
Motion data from wearables can be used to steal PINs and passcodes

By Shawn Knight · 9 replies
Jul 6, 2016
  1. Researchers from Binghamton University and the Stevens Institute of Technology have developed an algorithm that is able to guess PINs and passwords with stunning accuracy based solely on motion data collected by modern wearables such as smartwatches and fitness trackers.

    Yan Wang, assistant professor of computer science at the Thomas J. Watson School of Engineering and Applied Science at Binghamton University and co-author of the paper “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” said wearables can be exploited in a way that allows attackers to reproduce the trajectories of a wearer’s hand to recover the sequence of buttons pressed at an ATM, electronic door lock or keypad-controlled enterprise server.

    The Backward PIN-sequence Inference Algorithm, as it’s called, relies on data collected from accelerometers, gyroscopes and magnetometers inside of wearables and can be put to use regardless of a person’s hand pose while entering the sensitive data.

    Although the technique is sophisticated, the threat is very real, Wang said. Their proof-of-concept algorithm, which is essentially a keylogger for motion, was able to correctly guess PINs and passwords with 80 percent accuracy on the first try. That figure climbed to more than 90 percent given three guesses.

    Wang said there are two attack scenarios. The first, called an internal attack, involves infiltrating embedded sensors in wrist-worn wearables via malware. Conversely, an attacker can perform a sniffing attack in which they position a wireless sniffer near a key-based security system. The sniffer is capable of intercepting data sent via Bluetooth between the user’s wearable and a paired smartphone.

    Researchers say they don’t yet have a solid solution to prevent the attack but suggest developers insert noise data which would make it harder to garner motion data. Another idea, they said, would be to bolster encryption to curb sniffer success.

    Or, you could just enter PIN and other private data using your other hand.

    Image courtesy LDprod, Shutterstock
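
The noise-insertion idea mentioned in the article, as an added sketch (not the researchers' algorithm and not code from the article): it measures how much zero-mean noise on accelerometer samples is needed before a distance estimate drifts by more than one key spacing. The 100 Hz sampling rate, 2 cm key pitch, sinusoidal hand movement and plain double integration are all assumptions made for this illustration.

```python
import math
import random

RATE_HZ = 100        # assumed wearable sampling rate
DT = 1.0 / RATE_HZ
KEY_PITCH = 0.02     # assumed 2 cm between adjacent keypad keys (metres)

def hand_move(distance, duration=0.5):
    """Constructed acceleration trace (m/s^2): one smooth key-to-key move."""
    n = round(duration * RATE_HZ)
    amp = 2 * math.pi * distance / duration ** 2
    return [amp * math.sin(2 * math.pi * (i + 0.5) / n) for i in range(n)]

def displacement(accel):
    """Distance estimate from integrating acceleration twice."""
    v = x = 0.0
    for a in accel:
        v += a * DT
        x += v * DT
    return x

def add_noise(accel, sigma, rng):
    """Mitigation sketch: zero-mean Gaussian noise added to each sample
    before it leaves the device."""
    return [a + rng.gauss(0.0, sigma) for a in accel]

def rms_error(sigma, trials=500, seed=1):
    """RMS error (metres) of the distance estimate over noisy copies."""
    rng = random.Random(seed)
    clean = hand_move(KEY_PITCH)
    total = 0.0
    for _ in range(trials):
        est = displacement(add_noise(clean, sigma, rng))
        total += (est - KEY_PITCH) ** 2
    return math.sqrt(total / trials)

if __name__ == "__main__":
    for sigma in (0.0, 0.05, 0.5, 1.0, 2.0):
        err = rms_error(sigma)
        blurred = "yes" if err > KEY_PITCH else "no"
        print(f"sigma={sigma:4.2f} m/s^2  rms error={err * 1000:6.2f} mm  "
              f"exceeds key pitch: {blurred}")
```

Under these assumptions the error only reaches one key pitch at a noise level of around 1 m/s², about twice the peak acceleration of the constructed movement itself, so the noise has to be large relative to the signal to have an effect.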


  2. psycros

    psycros TS Evangelist Posts: 2,825   +2,672

    LOL! Exactly as I predicted almost two years ago. As for a solution to this "problem", how about not wasting a bunch of money on a completely useless connected device?
    Reehahs, alabama man and BSim500 like this.
  3. Invizibleyez

    Invizibleyez TS Enthusiast Posts: 73   +20

    I call bs. Most people are right handed, and I am fairly certain that most people also wear their wearable tech on their left hand. I know I do. So, how is this working? It doesn't add up. Something else is going on here...
    alabama man likes this.
  4. Badvok

    Badvok TS Maniac Posts: 304   +157

    "Or, you could just enter PIN and other private data using your other hand."

    Yep, and is probably most often the case since wearables are typically worn on the non-dominant wrist allowing the dominant hand to access the wearable's functions.
    alabama man likes this.
  5. BSim500

    BSim500 TS Evangelist Posts: 628   +1,259

    Indeed. Still using a £5 "dumb" pedometer / wrist-watch for my exercise needs. Unless you're planning to enter the Olympics in some official controlled training programme or have some ongoing medical condition (which generally needs a proper medical device not just sports equipment), the amount of data the average person "needs" to collect to go for a simple jog is way overblown by certain marketing departments. In fact, making exercise too technical can actually suck all the fun out of it.
  6. Timonius

    Timonius TS Evangelist Posts: 648   +58

    Old fat guy here :) I'm a strong advocate of a good automated heart-rate tracker. Pushing the heart too much too soon can cause more problems than the worth of exercise. All the other stuff...yeah, whatever.

    Anyway, back on track. I wonder when people will be injected with motion sensors and then someone will always know where you are and what you are doing (ie. probably start off with some crazy high tech military stuff). Scary thought when we value our so-called freedom. Is this motion sensing technology taking things too far?
    Reehahs likes this.
  7. So it's BS because, even though the exploit works, a lot of people don't enter pins with their left hand? Fascinating.
  8. Invizibleyez

    Invizibleyez TS Enthusiast Posts: 73   +20

    Yeah. That's pretty much how dominant hands work. You tend to use them for most things.
  9. Camikazi

    Camikazi TS Evangelist Posts: 981   +339

    I think the BS part is the way they are making it seem highly dangerous when what Invizibleyez says is true, most left handed people will put trackers and watches on right hand and right handers will put them on the left hand. That alone makes this type of attack almost useless since you would need someone who types in their PIN with their weak hand (most would not) or someone who puts their watch on their dominant hand.
  10. captaincranky

    captaincranky TechSpot Addict Posts: 15,179   +4,127

    This is easy to get around. Just wear your Tech stuff on your GOOD hand. Then, with your pants slung low, fiddle with your junk, (like so many kidz today do), with the hand the wearable is on, while punching in your PIN number with the other. (Your ostensibly, "bad hand").

    Unless you're what has become to be known in the colloquial as a, "switch hitter". In which case, you needn't bother swapping arms with your tech fitness trash.

    Is this post in bad taste? You betcha! ;):cool:
