Motion data from wearables can be used to steal PINs and passcodes

Shawn Knight


Researchers from Binghamton University and the Stevens Institute of Technology have developed an algorithm that is able to guess PINs and passwords with stunning accuracy based solely on motion data collected by modern wearables such as smartwatches and fitness trackers.

Yan Wang, assistant professor of computer science at the Thomas J. Watson School of Engineering and Applied Science at Binghamton University and co-author of the paper “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” said wearables can be exploited in a way that allows attackers to reproduce the trajectories of a wearer’s hand to recover the sequence of buttons pressed at an ATM, electronic door lock or keypad-controlled enterprise server.

The Backward PIN-sequence Inference Algorithm, as it’s called, relies on data collected from accelerometers, gyroscopes and magnetometers inside of wearables and can be put to use regardless of a person’s hand pose while entering the sensitive data.

Although the technique is sophisticated, the threat is very real, Wang said. Their proof-of-concept algorithm, which is essentially a keylogger for motion, was able to correctly guess PINs and passwords with 80 percent accuracy on the first try. That figure climbed to more than 90 percent given three guesses.

Wang said there are two attack scenarios. The first, called an internal attack, involves infiltrating embedded sensors in wrist-worn wearables via malware. Conversely, an attacker can perform a sniffing attack in which they position a wireless sniffer near a key-based security system. The sniffer is capable of intercepting data sent via Bluetooth between the user’s wearable and a paired smartphone.

Researchers say they don’t yet have a solid solution to prevent the attack but suggest developers insert noise data which would make it harder to garner motion data. Another idea, they said, would be to bolster encryption to curb sniffer success.

Or, you could just enter PIN and other private data using your other hand.

Image courtesy LDprod, Shutterstock


 
I call bs. Most people are right handed, and I am fairly certain that most people also wear their wearable tech on their left hand. I know I do. So, how is this working? It doesn't add up. Something else is going on here...
 
"Or, you could just enter PIN and other private data using your other hand."

Yep, and is probably most often the case since wearables are typically worn on the non-dominant wrist allowing the dominant hand to access the wearable's functions.
 
LOL! Exactly as I predicted almost two years ago. As for a solution to this "problem", how about not wasting a bunch of money on a completely useless connected device?
Indeed. Still using a £5 "dumb" pedometer / wrist-watch for my exercise needs. Unless you're planning to enter the Olympics in some official controlled training programme or have some ongoing medical condition (which generally needs a proper medical device not just sports equipment), the amount of data the average person "needs" to collect to go for a simple jog is way overblown by certain marketing departments. In fact, making exercise too technical can actually suck all the fun out of it.
 
... the amount of data the average person "needs" to collect to go for a simple jog is way overblown...

Old fat guy here :) I'm a strong advocate of a good automated heart-rate tracker. Pushing the heart too much too soon can cause more problems than the worth of exercise. All the other stuff...yeah, whatever.

Anyway, back on track. I wonder when people will be injected with motion sensors and then someone will always know where you are and what you are doing (ie. probably start off with some crazy high tech military stuff). Scary thought when we value our so-called freedom. Is this motion sensing technology taking things too far?
 
I call bs. Most people are right handed, and I am fairly certain that most people also wear their wearable tech on their left hand. I know I do. So, how is this working? It doesn't add up. Something else is going on here...

So it's BS because, even though the exploit works, a lot of people don't enter pins with their left hand? Fascinating.
 
I call bs. Most people are right handed, and I am fairly certain that most people also wear their wearable tech on their left hand. I know I do. So, how is this working? It doesn't add up. Something else is going on here...

So it's BS because, even though the exploit works, a lot of people don't enter pins with their left hand? Fascinating.
I think the BS part is the way they are making it seem highly dangerous when what Invizibleyez says is true, most left-handed people will put trackers and watches on right hand and right-handers will put them on the left hand. That alone makes this type of attack almost useless since you would need someone who types in their PIN with their weak hand (most would not) or someone who puts their watch on their dominant hand.
 
This is easy to get around. Just wear your Tech stuff on your GOOD hand. Then, with your pants slung low, fiddle with your junk, (like so many kidz today do), with the hand the wearable is on, while punching in your PIN number with the other. (Your ostensibly, "bad hand").

Unless you're what has come to be known in the colloquial as a "switch hitter". In which case, you needn't bother swapping arms with your tech fitness trash.

Is this post in bad taste? You betcha! ;):cool:
 