(Image Credit: American Express)
The researchers who discovered this combined data from embedded sensors in wearable technologies-- like smartwatches and fitness trackers-- with a computer algorithm to crack private PINs and passwords, with 80% accuracy on the first try and more than 90% accuracy after three tries.
"Wearable devices can be exploited," said Yan Wang, assistant professor of computer science at Binghamton University. "Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."
After conducting multiple experiments, the team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of hand position. Those measurements lead to distance and direction estimations between consecutive keystrokes, which the team’s "Backward PIN-sequence Inference Algorithm" used to break codes with great accuracy.
According to the team, this is the first technique that reveals personal PINs by exploiting information from wearable devices without the need for contextual information.
"This was surprising, even to those of us already working in this area," said Yingying Chen, lead researcher. "It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.
These findings are just the beginning when it comes to understanding security vulnerabilities of wearable devices. The size and computing power of wearable devices may not allow them to come equipped with significant security measures, which makes the data within them more vulnerable to attack.
Currently, the team is working on countermeasures for their newly discovered problem. An initial approach it has come up with is "injecting a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts."
Another protective measure could include better encryption between the wearable device and the host operating system.
