
Quick question – are you right or left handed?

That’s a harmless enough question, but here’s the follow-up: do you wear a smartwatch or fitness tracker on that same wrist?

If you do, then you may want to rethink whether that was a sensible choice after you’ve read about some fascinating research done by a group of scientists from Binghamton University.

As Science Daily reports, researchers from Binghamton University and the Stevens Institute of Technology have been looking at ways in which the sensors in wearable technology could potentially help hackers crack our private PIN codes and passwords.

In a paper entitled “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN” the researchers describe how they were able to record minute fine-grained movements from the sensors embedded in wearable fitness tracking devices and then – with the aid of a computer algorithm – determine the likely PIN code or security password entered:

“In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user’s fine-grained hand movements, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries. In particular, our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user’s hand between consecutive key entries regardless of the pose of the hand. Our Backward PIN-Sequence Inference algorithm exploits the inherent physical constraints between key entries to infer the complete user key entry sequence.”
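
To see why the "inherent physical constraints between key entries" make the inference tractable, here is an added toy illustration (not the paper's code, and no sensor processing is modelled): it assumes a standard 3x4 PIN pad with a 15 mm key pitch and a 4 mm matching tolerance, takes constructed hand-displacement measurements between consecutive presses, and walks the chain backwards from every possible last key, keeping only sequences whose every step fits the keypad geometry.

```python
"""Toy illustration of the inference step the paper calls 'Backward PIN-Sequence
Inference': on a fixed-layout keypad, each measured hand displacement between
two consecutive presses only fits a handful of key pairs, so chaining the steps
backwards from every possible last key leaves very few candidate PINs.
Sensor fusion (accelerometer/gyroscope/magnetometer -> mm-level displacement)
is NOT modelled; the displacements below are constructed inputs."""
import math

# Assumed geometry: standard 3x4 PIN pad, 15 mm key pitch, origin at key "1".
PITCH_MM = 15.0
KEYPAD = {str(d): (((d - 1) % 3) * PITCH_MM, ((d - 1) // 3) * PITCH_MM)
          for d in range(1, 10)}
KEYPAD["0"] = (1 * PITCH_MM, 3 * PITCH_MM)  # "0" sits directly under "8"


def step_between(prev_key, next_key):
    """Ideal (dx, dy) in mm for a finger moving from prev_key to next_key."""
    (px, py), (nx, ny) = KEYPAD[prev_key], KEYPAD[next_key]
    return nx - px, ny - py


def infer_pins(displacements, tol_mm=4.0):
    """Return candidate PINs, best first, for a list of measured (dx, dy) steps.
    Each candidate is scored by the summed mismatch against the ideal geometry;
    any step whose mismatch exceeds tol_mm is pruned. Walks the chain backwards."""
    # Each partial solution: (keys_so_far, accumulated_error), seeded by a last key.
    partials = [([last], 0.0) for last in KEYPAD]
    for dx, dy in reversed(displacements):
        extended = []
        for keys, err in partials:
            cur = keys[0]
            for prev in KEYPAD:
                ex, ey = step_between(prev, cur)
                mismatch = math.hypot(ex - dx, ey - dy)
                if mismatch <= tol_mm:
                    extended.append(([prev] + keys, err + mismatch))
        partials = extended
    ranked = sorted(partials, key=lambda p: (p[1], "".join(p[0])))
    return ["".join(keys) for keys, _ in ranked]


if __name__ == "__main__":
    # Constructed, slightly noisy measurements for a user who typed 1-4-7-0.
    noisy = [(1.0, 14.0), (-2.0, 16.0), (14.0, 13.5)]
    print(infer_pins(noisy))               # ['1470']
    print(len(infer_pins([(0.0, 15.0)])))  # 7: the key pairs one row apart
```

A single step leaves several key pairs open, but each further step prunes the chain hard; that compounding constraint is what the quoted 80% first-try figure rests on, and it is why the geometry of a fixed keypad matters as much as the sensor precision.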

According to Yan Wang, an assistant professor of computer science at Binghamton University and a co-author of the study, they were able to crack private PIN codes with 80% accuracy on the first attempt, and with more than 90% accuracy after three tries:

“To our knowledge [this] is the first technique that reveals personal PINs leveraging wearable devices without the need for labeled training data and contextual information.”

It certainly sounds impressive, but how would a bad actor put such a sophisticated attack into practice?

One method might be to infect the actual wearable device itself with malware, collecting wrist movement data as a security system is accessed and sending data back to the attackers for analysis.

Alternatively, Wang proposes that a device could be secreted close to the ATM PIN pad or key-based security system to eavesdrop on data as it is sent from the device back to an associated smartphone – typically via Bluetooth.

Of course, that particular approach relies upon the detailed sensor data being synced and shared with a smartphone at the time the target is using the ATM.

Research conducted in the past has proven that many fitness trackers are falling short when it comes to securing users’ data, suggesting that weaknesses that could be exploited by hackers are not uncommon.

As you can probably see, the kind of attack described by the researchers is unlikely to become widespread any time soon, but it is – nonetheless – interesting and imaginative research. And it may shine a light on the types of attacks that some intelligence agencies and law enforcement authorities might be tempted to undertake against people of interest.

Me? I’m not planning to lose any sleep over this. But I am going to carry on typing in my PIN code with my right hand, while shielding the buttons with my fitness tracker-wearing left.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.