Did your smart watch and fitness tracker just give away your PIN?
12 July 2016
Wearable devices – such as Fitbits, Jawbones, Nike+, Apple Watches and the like – are white-hot. The tech segment is already producing an estimated $14 billion (€12.7 billion) in sales worldwide, and expected to more than double within four years, climbing to north of $30 billion (€27 billion).
But a new report from the Stevens Institute of Technology, New Jersey, USA, reveals that those cool wearables may leak information as you use them. Stevens research engineers discovered that the motions of your hands as you use PIN pads, which are continually and automatically recorded by your device’s motion sensors, can be captured in real time and used to guess your PIN with more than 90 per cent accuracy within a few attempts.
Electrical and computer engineering professor Yingying Chen and three of her graduate students carried out the tests in Stevens’ labs, assisted by Stevens’ alumnus Dr Yan Wang, now a professor at Binghamton University, New York.
“This was surprising, even to those of us already working in this area,” said Chen, a multiple-time National Science Foundation awardee. “It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”
The Stevens team outfitted 20 volunteers with an array of fitness wristbands and smart watches, then asked them to make some 5,000 sample PIN entries on keypads or laptop keyboards while ‘sniffing’ the packets of Bluetooth Low Energy (BLE) data transmitted by sensors in those devices to paired smartphones.
‘Sniffing’ and internal attacks
“There are two kinds of potential attacks here: sniffing attacks and internal attacks,” explained Chen. “An adversary can place a wireless ‘sniffer’ close to a key-based security system and eavesdrop on sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data.”
After capturing accelerometer, gyroscope and magnetometer data from the devices and using it to estimate the distance and direction of the hand’s movement between each pair of consecutive key presses, Chen’s team developed a backward-inference algorithm that works from the last keystroke back to the first to predict four-digit PIN codes.
“These predictions were assisted by the standardised layout of most PIN pads and keyboards – plus the knowledge that nearly all users will hit ‘enter’ as their final significant hand motion after entering a code,” she noted.
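As an added illustration of the backward-inference idea described above (this is not the Stevens team’s code, and it is deliberately simplified): the Python below assumes that the hand displacement between consecutive key presses has already been estimated from the motion data, in units of one key pitch, and assumes a fixed 3x4 keypad with Enter at the bottom right. It anchors on the known final Enter press, walks the displacement estimates in reverse, snaps each inferred position to candidate digits, and keeps the best-scoring sequences, which is what yields a ranked list of guesses (a ‘first guess’ and a ‘within five tries’ figure). The keypad layout, the noise model and the sample PINs are constructed for the example.

```python
"""Backward inference of a 4-digit PIN from estimated hand displacements.

Illustrative, simplified re-creation of the idea in the article; it is NOT
the Stevens team's code. Assumptions (not from the article):
  * the (dx, dy) move between consecutive key presses has already been
    estimated from accelerometer/gyroscope data, in units of one key pitch;
  * a standard 3x4 keypad layout with 'E' (Enter) at the bottom-right;
  * the last press is always Enter, so inference runs backwards from it.
"""
import random
from typing import Dict, List, Tuple

# Assumed keypad layout: (column, row) grid coordinates, one key pitch apart.
KEYPAD: Dict[str, Tuple[int, int]] = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "C": (0, 3), "0": (1, 3), "E": (2, 3),   # C = cancel, E = enter
}
DIGITS = [k for k in KEYPAD if k.isdigit()]
Vec = Tuple[float, float]


def key_displacements(keys: str) -> List[Vec]:
    """Exact (dx, dy) moves between consecutive presses, e.g. '1357E' -> 4 moves."""
    pts = [KEYPAD[k] for k in keys]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]


def simulate_sensor_estimate(pin: str, noise: float, rng: random.Random) -> List[Vec]:
    """Constructed stand-in for what a sniffer would derive from wearable motion
    data: the true moves for pin+Enter, each perturbed by Gaussian noise."""
    return [(dx + rng.gauss(0, noise), dy + rng.gauss(0, noise))
            for dx, dy in key_displacements(pin + "E")]


def infer_pins(moves: List[Vec], beam: int = 50, top_k: int = 5) -> List[Tuple[str, float]]:
    """Backward inference: anchor at Enter, walk the moves in reverse, and keep
    the `beam` best partial sequences by accumulated squared position error.
    Returns the top_k PIN candidates with their error (lower = more likely)."""
    # Each state: (digits inferred so far, in reverse order; anchor position; error)
    states: List[Tuple[str, Vec, float]] = [("", KEYPAD["E"], 0.0)]
    for dx, dy in reversed(moves):
        expanded: List[Tuple[str, Vec, float]] = []
        for rev_keys, (ax, ay), err in states:
            # Estimated position of the previous press = anchor minus the move.
            px, py = ax - dx, ay - dy
            for d in DIGITS:
                kx, ky = KEYPAD[d]
                e = (kx - px) ** 2 + (ky - py) ** 2
                # Snap the anchor to the chosen key so noise does not accumulate as drift.
                expanded.append((rev_keys + d, (float(kx), float(ky)), err + e))
        expanded.sort(key=lambda s: s[2])
        states = expanded[:beam]
    ranked = [(rev[::-1], round(err, 3)) for rev, _, err in states]
    return ranked[:top_k]


def rank_of_true_pin(pin: str, noise: float, seed: int = 1) -> int:
    """1-based rank of the true PIN among the top-5 candidates (0 if absent)."""
    moves = simulate_sensor_estimate(pin, noise, random.Random(seed))
    cands = [p for p, _ in infer_pins(moves)]
    return cands.index(pin) + 1 if pin in cands else 0


if __name__ == "__main__":
    for pin in ("1357", "2580", "9040"):
        moves = simulate_sensor_estimate(pin, 0.25, random.Random(7))
        print(pin, infer_pins(moves)[:3])
```

With noise-free displacements the true PIN is the unique zero-error candidate; as the noise grows, whole-sequence shifts (for example 1357 versus 2468) become the main competitors, because once one key is snapped to a neighbour every earlier key shifts with it. That is also why the standardised layout and the known final Enter press help so much: they remove the one degree of freedom the attacker cannot observe.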
While some devices proved more secure than others, the algorithm’s first guess succeeded an astonishing 80 per cent of the time, on average. Within five tries, its accuracy climbed to 99 per cent on some devices. “Further research is needed, and we are also working on countermeasures,” concluded Chen, adding that wearables are not easily hackable – but they are hackable.
A paper on the new research, ‘Friend or Foe? Your Wearable Devices Reveal Your Personal PIN’, received the Best Paper Award at the ACM Asia Conference on Computer and Communications Security (ASIA CCS 2016) in Xi’an, China, in May.
Chen Wang, Xiaonan Guo, Yan Wang, Yingying Chen, Bo Liu. ‘Friend or Foe? Your Wearable Devices Reveal Your Personal PIN’. In Proceedings of the 11th ACM Asia Conference on Computer and Communications Security (ASIA CCS ’16), 2016. DOI: 10.1145/2897845.2897847