Smartwatches not secure, give away PIN numbers

How you move your hand at an ATM when entering the PIN gives away the supposedly secure number to your sensor-packed wearable device, scientists say

Smartwatches not secure, give away PIN numbers

Sensors, such as accelerometers, found in wearable devices can be used to reverse engineer a human hand’s movements and trajectories while at an ATM, thus giving away the PIN code, research out of Stevens University found.

The findings bring into question the fundamental security of smartwatches.

Malware installs on devices might be one way the newly discovered hack could work, the scientists say. The software would wait for a mark to use a secure system, such as a keypad-controlled enterprise server, for example, and then collect data from the gyroscope, magnometer, accelerometer and other sensors. (Devices use those sensors to measure fitness and so on.)

+ Also on Network World: Experts to IoT makers: Bake in security +

It would then send the harvested data back to the bandit who uses an algorithm to interpret the collected hand trajectories and map them into millimeter-accurate keypad numbers.

In testing, the crack was found to have 80 percent accuracy on the first try and more than 90 percent accuracy within five tries, researchers at Stevens Institute of Technology say.

The researchers, led by Stevens professor Yingying Chen with the assistance of four graduate students: Chen Wang, Xiaonan Guo, Yan Wang and Bo Liu, tested 5,000 systems with 20 adults over 11 months.

A second way the same attack can be implemented is through a Bluetooth connection between the wearable device and the user’s smartphone. The criminal merely plucks the “fine-grained hand movement” raw data from the radio communication with a nearby sniffer and then runs the same mathematics.

Fitness fanatics often use a smartphone’s larger screen to view the watch-collected exercise data and see how well they’re doing—or not. Bluetooth is used for the connection.

Distance and direction estimations between consecutive keystrokes are provided through the hand movements in both scenarios. Then the team’s “Backward PIN-sequence Inference Algorithm” breaks the codes.

And it does it with “alarming accuracy without context clues about the keypad,” the researchers say. A lack of context is a big deal. The scientists say the malefactor doesn’t need to know details about the keyboard to perform the felonious deed.

The threat is real, and wearable devices can be exploited, the researchers say.

"This was surprising, even to those of us already working in this area," says the lead researcher Chen, a multiple time National Science Foundation (NSF) awardee. "It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques."

The problem is principally that security isn’t strong enough, the scientists say. Smartwatch “size and computing power doesn’t allow for robust security measures, which makes the data within more vulnerable to attack,” they say.

Indeed some argue that many internet-connected devices at the consumer level, like home IoT, overall aren’t secure. Experts say one reason is because the fast development cycle of the new genres doesn't allow enough time for testing. And low profit margins in consumer products, such as home IoT devices, and conceivably wearable tech means corners may get cut.

In any case, encryption isn’t good enough in wearable devices where the device and host operating system meet, the Stevens team says.

They don’t have a solution right now, but the researchers suggest manufacturers “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements.”

"Further research is needed, and we are also working on countermeasures," says Chen.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10