Wearable devices such as smartwatches and fitness trackers have significantly gained ground, helping us with our fitness routines, but are they also giving away our secrets?
According to a new research paper, that may well be the case, and it's not just any secrets. The wearables may also track our steps all the way to the ATM, track our hand movements with great precision, record our PIN and give it away by accident.
Aptly titled "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN," the paper details how easy it is to crack one's PIN code or password simply by reverse-engineering the motion sensor data from a wearable device.
Researchers from Binghamton University and the Stevens Institute of Technology reveal that this simple method yields impressive accuracy: 80 percent on the first try and more than 90 percent after three attempts.
The researchers combined data from embedded sensors in wearable devices and used a computer algorithm to "guess" private PINs and passwords.
"In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user's fine-grained hand movements, which enable attackers to reproduce the trajectories of the user's hand and further to recover the secret key entries," note the researchers. "In particular, our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user's hand between consecutive key entries regardless of the pose of the hand."
The paper does not specify exactly which wearable devices were part of the experiment and proved vulnerable, but it does highlight that many wearables record one's hand movements with enough precision to identify key presses.
An attacker could get hold of this data either through malware installed directly on the wearable device or remotely, by eavesdropping on the Bluetooth connection between the wearable and the paired smartphone.
In light of these findings, the research team advises developers to obscure sensitive information by adding a "certain type of noise data." This would allow the wearable to continue serving as a useful tool for fitness tracking but would cast a veil over other sensitive info such as your PIN or password.
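To make the noise idea concrete, the following added example (not code from the paper or from any wearable vendor) perturbs accelerometer samples on the device and compares what survives: a step counter keeps working, while the double-integrated hand displacement that trajectory reconstruction depends on drifts by tens of millimetres. Zero-mean Gaussian noise, the 100 Hz sample rate, the noise level and both test signals are assumptions constructed for illustration; the paper's "certain type of noise" is not specified in this article.

```python
import math
import random

FS = 100          # assumed sample rate in Hz
DT = 1.0 / FS

def add_noise(samples, sigma, rng):
    """Defense sketch: add zero-mean Gaussian noise (m/s^2) before data leaves the device."""
    return [a + rng.gauss(0.0, sigma) for a in samples]

def displacement_mm(accel):
    """Double-integrate acceleration to distance, the quantity the attack needs at mm level."""
    v = p = 0.0
    for a in accel:
        v += a * DT
        p += v * DT
    return p * 1000.0

def count_steps(accel, window=25, thresh=0.6):
    """Fitness feature: moving average (zero-padded) plus a hysteresis peak counter."""
    steps, armed, acc = 0, True, 0.0
    for k, a in enumerate(accel):
        acc += a - (accel[k - window] if k >= window else 0.0)
        smooth = acc / window
        if armed and smooth > thresh:
            steps, armed = steps + 1, False
        elif not armed and smooth < -thresh:
            armed = True
    return steps

def key_move():
    """Constructed sample: hand travels 40 mm between two keys in 0.4 s."""
    return [1.0] * 20 + [-1.0] * 20

def walk():
    """Constructed sample: 10 s of walking at 2 steps per second, 3 m/s^2 amplitude."""
    return [3.0 * math.sin(2 * math.pi * 2.0 * k * DT) for k in range(10 * FS)]

def rms_error_mm(sigma, trials=300, seed=1):
    """RMS error of the recovered key-to-key distance over many noisy observations."""
    rng = random.Random(seed)
    true = displacement_mm(key_move())
    errs = [(displacement_mm(add_noise(key_move(), sigma, rng)) - true) ** 2
            for _ in range(trials)]
    return math.sqrt(sum(errs) / trials)

if __name__ == "__main__":
    noisy_walk = add_noise(walk(), 1.5, random.Random(7))
    print("steps clean/noisy:", count_steps(walk()), count_steps(noisy_walk))
    print("distance RMS error, mm:", round(rms_error_mm(1.5), 1))
```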
In the meantime, you can always take the simplest approach that comes to mind: don't use your wearable-equipped hand to type your password or ATM PIN. If you drop by the ATM during your morning jog, just use the hand without a sophisticated smartwatch or fitness tracker with advanced motion tracking sensors.
This is a notable warning, especially considering that the wearable device market is on the rise and an increasing number of smartwatches, fitness bands, trackers and others are hitting the market. The wearables collect all kinds of information, and it apparently stretches well beyond just fitness and health data.