, the threat is very real and could compromise the wearer's security, Wang said.
According to Wang, two attack scenarios are achievable. The first, called an internal attack, involves malware being installed on the wrist-worn smartwatch or fitness tracker, with the captured motion data then sent back to the hacker to determine a PIN or password. Alternatively, the hacker can perform a sniffing attack, placing a wireless sensor near a key-based security system; the sensor can intercept the data sent over Bluetooth between the user's wearable and a paired smartphone.
The research team conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a range of technologies for over 11 months. The findings are just the first step in understanding security vulnerabilities of wearable devices.
Researchers on the project said they don't have a solid solution at the moment to prevent the attack, but recommended that developers insert noise data, which would make it difficult to garner usable motion data. Another idea, they said, would be to enhance encryption to prevent sniffers from succeeding.
Or, maybe users could just enter PINs and other private data using the other hand.
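To make the noise-injection recommendation concrete, here is an added worked example that is not part of the article or the study. It uses a deliberately simplified model: a constructed one-dimensional accelerometer trace for a single wrist "hop" between two keys, naive double integration as a stand-in for trajectory reconstruction (the study's backward inference algorithm is more sophisticated), and assumed values for the sample rate (100 Hz) and key pitch (19 mm). The closed-form error formula shows why even modest sensor noise, once integrated twice over the several seconds a PIN entry takes, swamps the millimetre-level precision the attack relies on, and how a developer could size the noise to a target uncertainty.

```python
"""Simplified model of why injecting noise into wrist-motion data blunts
PIN inference.  Constructed example: the acceleration trace, sample rate
and key pitch are assumptions, not data from the study."""
import math
import random

SAMPLE_RATE_HZ = 100          # assumed wearable sampling rate
DT = 1.0 / SAMPLE_RATE_HZ
KEY_PITCH_M = 0.019           # assumed centre-to-centre ATM key spacing (19 mm)


def hop_acceleration(distance_m: float, duration_s: float) -> list[float]:
    """Constructed 1-D acceleration trace for a wrist moving `distance_m`
    between two keys in `duration_s`: accelerate for the first half, brake
    for the second half, ending at rest."""
    n = round(duration_s / DT)
    half = n // 2
    a = 4.0 * distance_m / duration_s ** 2
    return [a] * half + [-a] * (n - half)


def integrate_displacement(accel: list[float], dt: float = DT) -> float:
    """Double-integrate an acceleration trace (semi-implicit Euler) to get net
    displacement from rest.  This naive trajectory reconstruction stands in
    for the inference step that injected noise is meant to defeat."""
    v = 0.0
    x = 0.0
    for a in accel:
        v += a * dt
        x += v * dt
    return x


def add_gaussian_noise(accel: list[float], sigma: float, rng: random.Random) -> list[float]:
    """Defender-side mitigation: perturb each sample with zero-mean Gaussian
    noise of std `sigma` (m/s^2) before the data leaves the sensor pipeline."""
    return [a + rng.gauss(0.0, sigma) for a in accel]


def _sum_squares(n: int) -> float:
    return math.sqrt(sum(k * k for k in range(1, n + 1)))


def predicted_displacement_std(sigma: float, n: int, dt: float = DT) -> float:
    """Closed form: double Euler integration of n samples of white noise gives
    a displacement error with std sigma * dt^2 * sqrt(sum_{k=1..n} k^2).
    Note the error grows roughly as n^1.5, so longer windows amplify noise."""
    return sigma * dt ** 2 * _sum_squares(n)


def noise_for_target_std(target_std_m: float, n: int, dt: float = DT) -> float:
    """Invert the closed form: the noise std a developer must inject so that a
    reconstructed displacement over n samples is uncertain by `target_std_m`."""
    return target_std_m / (dt ** 2 * _sum_squares(n))


def empirical_displacement_rms(accel: list[float], sigma: float,
                               trials: int = 300, seed: int = 0) -> float:
    """Monte-Carlo check of the closed form: RMS displacement error across
    independent noisy copies of the same clean trace (seeded for repeatability)."""
    rng = random.Random(seed)
    clean = integrate_displacement(accel)
    sq = 0.0
    for _ in range(trials):
        noisy = integrate_displacement(add_gaussian_noise(accel, sigma, rng))
        sq += (noisy - clean) ** 2
    return math.sqrt(sq / trials)


if __name__ == "__main__":
    hop = hop_acceleration(0.015, 0.3)          # 15 mm hop in 0.3 s
    print(f"clean reconstruction: {integrate_displacement(hop) * 1000:.2f} mm")
    sigma = 1.0
    print(f"predicted error std at sigma={sigma} m/s^2: "
          f"{predicted_displacement_std(sigma, len(hop)) * 1000:.2f} mm")
    print(f"empirical RMS error: {empirical_displacement_rms(hop, sigma) * 1000:.2f} mm")
    # How much noise is needed for half-a-key uncertainty over windows of
    # increasing length?  The longer the attacker must integrate, the less.
    for window_s in (0.3, 2.0, 5.0):
        n = round(window_s / DT)
        print(f"noise for half-key-pitch uncertainty over {window_s}s: "
              f"{noise_for_target_std(KEY_PITCH_M / 2, n):.3f} m/s^2")
```

The design point is that noise sufficient to hide a single key hop is large compared with the genuine hand acceleration, but over a full PIN-entry window of a few seconds the required noise shrinks to a small fraction of that, because double integration accumulates error much faster than it accumulates signal. The model ignores gyroscope and magnetometer channels and any filtering the attacker might apply, so treat the numbers as an order-of-magnitude illustration of the recommendation, not a calibrated defence.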