It's already common knowledge that smartwatches, like any other computer-controlled and Internet-connected “smart” device, are vulnerable to hackers.
So if you wear a smartwatch and hackers exploit its various security vulnerabilities, what information about you could they steal? Of course you know already that they could obtain any data stored on or transmitted through the device – but security researchers at the University of Illinois at Urbana-Champaign, with funding from the National Science Foundation, developed a proof-of-concept exploit (explained in a .pdf document here). It is disguised as an app that would enable hackers to infer with reasonable accuracy what you typed while wearing a smartwatch.
Exploiting motion sensors
Ph.D. candidate He Wang co-authored the project, along with postdoc researcher Ted Tsung-Te Lai and Romit Roy Choudhury, an associate professor of electrical and computer engineering. Their paper is called MoLe: Motion Leaks through Smartwatch Sensors. As the name suggests, the researchers developed an app that was able to exploit smartwatches' various motion sensors to figure out with a high degree of accuracy what the smartwatch-wearer was typing. For this particular experiment, the researchers used an app they'd developed and installed on a Samsung Live Gear smartwatch.
Put your hands in “typing position” over a standard QWERTY keyboard, and imagine what movements you'd make to press various keys. It's obvious that hitting different keys requires different motions: the movements of your left wrist and various fingers when you type the numeral 1 or an exclamation point are radically different from the movements used to type an upper- or lower-case letter C, for example.
Still: touch-typing requires two hands and a smartwatch only measures the motions of one wrist. How accurately could a hacker transcribe your typing, simply by reading the watch's motion sensors?
According to the University of Illinois researchers, the results are far more accurate than you might guess (at least, under controlled laboratory conditions). Here's what the paper's abstract has to say:
“Imagine a user typing on a laptop keyboard while wearing a smart watch. This paper asks whether motion sensors from the watch can leak information about what the user is typing. While its [sic] not surprising that some information will be leaked, the question is how much? We find that when motion signal processing is combined with patterns in English language, the leakage is substantial. Reported results show that when a user types a word W, it is possible to shortlist a median of 24 words, such that W is in this shortlist. When the word is longer than 6 characters, the median shortlist drops to 10.”
Scarily accurate results
The above video of a typist wearing a smartwatch on her left wrist illustrates how scarily accurate the results can be. It also offers a simplified explanation of how the app works (basically, by monitoring hyper-precise motion data from a smartwatch's accelerometer and gyroscope). “Key challenges: Track micro motion of the smartwatch. Infer timing & location of key presses,” reads one subtitle. The attacker (or, rather, the app's programming) notes the number, location, and timing of key presses coming from the left hand and can infer what the right is doing – for example, longer gaps between individually detected key-presses make it likely that the right hand is currently pressing keys.
However, the researchers themselves admit that so far, the MoLe app wouldn't work for a “real-life” hack attack, only for an attack under strict (and highly artificial) laboratory conditions. The research paper's list of “assumptions” under which the app was tested includes this: “The evaluation is performed in a controlled environment where volunteers type one word at a time (as opposed to free-flowing sentences).”
Additional leaks
Furthermore, “We assume the user is seasoned in typing in that he/she roughly uses the appropriate fingers – novice typists who do not abide by basic typing rules may not be subject to our proposed attacks.” And, of course, the inferring programs only work with established, recognizable English-language words; this app wouldn't work for hackers trying to determine random-character passwords, for example.
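A simplified model of the leakage described above, added here as an illustration and not taken from the MoLe paper or its authors' code. It assumes every left-hand key is recognized exactly and each stretch of right-hand typing is seen only as a pause, then counts how many words in a small constructed dictionary stay indistinguishable; the key split, word list and function names are assumptions.

```python
# Simplified leakage model (assumption, not the MoLe algorithm): the watch is
# on the left wrist, left-hand keys are identified exactly, and each run of
# right-hand keys shows up only as a pause of unknown length. Letters only.

# Letter keys conventionally typed by the left hand when touch-typing QWERTY.
LEFT_HAND = set("qwertasdfgzxcvb")

# Constructed sample dictionary, for illustration only.
WORDS = ["to", "too", "toy", "tip", "ton", "the", "tie", "toe", "time",
         "tone", "tune", "wasp", "wash", "seal", "seam", "settler",
         "database", "telephone"]


def signature(word):
    """Reduce a word to what the model observes: left-hand letters are kept,
    each run of right-hand letters collapses into a single '_' pause."""
    out = []
    for ch in word.lower():
        if ch in LEFT_HAND:
            out.append(ch)
        elif not out or out[-1] != "_":
            out.append("_")
    return "".join(out)


def shortlist(typed, dictionary=WORDS):
    """Dictionary words that look identical to `typed` under the model."""
    sig = signature(typed)
    return sorted(w for w in dictionary if signature(w) == sig)


def leakage_report(dictionary=WORDS):
    """Map each word to its shortlist size; 1 means it is fully recovered."""
    return {w: len(shortlist(w, dictionary)) for w in dictionary}


if __name__ == "__main__":
    for word, size in sorted(leakage_report().items(), key=lambda kv: kv[1]):
        print(f"{word:10s} {signature(word):10s} shortlist={size}")
    # A random string matches no dictionary entry, so nothing is shortlisted.
    print("xkqplz ->", shortlist("xkqplz"))
```

In this toy dictionary the short words collapse into shared signatures while the longer ones are singled out, the same direction as the paper's reported drop in shortlist size for words over 6 characters, and a non-dictionary string yields an empty shortlist.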
But even though this particular hack-app wouldn't be very useful for a real-world hacker seeking to read the typing of a smartwatch-wearer, a more sophisticated version of this app could be. As the three researchers said to conclude their paper's abstract: “we discover additional 'leaks' that can further reduce the shortlist [of words] – we leave these exploitations to future work.”