As your day-to-day apparel and accessories turn into networked mobile electronic devices that attach to your body, like a smartwatch or fitness band, the threat to the personal data these devices collect has grown sharply.
A recent study from Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think, and that it could be used to steal your ATM PIN code.
The risk lies in the motion sensors used by these wearable devices. Among other data, the sensors collect information about your hand movements, making it possible for "attackers to reproduce the trajectories" of your hand and "recover secret key entries."
In the paper, titled "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN," computer scientists from the Stevens Institute of Technology and Binghamton University used a computer algorithm that can guess your password and PIN with about an 80% success rate on the first attempt, and over 90% of the time within 3 tries.
Retrieving Passwords and PINs Using this Algorithm
Researchers say their "Backward PIN-Sequence Inference" algorithm can be used to capture anything a person types on any keyboard, from automatic teller machine (ATM) keypads to mobile keypads, through infected smartwatches, even if the person makes only slight hand movements while entering PINs.
"The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand's pose," reports Phys.org.
Although the researchers do not name specific wearable devices that are vulnerable, they note that attackers can record information about your hand movements either directly, by infecting your wearable device with malware, or remotely, by intercepting the Bluetooth connection that links your wearable device to your phone.
The bottom line:
The team says it doesn't have a robust solution to prevent this attack, but recommends that manufacturers and developers confuse attackers by inserting "a certain type of noise data" that would allow the device to still be used for fitness tracking, but not for guessing keystrokes.
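As an added illustration, not code from the paper or from any device vendor, here is a small Python model of the noise-insertion trade-off the team describes: constructed accelerometer traces, a jitter step applied before data leaves the sensor, and two consumers, a step counter that survives the jitter and a correlation measure showing how little of the fine hand motion remains. The sample rate, amplitudes and the noise-budget rule in `pick_sigma` are assumptions.

```python
import math
import random

# Constructed sensor parameters for illustration; not from the paper or any device.
SAMPLE_HZ = 100      # accelerometer sample rate
STEP_HZ = 2.0        # walking cadence of the constructed trace
WALK_AMP = 3.0       # m/s^2, amplitude of the walking signal
FINE_AMP = 0.05      # m/s^2, amplitude of small hand motion at a keypad

def walking_trace(seconds):
    """Constructed trace of a walking user: a clean sinusoid at STEP_HZ."""
    n = int(seconds * SAMPLE_HZ)
    return [WALK_AMP * math.sin(2 * math.pi * STEP_HZ * i / SAMPLE_HZ) for i in range(n)]

def keypad_trace(seconds, seed=7):
    """Constructed trace of a still hand making small keypad motions."""
    rng = random.Random(seed)
    return [rng.uniform(-FINE_AMP, FINE_AMP) for _ in range(int(seconds * SAMPLE_HZ))]

def add_privacy_noise(samples, sigma, seed=1):
    """Mitigation sketch: jitter each sample with Gaussian noise before it reaches
    apps or the Bluetooth link, so raw traces no longer carry millimetre detail."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]

def pick_sigma(window=10, margin=4.0):
    """Noise budget (assumed rule): sigma must swamp fine motion (>= margin * FINE_AMP)
    yet stay small after a moving average of `window` samples (jitter shrinks by
    sqrt(window)) so walking remains clear. Returns None when both cannot be met."""
    low, high = margin * FINE_AMP, WALK_AMP / (margin * math.sqrt(window))
    return low if low <= high else None

def count_steps(samples, window=10):
    """Coarse fitness feature: upward zero-crossings of a moving average."""
    avg = [sum(samples[i:i + window]) / window for i in range(len(samples) - window + 1)]
    return sum(1 for a, b in zip(avg, avg[1:]) if a < 0 <= b)

def correlation(xs, ys):
    """Pearson correlation: how much true fine motion is still visible in a trace."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))

if __name__ == "__main__":
    sigma, walk, keys = pick_sigma(), walking_trace(5), keypad_trace(5)
    print("steps clean/noisy:", count_steps(walk), count_steps(add_privacy_noise(walk, sigma)))
    print("fine-motion correlation clean/noisy:", round(correlation(keys, keys), 3),
          round(correlation(keys, add_privacy_noise(keys, sigma)), 3))
```

With these constants the step count is unchanged by the jitter while the correlation with the true fine motion drops from 1.0 to roughly 0.15, which is the shape of the trade-off the team proposes.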
Another way is to take a low-tech approach: always enter your passwords or PINs with the hand that is not wearing a device with a highly sophisticated motion tracker.