Hackers Can Steal PIN Codes from Wearables

SmartwatchYour wearable device is tracking your hand movements, which is great if you want to know how many calories you’ve burned, but terrible if you don’t want hackers to know how to get into your bank account. Researchers from Binghamton University have demonstrated that algorithms can use the data from embedded sensors in smartwatches and fitness trackers to easily and accurately identify a user’s personal PIN code. Researcher Yan Wang warns:

There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.

The acelerometers, gyroscopes, and magnetometers inside wearables detect hand movement, such as the exact motion you make when entering your PIN to access your bank account at an ATM machine. The researchers conducted 5,000 key entry tests and found that the devices tracked movements within a millimeter, which is certainly precise enough to determine which buttons were pressed. The team then used a “Backward PIN-sequence Inference Algorithm” to break the codes with incredible accuracy. They identified the correct PIN 80 percent of the time on the very first try, and 90 percent of the time on the second try.

The team suggests that we need better encryption for wearables, and recommends that developers should “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.”

Source: Binghamton University

Leave a Reply

Your email address will not be published.