Do you wear a smartwatch or fitness tracker on that same wrist? If you do, then you’d better read the research results released by a group of scientists from Binghamton University.
Researchers at Binghamton University, together with the Stevens Institute of Technology, have been examining ways in which the sensors in wearable technology could help hackers crack our private PIN codes and passwords.
In their paper, “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN”, the experts reveal how they were able to record fine-grained movements from the sensors embedded in wearable fitness tracking devices and then, with the aid of a computer algorithm, determine the likely PIN code or security password entered:
“In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user’s fine-grained hand movements, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries. In particular, our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user’s hand between consecutive key entries regardless of the pose of the hand. Our Backward PIN-Sequence Inference algorithm exploits the inherent physical constraints between key entries to infer the complete user key entry sequence.”
Yan Wang, assistant professor of computer science at Binghamton University and a co-author of the study, says that they were able to crack private PIN codes with 80% accuracy on the first attempt, and with more than 90% accuracy after three tries:
“To our knowledge [this] is the first technique that reveals personal PINs leveraging wearable devices without the need for labeled training data and contextual information.”
This sounds very impressive, but how would a hacker put such a sophisticated attack into practice?
One method might be to infect the wearable device itself with malware, which would collect wrist movement data while a security system is accessed and send it back to the hackers for analysis. Wang also proposes that a device could be secreted close to the ATM PIN pad or key-based security system to eavesdrop on data as it is sent from the wearable back to an associated smartphone, usually via Bluetooth. This approach relies upon the detailed sensor data being synced and shared with a smartphone at the time the target is using the ATM.
Research conducted in the past has proven that many fitness trackers fall short when it comes to securing users’ data, suggesting that weaknesses that could be exploited by cyber criminals are not uncommon.
The type of attack described by the researchers is unlikely to become widespread any time soon, though it is an interesting and imaginative piece of research. And it may shine a light on the types of attacks that some intelligence agencies and law enforcement authorities might be tempted to undertake against people of interest.