Your Smartwatch Could Give Hackers Your PIN and Passwords

Unsplash via Wikimedia Commons // Public Domain

Keeping your bank account safe at an ATM or electronically locked door used to be simple: Check to make sure nobody is watching you and block the keypad from view while you type in your code. You should still do those things, but you might also want to take off your smartwatch first; researchers say hackers could use wearable tech to figure out your PIN and other codes. They recently published their findings in a paper titled "Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN" for the proceedings of the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security.

Researchers at the Stevens Institute of Technology are working on a number of studies on security in wearable and mobile technology. For this experiment, they recruited 20 adults, who collectively punched their codes into ATMs and other keypads 5000 times over the course of 11 months while wearing various technologies. Back in the lab, the researchers scraped precise movement information from the devices’ accelerometers, gyrometers, and magnetometers to see if they could figure out exactly what the subjects were doing with their bodies, especially their hands.

Boy, could they. By combining and comparing those measurements, Wang and his colleagues were able to create an algorithm that determined not only where a hand was in space and how it was positioned, but what it did next. The "Backward PIN-sequence Inference Algorithm" was so good that it could crack subjects’ codes with 80 percent accuracy on the very first try.

The researchers say hackers would have to employ one of two types of attacks to get at your information: internal or sniffing. An internal attack would require the bad guy to break into the sensors inside your device and use them for his or her own purposes. In a sniffing attack, data thieves might place a wireless data collector near an ATM or keypad-locked door in order to eavesdrop on any nearby Bluetooth interactions between wearable devices and their owners’ phones.

These are, as yet, theoretical concerns, since the researchers know of no cases in which this has actually happened. Yet the threat exists. To shield users from attack, the researchers recommend that tech developers "…inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts."
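The trade-off in that recommendation can be shown with a short simulation. This is an added example, not code from the paper or the researchers: the signals are constructed, the noise is assumed to be zero-mean Gaussian, and "fine-grained hand movement" is modelled as distance obtained by integrating acceleration twice (the sample rate, amplitudes and thresholds are also assumptions).

```python
import math
import random

FS = 50            # assumed sensor sample rate in Hz
DT = 1.0 / FS

def walking(seconds=10, step_hz=2.0, amp=3.0):
    # Constructed walking signal: one acceleration peak per step (m/s^2).
    return [-amp * math.cos(2 * math.pi * step_hz * i * DT)
            for i in range(int(seconds * FS))]

def key_move(distance=0.04, duration=0.4):
    # Constructed hand movement between two keys: accelerate, then brake.
    n = round(duration * FS)
    amp = distance * 2 * math.pi / duration ** 2
    return [amp * math.sin(2 * math.pi * i / n) for i in range(n)]

def add_noise(signal, sigma, rng):
    # Zero-mean Gaussian noise: an assumed stand-in for "a certain type of noise".
    return [a + rng.gauss(0.0, sigma) for a in signal]

def count_steps(signal, window=10, threshold=1.0):
    # Moving average, then count rises above +threshold (re-arm below -threshold).
    steps, armed = 0, True
    for i in range(window - 1, len(signal)):
        value = sum(signal[i - window + 1:i + 1]) / window
        if armed and value > threshold:
            steps, armed = steps + 1, False
        elif not armed and value < -threshold:
            armed = True
    return steps

def displacement(signal):
    # Integrate acceleration twice to estimate distance travelled (metres).
    velocity = position = 0.0
    for a in signal:
        velocity += a * DT
        position += velocity * DT
    return position

def noisy_step_count(sigma, seed=1):
    return count_steps(add_noise(walking(), sigma, random.Random(seed)))

def rms_distance_error(sigma, trials=200, seed=1):
    # RMS error of the distance estimate over many noisy key movements.
    rng, clean = random.Random(seed), key_move()
    truth = displacement(clean)
    errs = [displacement(add_noise(clean, sigma, rng)) - truth for _ in range(trials)]
    return math.sqrt(sum(e * e for e in errs) / trials)
```

With `sigma = 1.0` m/s² on this constructed data, the step counter still reports all 20 steps because averaging cancels the noise, while the distance estimate for a 4 cm key-to-key movement is off by roughly 2 cm RMS because integration accumulates it.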

We’re not totally helpless. Although security programs for wearables are thin at the moment, you can at least shore up your phone’s defenses.
