Your Fitbit, Apple Watch, and Nike+ app keep you motivated to stay fit; but can these wearables also leak private information, like your personal PIN code (the password that keeps other people from getting into your phone)? Unfortunately, yes, according to research from Stevens Institute of Technology.
Researchers discovered that the motion of your hand as you type a PIN on your smartphone or at an ATM is continually and automatically recorded by the motion sensors in your fitness device, and that this data can be captured in real time. A hacker can use the movement pattern to guess your PIN and, this is the worst part, can do so with more than 90 percent accuracy within a few attempts, the researchers say.
In the study, researchers outfitted 20 volunteers with a variety of fitness wristbands and smartwatches, then asked them to make some 5,000 sample PIN entries on phone or laptop keypads while the researchers “sniffed” the Bluetooth Low Energy (BLE) data that the sensors in those devices transmit to their paired smartphones. Sniffing what? Let’s clarify:
“There are two kinds of potential attacks here: sniffing attacks and internal attacks,” lead study author and electrical and computer engineering professor Yingying Chen explains in a press release. “An adversary can place a wireless ‘sniffer’ close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data.”
After collecting data from the devices, Chen and her team calculated the typical distance and direction of each movement between consecutive key presses. From those movements, the researchers developed a “backward-inference algorithm” capable of predicting four-digit PIN codes.
“These predictions were assisted by the standardized layout of most PIN pads and keyboards—plus the knowledge that nearly all users will hit ‘enter’ as their final significant hand motion after entering a code,” Chen notes.
While some devices were more secure than others, the algorithm’s first guess succeeded an astonishing 80 percent of the time (on average). Within five tries, its accuracy skyrocketed to 99 percent on some devices.
Don’t panic and ditch the wearables, though. They’re not that easily hacked; a criminal has to work for it. But they are hackable.
So, how do you safeguard your devices?
Luckily, there are some things you can do to protect your info. It’s not as simple as changing your passwords or PINs frequently, though: a new PIN doesn’t stop an attacker from “sniffing” the sensor data the next time you type it, Chen explains.
“Further research is needed, and we are also working on countermeasures,” she says. Until those are developed, stay safe by resisting the urge to enter your code with the same hand: “It would be helpful if you enter the PIN with the hand not wearing the smartwatch or fitness tracker,” says Chen. Manufacturers of smartwatches and fitness trackers can also inject “noise” into sensor readings, though this can’t be done by users.
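To make the two technical points above concrete (the backward inference from key-to-key movements ending at “enter”, and why injecting noise into sensor readings is a countermeasure while changing your PIN is not), here is a small added model. It is not code from the Stevens study or from any wearable vendor. It assumes a standard 3×4 keypad with one unit of spacing between keys and “enter” at the bottom right, and it skips the hard part of the real attack, turning raw accelerometer data into movement vectors; it simply computes those vectors from a known PIN and, optionally, blurs them with Gaussian noise to stand in for a manufacturer’s noise injection.

```python
"""Toy model of the keypad 'backward inference' described in the article.

Constructed example: the attacker's input is the displacement (distance and
direction) between consecutive key presses.  Here it is computed directly
from a known PIN, then optionally blurred to model injected sensor noise.
"""
import math
import random

# Standard 3x4 keypad, one unit between adjacent key centres.
# Assumption: 'enter' is the bottom-right key, as on most ATM pads.
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "*": (0, 3), "0": (1, 3), "#": (2, 3),
}
ENTER = "#"
DIGITS = "0123456789"


def displacements(keys):
    """Vector from each key press to the next: the quantity the wearable leaks."""
    pts = [KEYPAD[k] for k in keys]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]


def add_noise(moves, sigma, rng):
    """Blur each displacement component, modelling noise injected into the sensor."""
    return [(dx + rng.gauss(0, sigma), dy + rng.gauss(0, sigma)) for dx, dy in moves]


def backward_inference(moves, tolerance=0.5):
    """Walk the moves backwards from the known final 'enter' press.

    Returns candidate PINs sorted by total geometric error (best guess first).
    `tolerance` is how far (in key units) a back-projected position may lie
    from a digit's centre and still be accepted.
    """
    results = []

    def walk(pos, idx, digits, err):
        if idx < 0:                      # all four presses reconstructed
            results.append(("".join(reversed(digits)), err))
            return
        dx, dy = moves[idx]
        tx, ty = pos[0] - dx, pos[1] - dy   # where the previous press must have been
        for d in DIGITS:
            kx, ky = KEYPAD[d]
            dist = math.hypot(kx - tx, ky - ty)
            if dist <= tolerance:
                walk((kx, ky), idx - 1, digits + [d], err + dist)

    walk(KEYPAD[ENTER], len(moves) - 1, [], 0.0)
    results.sort(key=lambda r: r[1])
    return [pin for pin, _ in results]


def rank_of_truth(pin, moves, tolerance=0.5):
    """1-based position of the real PIN in the attacker's guess list (None if pruned)."""
    guesses = backward_inference(moves, tolerance)
    return guesses.index(pin) + 1 if pin in guesses else None


def simulate(pin, sigma, trials=200, tolerance=0.5, seed=1):
    """Fraction of trials in which the true PIN is the very first guess, and the
    mean number of candidates the attacker is left to try."""
    rng = random.Random(seed)
    clean = displacements(pin + ENTER)
    first, total_candidates = 0, 0
    for _ in range(trials):
        guesses = backward_inference(add_noise(clean, sigma, rng), tolerance)
        total_candidates += len(guesses)
        if guesses and guesses[0] == pin:
            first += 1
    return first / trials, total_candidates / trials


if __name__ == "__main__":
    pin = "1590"   # constructed sample PIN
    print("exact sensing ->", backward_inference(displacements(pin + ENTER)))
    # More injected noise forces the attacker to widen the tolerance, which
    # multiplies candidates and erodes the first-guess hit rate.
    for sigma in (0.0, 0.1, 0.3, 0.6):
        top1, cands = simulate(pin, sigma, tolerance=0.5 + sigma)
        print(f"noise sigma={sigma:.1f}: first-guess hit {top1:.0%}, "
              f"avg candidates {cands:.1f}")
```

With exact movement vectors the model recovers the PIN in one guess regardless of which digits were chosen, which is why picking a new PIN does not help: the leak is the geometry of the keypad plus the known final “enter” press, not the secret itself. Increase `sigma` and the attacker’s ordered guess list grows and the true PIN drifts down it; that is the effect a manufacturer’s noise injection aims for, and the simulation lets you see how much noise is needed before the first-guess rate actually drops.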