Study: How Your Smartwatch Gives Away Your ATM Pin
With the sudden popularity of wearable devices, researchers from the Stevens Institute of Technology and Binghamton University have warned consumers about the potential of these devices to give away valuable information such as ATM PINs.
"Wearable devices can be exploited," said Yan Wang, assistant professor of computer science within the Thomas J. Watson School of Engineering and Applied Science at Binghamton University and co-author of the study, in a statement. "Attackers can reproduce the trajectories of the user's hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."
According to a paper published in the proceedings of the Association for Computing Machinery, attackers can exploit wearable devices, such as smartwatches and fitness trackers, in two ways. Both techniques use the embedded sensors in wearable technologies along with a computer algorithm to predict private PINs and passwords with 80-percent accuracy on the first try and more than 90-percent accuracy after three tries.
In the first technique, called an internal attack, the attackers use malware to access the embedded sensors in wrist-worn devices. When the victim accesses a key-based security system, the malware sends the sensor data back to the attacker, where it can be aggregated to determine the victim's PIN.
The sniffing method, on the other hand, requires a sniffer to be placed near the key-based security system. The sniffer then intercepts the sensor data that the wearable devices send over Bluetooth to the victim's associated smartphone.
To test the two methods, the researchers conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a variety of technologies over 11 months. The researchers were able to trace fine-grained hand movements at millimeter-level resolution from the accelerometers, gyroscopes and magnetometers inside the wearable technologies, regardless of the hand's pose. Using a "Backward PIN-sequence Inference Algorithm", the researchers used the distance and direction estimates between consecutive keystrokes, derived from these measurements, to crack PIN codes with superb accuracy even without context clues about the keypad.
Their findings clearly showed that the size and power constraints of wearable devices do not allow robust security measures. However, the researchers recommended adding a certain type of noise to the sensor data in order to prevent the sensors in wearable devices from measuring fine-grained hand movements.
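The noise recommendation above raises the practical question of how much noise is actually needed. The following is an added, simplified one-dimensional model, not code from the study or from the researchers: it constructs an acceleration trace for a single hand move between two keys, shows that straightforward double integration recovers the distance moved, and then computes how much i.i.d. Gaussian noise (the noise type is an assumption; the article does not specify one) must be added to the acceleration samples before the integrated displacement becomes uncertain by about one key spacing. The sample rate, key pitch and move parameters are constructed values for illustration, not figures from the article.

```python
"""Added example: how much sensor noise masks a keypad-sized hand movement.

Constructed 1-D model (not the study's method): a hand moves between two keys,
the accelerometer samples that motion, and a defender adds Gaussian noise
before the samples leave the device. Displacement is recovered by double
integration, so the question is how large the noise must be for the
recovered displacement to blur by roughly one key pitch.
"""
import math
import random

SAMPLE_RATE_HZ = 100.0   # assumed wearable accelerometer rate (constructed)
KEY_PITCH_M = 0.015      # assumed ~15 mm spacing between keypad keys (constructed)


def constructed_keystroke_accel(distance_m, duration_s, rate_hz=SAMPLE_RATE_HZ):
    """Constructed acceleration trace: uniform acceleration for the first half of
    the move and uniform deceleration for the second half, so that the hand
    covers distance_m in duration_s and comes to rest (a = 4 d / T^2)."""
    n = int(round(duration_s * rate_hz))
    half = n // 2
    a = 4.0 * distance_m / duration_s ** 2
    return [a] * half + [-a] * (n - half)


def integrate_displacement(accel, dt):
    """Rectangle-rule double integration: acceleration -> velocity -> displacement."""
    v = x = 0.0
    for a in accel:
        v += a * dt
        x += v * dt
    return x


def add_noise(samples, sigma, rng):
    """Defender-side mitigation: add zero-mean Gaussian noise to each sample."""
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _sum_of_squares(n):
    return n * (n + 1) * (2 * n + 1) / 6.0


def displacement_error_std(sigma, n_samples, dt):
    """Analytic std-dev of the displacement error caused by i.i.d. Gaussian
    acceleration noise of std sigma under the integration above.  Noise on
    sample i enters the velocity once and is then added to x on each of the
    remaining (n - i) steps, so x_err = dt^2 * sum_i (n - i) e_i and
    var(x_err) = sigma^2 * dt^4 * sum_{m=1}^{n} m^2."""
    return sigma * dt ** 2 * math.sqrt(_sum_of_squares(n_samples))


def min_noise_for_key_ambiguity(n_samples, dt, key_pitch_m=KEY_PITCH_M):
    """Smallest noise std (m/s^2) at which one key-to-key move becomes
    uncertain by about one key pitch, i.e. displacement_error_std == key pitch."""
    return key_pitch_m / (dt ** 2 * math.sqrt(_sum_of_squares(n_samples)))


def monte_carlo_error_std(accel, sigma, dt, trials=2000, seed=1):
    """Empirical check of displacement_error_std using repeated noisy integrations."""
    rng = random.Random(seed)
    clean = integrate_displacement(accel, dt)
    errs = [integrate_displacement(add_noise(accel, sigma, rng), dt) - clean
            for _ in range(trials)]
    mean = sum(errs) / trials
    return math.sqrt(sum((e - mean) ** 2 for e in errs) / (trials - 1))


if __name__ == "__main__":
    dt = 1.0 / SAMPLE_RATE_HZ
    accel = constructed_keystroke_accel(distance_m=0.03, duration_s=0.5)  # 30 mm move
    print(f"samples: {len(accel)}, peak accel: {max(accel):.2f} m/s^2")
    print(f"recovered displacement (clean): {integrate_displacement(accel, dt) * 1000:.1f} mm")
    small = 0.05  # constructed 'small' noise level
    print(f"error std with sigma={small} m/s^2: "
          f"{displacement_error_std(small, len(accel), dt) * 1000:.2f} mm")
    needed = min_noise_for_key_ambiguity(len(accel), dt)
    print(f"noise std needed for ~one-key ambiguity: {needed:.2f} m/s^2")
    print(f"Monte Carlo error std at that level: "
          f"{monte_carlo_error_std(accel, needed, dt) * 1000:.1f} mm")
```

The takeaway for a defender is that noise well below the motion signal itself barely moves the recovered displacement, because double integration averages it out; the noise has to be comparable to the hand's own acceleration before a single key-to-key move becomes ambiguous, and the longer the integration window, the larger the drift. A real implementation would also have to decide when to switch such noise on, since it degrades the step counting and gesture detection the device exists for.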
Wang worked on the paper during his time at the Stevens Institute of Technology, together with three other graduate students: Chen Wang, Xiaonan Guo and Bo Liu. The study was led by their advisor, Yingying Chen, an electrical and computer engineering professor at Stevens and a multiple-time National Science Foundation awardee.