As your day-to-day apparel and accessories are turning into networked mobile electronic devices that attach to your body like smartwatch or fitness band, the threat to our personal data these devices collect has risen exponentially.
A recent study from Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think – and it could be used to steal your ATM PIN code.
The risk lies in the motion sensors used by these wearable devices. The sensors also collect information about your hand movements among other data, making it possible for "attackers to reproduce the trajectories" of your hand and "recover secret key entries."
In the paper, titled "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN," computer scientists from the Stevens Institute of Technology and Binghamton University used a computer algorithm that can guess your password and PIN with about 80% success rate on the first attempt, and over 90% of the time with 3 tries.
Retrieving Passwords and PINs Using this Algorithm
Researchers say their "Backward PIN-Sequence Inference" algorithm can be used to capture anything a person type on any keyboard – from automatic teller machine or ATM keypads to mobile keypads – through infected smartwatches, even if the person makes the slight hand movements while entering PINs.
"The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose," reports Phys.org.
Although the researchers do not name specific wearable devices that are vulnerable, they note that attackers can record information about your hand movements…
…either directly by infecting your wearable device with malware or remotely by intercepting the Bluetooth connection that links your wearable device to your phone.
The bottom Line:
The team says it doesn’t have any robust solution to prevent this attack but recommends manufacturers and developers to confuse attackers by inserting "a certain type of noise data" that would allow the device to be still used for fitness tracking, but not for guessing keystrokes.
Another way is to take a low-tech approach – Always enter your passwords or PINs with the hand that is not having a wearable device with the highly sophisticated motion tracker.