In 5,000 key-entry tests for three different security systems over nearly a year, the researchers found they were able to successfully crack 80 percent of PINs and passwords on the first try. With three tries, the accuracy of the hacks rose to more than 90 percent.
Because there’s no immediate way to avoid such vulnerabilities with wearables, the researchers said that it is probably best not to enter security data into such devices if there is any chance of being observed either directly or remotely.
The researchers also suggested that developers find ways to “inject a certain type of noise” into wearable data so the devices can still be used effectively to count steps or monitor other physical activities without giving away the finer hand motions involved in typing.
‘Sophisticated’ Two-Pronged Attack Method
The research was conducted at the Stevens Institute of Technology, by Prof. Yingying Chen with the assistance of four graduate students: Chen Wang, Xiaonan Guo, Yan Wang, and Bo Liu. The team’s findings were detailed in a paper titled, “Friend or Foe? Your Wearable Devices Reveal Your Personal PIN,” and also presented recently at the annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China, in early June.
The results of the research were “surprising, even to those of us already working in this area,” said Chen, a multiple-time National Science Foundation (NSF) awardee. “It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”
Wang, who is now an assistant professor of computer science at New York state’s Binghamton University, said there are two ways a hacker can monitor a wearable owner’s hand movements to figure out PINs and passwords: an internal attack that uses malware to access data from embedded sensors in a device; and an external hack employing a wireless sniffer to pick up Bluetooth signals sent between a wearable and an associated smartphone. “The threat is real, although the approach is sophisticated,” Wang said in a statement.
The research earned a “Best Paper Award” at the China conference for the Stevens Institute team. The investigation was funded in part by a grant from the National Science Foundation and the U.S. Army Research Office.
Cracking Security with ‘Alarming Accuracy’
Wearables, such as smartwatches, usually contain a variety of internal sensors that monitor different movements and device orientations. These sensors can include accelerometers, gyroscopes and magnetometers.
The Stevens Institute researchers developed a “Backward PIN-sequence Inference Algorithm” that they applied to the millimeter-scale motions detected by such sensors. The algorithm enabled them to estimate the distances and directions between successive keystrokes, which then allowed them to determine PINs and passwords with “alarming accuracy.”
Such vulnerabilities raise security concerns not only for fitness trackers and smartwatches, but for other health and medical devices whose size and computing power often don’t allow for robust security measures, the researchers said. In addition to injecting more noise into data from wearables to reduce the risks of such hacking, device developers should also work on improving encryption of data traveling between wearables and host devices, usually smartphones.
“Further research is needed, and we are also working on countermeasures,” Chen concluded, with a warning that wearables are not easily hackable — but they are hackable.
Editorial Note: This article has been corrected to reflect that Stevens Institute of Technology Professor Yingying Chen was the lead researcher and author, working with graduate students Chen Wang, Xiaonan Guo, Yan Wang, and Bo Liu. The group has collaborated on this and other mobile device-related security and privacy projects.