Researchers from Binghamton University and the Stevens Institute of Technology have developed an algorithm that is able guess PINs and passwords with stunning accuracy based solely on motion data collected by modern wearables such as smartwatches and fitness trackers.
Yan Wang, assistant professor of computer science at the Thomas J. Watson School of Engineering and Applied Science at Binghamton University and co-author of the paper “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” said wearables can be exploited in a way that allows attackers to reproduce the trajectories of a wearer’s hand to recover the sequence of buttons pressed at an ATM, electronic door lock or keypad-controlled enterprise server.
The Backward PIN-sequence Inference Algorithm, as it’s called, relies on data collected from accelerometers, gyroscopes and magnetometers inside of wearables and can be put to use regardless of a person’s hand pose while entering the sensitive data.
Although the technique is sophisticated, the threat is very real, Wang said. Their proof-of-concept algorithm, which is essentially a keylogger for motion, was able to correctly guess PINs and passwords with 80 percent accuracy on the first try. That figure climbed to more than 90 percent given three guesses.
Wang said there are two attack scenarios. The first, called an internal attack, involves infiltrating embedded sensors in wrist-worn wearables via malware. Conversely, an attacker can perform a sniffing attack in which they position a wireless sniffer near a key-based security system. The sniffer is capable of intercepting data sent via Bluetooth between the user’s wearable and a paired smartphone.
Researchers say they don’t yet have a solid solution to prevent the attack but suggest developers insert noise data which would make it harder to garner motion data. Another idea, they said, would be to bolster encryption to curb sniffer success.
Or, you could just enter PIN and other private data using your other hand.
Image courtesy LDprod, Shutterstock