Your smart watch or fitness tracker may be giving you helpful information about you health, but is it also giving away secrets to an enterprising hacker?
Scientists at Binghamton University and the Stevens Institute of Technology say it is theoretically possible these devices could reveal your ATM code.
Maybe it is more than theoretically possible. The researchers combined data from embedded sensors in wearable technologies, typical in smartwatches and fitness trackers, along with a computer algorithm designed to crack private PINs and passwords.
The test was successful in capturing the PIN 80% of the time on the first try and had a 90% success rate after three attempts.
Possible to exploit
“Wearable devices can be exploited,” said Yan Wang, assistant professor of computer science at Binghamton.
The hackers, he says, can reproduce the movement of a user’s hand, then recover secret PIN entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.
To test the theory, the research team conducted over 5,000 tests using key-based security systems. It was able to record hand movement down to the millimeter level, tapping into the inner workings of a variety of wearable technology.
By recording the measurements, the software was able to estimate distance and direction of hand movement between key strokes. It was able to do so with what the team called “alarming accuracy.”
The threat is real
“The threat is real, although the approach is sophisticated,” Wang said. “There are two attacking scenarios that are achievable: internal and sniffing attacks.”
In an internal attack, hackers are able to tap into the embedded sensors in wrist-worn wearable devices through malware. When the target accesses a key-based system, such as an ATM, the malware sends back the data it has sensed. Using that data, the hacker can accurately predict the code the victim has used.
In a sniffing attack, the hacker places a wireless device close to a specific key-based target. The sniffer can then eavesdrop on sensor data from the wearble device that is sent using Bluetooth to the victim's smartphone.
The researchers did not offer a solution to the security issue they identified, but suggested if developers “injected noise” into the data it might make fine-grained hand movements harder to detect.
In the meantime, it might be a good idea to punch in ATM codes with the hand not wearing a smart watch or fitness tracker.