Typing PINs and passwords into a smartwatch or similar wearable can leave you vulnerable to hackers, according to researchers from Binghamton University and the Stevens Institute of Technology. The researchers found that it’s possible for attackers to figure out secret access codes by tracking and measuring “fine-grained” hand movements used when inputting security information into wearable devices.
In 5,000 key-entry tests for three different security systems over nearly a year, the researchers found they were able to successfully crack 80 percent of PINs and passwords on the first try. With three tries, the accuracy of the hacks rose to more than 90 percent.
Because there’s no immediate way to avoid such vulnerabilities with wearables, the researchers said that it’s probably best not to enter security data into such devices if there’s any chance of being observed either directly or remotely.
The researchers also suggested that developers find ways to “inject a certain type of noise” into wearable data so the devices can still be used effectively to count steps or monitor other physical activities without giving away the finer hand motions involved in typing.
‘Sophisticated’ Two-Pronged Attack Method
Yan Wang, an assistant professor of computer science at New York state’s Binghamton University, described the team’s findings in a paper titled “Friend or Foe? Your Wearable Devices Reveal Your Personal PIN.” Presented recently at the annual Association for Computing Machinery Asia Conference on Computer and Communications Security in China, the paper was co-authored with Stevens Institute lead researcher Yingying Chen and colleagues Chen Wang, Xiaonan Guo and Bo Liu.
Wang said there are two ways a hacker can monitor a wearable owner’s hand movements to figure out PINs and passwords: an internal attack that uses malware to access data from embedded sensors in a device, and an external hack employing a wireless…