Mobile systems and cyber security expert Yan Wang doesn’t wear a smart watch.
“It knows too much,” says Wang, an assistant professor of computer science at Binghamton University in Upstate New York. “If you are using a smart watch, you need to be cautious.”
Wearable devices can give away your PIN number, according to research by professor Yingying Chen at Stevens Institute of Technology and three of her current and former graduate students including Wang. By combining smart watch sensor data with an algorithm to infer key entry sequences from even the smallest of hand movements, the team was able to crack private ATM PINs with 80 percent accuracy on the first try and more than 90 percent accuracy after three tries.
“This was surprising even to those of us already working in this area,” Chen, who led the research, said in a press release. “It may be easier than we think for criminals to obtain secret and private information from our wearables by using the right techniques.”
“I have to admit, at the beginning, I thought this would be science fiction,” says Wang. “But it can actually be done. There are just so many sensors on these wearable devices.”
There has long been concern over the security of smart watches, fitness trackers, and other internet-connected wearables that gather sensitive information, such as what time of day a user leaves their home. To infer user inputs on keyboards, past cyber security studies have used cameras to observe how a hand moves over a keypad or machine learning techniques to train a program to detect user movements.
Now, spying on a PIN just got way easier, thanks to sensors that measure acceleration, orientation and direction in our wrist devices. The Stevens researchers conducted 5,000 key-entry tests on three different keypads: a detachable ATM pad, a keypad on an ATM machine, and a QWERTY keyboard. Twenty adults performed the tests wearing one of three different devices: the LG W150 or Moto360 smart watches or the Invensense MPU-9150, a nine-axis motion tracking device.
The team downloaded sensor data from the tests, which recorded hand movements down to the millimeter. Using an algorithm they called the “Backward PIN-sequence Inference Algorithm,” the team was able to break the codes with alarming accuracy.
The most challenging part of the process was eliminating errors that emerge when trying to calculate distance moved based on acceleration, says Wang. The team found the best way to minimize those errors was to work backwards: Most people end a PIN entry by pressing ‘Enter’, so the team started with the Enter key, then traced backwards to each preceding key—a hacker’s version of connect-the-dots.
The method does not require an attacker to be anywhere near an ATM or other key-entry pad (such as an electronic door lock or computer keyboard). Instead, data can be stolen by either a wireless sniffer placed close to a keypad to capture Bluetooth packets sent by the wearable to a smartphone, or by installing malware on the wearable or smartphone to eavesdrop on the data and send it to the attacker’s server.
Wang is unaware of anyone currently stealing PIN numbers in this way, but Chen’s group is working on countermeasures against it. For example, wearables manufacturers could inject noise into the sensor data to make it more secure.
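To make the noise-injection countermeasure concrete, here is an added example (not the researchers' algorithm and not code from the original article) that measures how much error injected noise adds when distance is estimated from acceleration. The movement distance, duration, sample rate and noise levels are constructed values chosen for illustration.

```python
import math
import random

DT = 0.01          # sample period in seconds (100 Hz, assumed)
STEPS = 30         # one key-to-key movement lasting 0.3 s (constructed)
DISTANCE = 0.02    # metres moved between two keys (constructed value)

def constructed_trace():
    """Acceleration for a smooth move of DISTANCE: speed up, then slow down."""
    duration = STEPS * DT
    peak = 2 * math.pi * DISTANCE / duration ** 2
    return [peak * math.sin(2 * math.pi * k / STEPS) for k in range(STEPS + 1)]

def cumulative_trapezoid(samples, dt):
    """Running integral of evenly spaced samples (trapezoidal rule)."""
    out = [0.0]
    for prev, cur in zip(samples, samples[1:]):
        out.append(out[-1] + 0.5 * (prev + cur) * dt)
    return out

def displacement(accel, dt=DT):
    """Integrate acceleration twice: first to velocity, then to distance."""
    velocity = cumulative_trapezoid(accel, dt)
    return cumulative_trapezoid(velocity, dt)[-1]

def inject_noise(accel, sigma, rng):
    """Countermeasure: add zero-mean Gaussian noise to every sample."""
    return [a + rng.gauss(0.0, sigma) for a in accel]

def rms_error(sigma, trials=500, seed=1):
    """RMS distance error (metres) over many independently noised traces."""
    rng = random.Random(seed)
    clean = constructed_trace()
    total = 0.0
    for _ in range(trials):
        err = displacement(inject_noise(clean, sigma, rng)) - DISTANCE
        total += err * err
    return math.sqrt(total / trials)

if __name__ == "__main__":
    for sigma in (0.0, 0.5, 2.0):
        print(f"sigma={sigma} m/s^2  rms error={rms_error(sigma) * 1000:.1f} mm")
```

Because each noise sample is integrated twice, its effect accumulates over the whole movement, so the distance error grows in proportion to the injected noise level; a manufacturer would have to weigh that against the accuracy legitimate apps need.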
Chen presented the results in June at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China.
Editor’s note: The story was corrected on 12 July 2016 to clarify possible solutions to the security threat and updated to add comment from Yingying Chen.