How Wearables Can Betray Your ATM PIN

It seems like almost everyone has a Fitbit these days, but it may be time to reconsider hopping on the wearables bandwagon. New research has determined that smartwatches and other wearable devices can be used to crack passwords and PINs.

A computer algorithm used data from the sensors of wearable technologies, such as smartwatches, to crack PINs and passwords with 80 percent accuracy on the first try. After three attempts, accuracy was over 90 percent.

“Wearable devices can be exploited,” said Yan Wang, assistant professor of computer science at Binghamton University. “Attackers can reproduce the trajectories of the user’s hand and then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.”


Vulnerable Wearable Devices

Wang and his colleagues conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing different technologies over a period of 11 months. From accelerometers, gyroscopes and magnetometers, the team recorded millimeter-level information about fine-grained hand movements.

Using these recordings, the researchers made distance and direction estimations between consecutive keystrokes, which their “Backward PIN-sequence Inference Algorithm” used to break codes. It is the first time passwords have been cracked without the need for background information.

“The threat is real, although the approach is sophisticated,” Wang added. “There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.”

The hope is that these results will enable engineers to develop security systems for wearable devices in order to prevent codes from being cracked so easily.


Security Systems for Wearable Devices

Wearable devices can track the wearer’s health and perform a variety of functions, but their small size and low computing power make them vulnerable to outside sources. Although the team lacked an immediate solution to this problem, they did suggest that developers try to “inject a certain type of noise into the data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness-tracking purposes such as activity recognition or step counts.”
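The sketch below illustrates the noise-injection idea quoted above. It is an added example, not code from the researchers or from any wearable vendor, and everything in it is an assumption: the 100 Hz sample rate, the 2 cm key spacing, the synthetic hand-movement and walking traces, the Gaussian noise level and the simple step counter. It compares how the same injected noise affects a coarse feature (step count) and a fine-grained one (centimeter-scale hand displacement).

```python
import math
import random

FS = 100              # assumed sample rate in Hz
DT = 1.0 / FS
KEY_SPACING_M = 0.02  # assumed distance between adjacent keypad keys

def hand_move(distance_m, duration_s=0.5):
    """Constructed trace: one sine period (speed up, slow down) covering distance_m."""
    n = int(duration_s * FS)
    amp = distance_m * 2 * math.pi / duration_s ** 2
    return [amp * math.sin(2 * math.pi * i / n) for i in range(n)]

def walking(seconds=10, steps_per_s=2, amp=3.0):
    """Constructed trace: gravity-free wrist acceleration while walking."""
    return [amp * math.sin(2 * math.pi * steps_per_s * i / FS) for i in range(seconds * FS)]

def add_noise(acc, sigma, rng):
    return [a + rng.gauss(0.0, sigma) for a in acc]

def estimate_displacement(acc):
    """Double-integrate acceleration: the fine-grained signal the noise must spoil."""
    v = x = 0.0
    for a in acc:
        v += a * DT
        x += v * DT
    return x

def count_steps(acc, window=15, hi=1.0, lo=-1.0):
    """Coarse feature: moving average plus hysteresis, one count per arm swing."""
    steps, armed, buf = 0, True, []
    for a in acc:
        buf.append(a)
        if len(buf) < window:
            continue
        s = sum(buf) / window
        buf.pop(0)
        if armed and s > hi:
            steps, armed = steps + 1, False
        elif not armed and s < lo:
            armed = True
    return steps

def rms_error(sigma, trials=300, seed=1):  # RMS displacement error for one key hop
    rng = random.Random(seed)
    clean = hand_move(KEY_SPACING_M)
    errs = [estimate_displacement(add_noise(clean, sigma, rng)) - KEY_SPACING_M
            for _ in range(trials)]
    return math.sqrt(sum(e * e for e in errs) / trials)
```

With noise of 1 m/s² the step counter still reports the same number of steps on the walking trace, while the displacement error for a single key-to-key movement grows to roughly the size of the key spacing itself.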

The team also suggests that developing the encryption between the device and the host operating system could further improve security. Until these changes are put in place, it might be best to leave your Fitbit at home the next time you need to make a run to the ATM.
