Can Hackers Track Movement Of Wearable Devices To Figure Out PINs & Passwords?


When you enter a PIN or password on your smartwatch or other wearable, you might go to great lengths to shield the letters and numbers you enter from public view. However, a newly released report suggests that hackers could, in theory, trace users’ hand movements on wearable devices to figure out how to access their personal accounts.

A research report [PDF] from the Stevens Institute of Technology found that wearables may provide an avenue for hackers to access consumer information that may not be tied to the devices, such as bank accounts.

A series of tests conducted by the researchers found that the motions of your hands – which are continually and automatically recorded by your device – as you use a PIN pad can be hacked in real time and used to guess PINs with a nearly 90% accuracy rate.

The tests included equipping 20 volunteers with an array of fitness wristbands and smart watches, and asking them to make some 5,000 sample PIN entries on keypads.

Researchers either placed malware on the device or placed a wireless sniffer close to a keypad to capture the Bluetooth packets being sent from the wearable to a smartphone. They were then able to capture hand movement data and use it to calculate the typical distances between consecutive key entries and the directions of movement from one key to the next.

To determine what motions corresponded to what numbers on the keypad, the researchers developed a backward-inference algorithm.

“These predictions were assisted by the standardized layout of most PIN pads and keyboards — plus the knowledge that nearly all users will hit ‘enter’ as their final significant hand motion after entering a code,” the researchers note.

In all, the algorithm’s first guess succeeded about 80% of the time. Within five tries, the process worked 99% of the time for some devices.

“Further research is needed, and we are also working on countermeasures,” researcher and electrical and computer engineering professor Yingying Chen says in a statement. “It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”

[h/t TechCrunch]
