Mobile systems and cyber security expert Yan Wang doesn’t wear a smart watch. He says “If you are carrying a smart watch, you need to beware.” Wearable gadgets can reveal your PIN number, according to research by him and his colleagues submitted in June at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China. By linking smartwatch sensor data with an algorithm to infer key insertion sequences from even the miniature of hand actions, the unit was able to decode secret ATM PINs with 80% accuracy on the front try and more than 90% accuracy after three attempts.
At the beginning, it was like science fiction said, Wang. “But it can really be done. There are so many sensors on these wearable gadgets. It stores enough information with smallest hand movements.”
There has long been attention over the protection of smart watches, fitness trackers, and other internet-connected wearables that accumulate sensitive data, such as what time a user departs their home. To conclude user data on keyboards, former cyber security studies have used cameras to examine how a hand rolls over a keypad or machine-based learning ways to instruct a program to identify user gestures.
Now, spying on a PIN just got way easier, due to sensors that measure acceleration, orientation and direction. Led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, the researchers conducted 5,000 key-entry experiment on three separate keypads—a detachable ATM pad, a keypad on ATM machine, and a QWERTY keyboard. Approx 20 adults conducted the analysis wearing one of three distinct devices: the LG W150 or Moto360 smart watches or the Invensense MPU-9150, a nine-axis motion tracking device.
The unit downloaded sensor data from the analysis, which traced hand gestures down to the millimeter. Using an algorithm they called the “Backward PIN-sequence Inference Algorithm,” the unit was capable of decoding with alarming assort.
The most stressful part of the process was dropping errors that arise when trying to determine the distance traveled based on acceleration, says Wang. The unit discovered the best way to reduce those flaws was to work backward.
The method was easier. Instead, data can be taken by either a wireless sniffer installed close to a keypad to capture Bluetooth transmitted by the wearable to a smartphone, or by installing malware on the wearable or smartphone to monitor the data and transfer it to the attacker’s server.
Wang is oblivious of anyone currently taking PIN numbers in this way. To eliminate protection breach, wearable companies could better ensure the data, or even just add alarm so it is not so easily turned into physical hand gestures.
