Wearable devices can give away your passwords, according to new research.
In the paper “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” scientists combined data from embedded sensors in wearable technologies, such as smartwatches and fitness trackers, with a computer algorithm.
They cracked private PINs and passwords with 80-percent accuracy on the first try and more than 90-percent accuracy after three tries.
“Wearable devices can be exploited,” said a researcher.
“Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.”
“This was surprising, even to those of us already working in this area,” says the lead researcher Chen, a multiple-time National Science Foundation (NSF) awardee.
“It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”
In extensive real experiments, the team recorded millimeter-level information about fine-grained hand movements from the accelerometers, gyroscopes and magnetometers inside the wearable technologies, regardless of the hand’s pose.
Those measurements yield distance and direction estimates between consecutive keystrokes, which the team’s “Backward PIN-sequence Inference Algorithm” used to break codes with alarming accuracy without context clues about the keypad.
According to the research team, this is the first technique that reveals personal PINs by exploiting information from wearable devices without the need for contextual information.
The findings are an early step in understanding security vulnerabilities of wearable devices.
Even though wearable devices track health and medical activities, their size and computing power don’t allow for robust security measures, which makes the data within more vulnerable to attack.
The team is working on countermeasures for the problem in the current research.
An initial approach is to “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.”
The team also suggests better encryption between the wearable device and the host operating system.
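The noise-injection countermeasure described above, as an added simulation that is not code from the paper or the research team: it compares a coarse fitness feature (step count) with a fine one (distance from double-integrated acceleration) before and after noise is added. The Gaussian noise type and its level, the 50 Hz sample rate, the sine-shaped walking and hand-move signals, and the simple step counter are all assumptions made for illustration.

```python
import math
import random

DT = 1.0 / 50    # sample period in seconds, i.e. 50 Hz sampling (assumed)

def walking(seconds=10, step_hz=2.0, amp=3.0):
    """Constructed wrist acceleration while walking: one sine cycle per step."""
    return [amp * math.sin(math.tau * step_hz * i * DT) for i in range(round(seconds / DT))]

def hand_move(distance=0.04, n=20):
    """Constructed acceleration for a 4 cm hand move over n samples (0.4 s)."""
    amp = distance * math.tau / (n * DT) ** 2
    return [amp * math.sin(math.tau * k / n) for k in range(n)]

def add_noise(samples, sigma, rng):
    """Countermeasure under test: zero-mean Gaussian noise (assumed noise type)."""
    return [s + rng.gauss(0.0, sigma) for s in samples]

def count_steps(samples, window=10, threshold=1.0):
    """Coarse feature: smooth, then count rises above +threshold with hysteresis."""
    steps, armed = 0, True
    for i in range(window - 1, len(samples)):
        avg = sum(samples[i - window + 1:i + 1]) / window
        if armed and avg > threshold:
            steps, armed = steps + 1, False
        elif not armed and avg < -threshold:
            armed = True   # re-arm only after a full swing below -threshold
    return steps

def displacement(samples):
    """Fine feature: double-integrate acceleration into distance moved (metres)."""
    v = x = 0.0
    for a in samples:
        v += a * DT
        x += v * DT
    return x

def rms_displacement_error(sigma, trials=200, seed=1):
    """RMS error of the distance estimate over many noisy recordings."""
    rng, clean = random.Random(seed), hand_move()
    errs = [displacement(add_noise(clean, sigma, rng)) - displacement(clean) for _ in range(trials)]
    return math.sqrt(sum(e * e for e in errs) / trials)

def compare(sigma=1.0, seed=7):
    """Return (steps without noise, steps with noise, distance RMS error in metres)."""
    noisy = add_noise(walking(), sigma, random.Random(seed))
    return count_steps(walking()), count_steps(noisy), rms_displacement_error(sigma)

if __name__ == "__main__":
    print(compare())
```

Independent zero-mean noise averages down when the same movement is observed repeatedly, so the noise level has to be evaluated against that as well as against the fitness features.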
Citation: Chen Wang, et al. (2016). Friend or Foe? Your Wearable Devices Reveal Your Personal PIN. ASIA CCS ’16 Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. DOI: 10.1145/2897845.2897847.