Your fitness tracker could be giving away PINs and passwords

A new study has shown how hackers could potentially use your fitness tracker or smartwatch to figure out your passwords and personal identification numbers (PINs).

According to researchers from the Stevens Institute of Technology and Binghamton University, you don’t even need to have the sensitive data stored on your smart device to be at risk. Hackers could figure out your PINs and passwords based solely on motion data.

The findings were presented in the Proceedings of the 11th ACM Asia Conference on Computer and Communications Security. The study covered 20 individuals entering PINs and passwords a total of 5,000 times over 11 months.

The team devised an algorithm that infers key entry sequences by analyzing the hand movements recorded in the wearable's sensor data. The researchers tested the technique with the LG W150 and Moto360 smartwatches and the InvenSense MPU-9150, a nine-axis motion tracking device. After capturing accelerometer, gyroscope and magnetometer data from the devices and using it to calculate the typical distances and directions between consecutive key entries, the team developed a backward-inference algorithm to predict four-digit PIN codes.

The results showed that PINs could be recovered with very little effort: 80% accuracy with a single try and more than 90% accuracy with three tries. The same algorithm can be applied to passwords.

“This was surprising, even to those of us already working in this area,” Professor Yingying Chen said in a press release.

“It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”

Attackers can use this method in two ways: by installing malware directly onto the device, or by grabbing the data via the Bluetooth connection that bridges the wearable to the smartphone.

This is the description of the work from their research paper:

In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user’s fine-grained hand movements, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries. In particular, our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user’s hand between consecutive key entries regardless of the pose of the hand. Our Backward PIN-Sequence Inference algorithm exploits the inherent physical constraints between key entries to infer the complete user key entry sequence.

The research team offers a solution to manufacturers and developers: insert some “noise data” to obscure the sensitive sensor readings. In the meantime, there are a few ways you can protect yourself and throw off potential hackers, such as typing with the hand that is not wearing the device or deliberately disrupting your own rhythm between presses.

Or, you could just take off your wearable before you enter your secure PINs.
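To make the two ideas above concrete, the distance-and-direction constraints between key entries and the researchers' noise-injection suggestion, here is a small added example (not code from the article or from the research team's system). It models an ATM-style keypad, enumerates every PIN consistent with a sequence of measured inter-key displacements, and shows how noise on those displacements widens the candidate set an attacker must search. The keypad layout, the key pitch, the tolerance values and the example PIN are assumptions; the matching step is a simplified stand-in for the paper's Backward PIN-Sequence Inference algorithm, not an implementation of it.

```python
import itertools
import random

# Constructed model of a 3x4 ATM-style keypad; coordinates are in units of
# one key pitch (assumption: roughly 1 cm on a real keypad).
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}


def displacements(pin):
    """Hand displacement (dx, dy) between consecutive key presses of `pin`."""
    pts = [KEYPAD[d] for d in pin]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]


def candidates(measured, tol):
    """All PINs whose keypad geometry matches the `measured` displacements.

    `tol` is the per-axis error (in key pitches) the matcher accepts. This is
    plain constraint matching over the layout: relative movement alone cannot
    tell apart trajectories that are translates of each other on the keypad.
    """
    hits = set()
    for digits in itertools.product(KEYPAD, repeat=len(measured) + 1):
        pin = "".join(digits)
        if all(abs(dx - mx) <= tol and abs(dy - my) <= tol
               for (dx, dy), (mx, my) in zip(displacements(pin), measured)):
            hits.add(pin)
    return hits


def add_noise(measured, amplitude, seed=0):
    """Defender-side mitigation from the article: perturb each reported
    displacement by uniform noise of +/- `amplitude` key pitches."""
    rng = random.Random(seed)
    return [(dx + rng.uniform(-amplitude, amplitude),
             dy + rng.uniform(-amplitude, amplitude)) for dx, dy in measured]


if __name__ == "__main__":
    true_pin = "1478"  # constructed example PIN
    clean = displacements(true_pin)
    print("clean sensing, tol 0.3:", sorted(candidates(clean, 0.3)))
    noisy = add_noise(clean, amplitude=1.0, seed=7)
    # Noise of +/-1 pitch forces a tolerance of 1.0 to keep the true PIN in
    # the set, and at that tolerance the candidate set grows into the hundreds.
    print("noisy sensing, tol 1.0:", len(candidates(noisy, 1.0)), "candidates")
```

With clean sensing the example PIN is one of just two geometrically consistent candidates, which is the ambiguity the paper's backward inference is designed to resolve; once the displacements carry noise, a matcher loose enough to keep the true PIN also admits hundreds of others.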
