Smart devices are quickly taking over our lives, but they may also be giving away our secrets.
We’ve already given most of our privacy away to smartphones and Facebook. They know where we are, who our friends are, what we like to buy and much more about our personality than we’d like to admit. But according to a new study, they may also have access to your bank account.
The authors say that if you combine data from embedded sensors in wearable technologies, such as smartwatches and fitness trackers, with a PIN cracking algorithm you have an 80% chance of identifying a PIN code from the first try and an over 90% chance of cracking it in 3 tries.
Yan Wang, assistant professor of computer science at the Stevens Institute of Technology is working on smartphone security and privacy. He said that wearable devices in particular pose a significant risk and can be exploited with relative ease.
“Wearable devices can be exploited,” said Wang. “Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.”
She and his colleagues conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a variety of technologies over 11 months. Basically, regardless of the hand position and regardless of how much you try to conceal your hand movement, the accelerometers, gyroscopes and magnetometers inside the wearable technologies can still figure out what PIN you are typing in. In other words, your smartwatch is detecting your hand movement and figuring out your PIN.
According to the team, this is the first study to test this – at least the first scientific study. The required technology is still quite sophisticated, but with the right tools available, it’s worryingly easy to crack PIN codes.
“The threat is real, although the approach is sophisticated,” Wang added. “There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.”
The findings are just an early step in understanding the vulnerabilities and at the moment, there is no evident solution to fix these risks. The authors do suggest that developers “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.” However, not all is grim.
“Further research is needed, and we are also working on countermeasures,” concludes Chen, adding that wearables are not easily hackable — but they are hackable.
A paper on the new research, Friend or Foe? Your Wearable Devices Reveal Your Personal PIN, received the Best Paper Award at the ACM Conference on Information, Computer and Communications Security (ASIACCS) in Xian, China in May.
EDIT: We have corrected several minor errors in this article, as indicated by the authors of the study.