With all the personal data it collects, your wrist-mounted wearable computer is almost definitely going to betray you at some point, whether that’s a reminder to get up and do another 5,000 steps this afternoon or accidentally giving away your ATM PIN. According to a new paper, ominously titled “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN” it is surprisingly simple to determine your PIN or password by reverse-engineering motion sensor data from a smartwatch or fitness tracker.
In the paper, a team of researchers from the Stevens Institute of Technology and Binghamton University describe a deceptively straightforward method that can reportedly guess your password with about 80 percent accuracy on the first attempt. Although the paper doesn’t name specific devices that are vulnerable, it does note that many record your hand’s movements with enough detail to precisely identify keypresses.
“The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose,” .While the data alone won’t tell an attacker you’re using your birthday as your PIN, the researchers built their own algorithm that can decipher the motion data even if they don’t know anything about the keypad you’re poking at. What’s more: an attacker can get this data either by using malware installed directly on the device or remotely by eavesdropping on the Bluetooth connection that sends the data to your smartphone.
As for a solution, the research team suggests developers should obfuscate sensitive data by introducing “a certain type of noise data” that would allow it to still be used for fitness tracking, but not keystroke-guessing. Or, you could always take a low-tech approach and remember to enter your passwords with the hand that isn’t wearing a highly sophisticated motion tracking device.