Are your smart devices really that smart to not give away your secrets? Well, a recent study reveals that they are not and might give away your personal information, including your passwords or ATM pins.
Scientists from Binghamton University and the Stevens Institute of Technology say that if you combine data from embedded sensors in wearable technologies, such as smart watches and fitness trackers, with a PIN cracking algorithm you have an 80% chance of identifying a PIN code from the first try and an over 90% chance of cracking it in 3 tries.
Yan Wang from the Binghamton University who is working on smart phone security and privacy said that wearable devices in particular pose a significant risk and can be exploited with relative ease.
“Wearable devices can be exploited,” said Wang. “Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.”
Yan and his colleagues conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a variety of technologies over 11 months. The team was able to record information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose. Basically, your smart watch is detects your hand movement and figuring out your PIN.
“The threat is real, although the approach is sophisticated,” Wang added. “There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smart phones.”
The team has suggested that developers “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.”