Don't wear your passwords on your sleeve

By Liz Meszaros, MDLinx
Published July 8, 2016

Key Takeaways

Hackers may be plugging in to your newest wearable technology—such as smartwatches and fitness trackers—to discover all of your PINs and passwords, according to researchers from Binghamton University, State University of New York, Binghamton, NY, and the Stevens Institute of Technology.

They found that hackers can use the combined data from embedded sensors found in these new technologies with a computer algorithm to crack private PINs and passwords with 80% accuracy on the first try and 90% accuracy after three tries.

Because of their small size and limited computing power, robust security measures are not feasible in these wearable devices, which leaves them more vulnerable to hackers.

“Wearable devices can be exploited,” said co-author Yan Wang, PhD, assistant professor of computer science, Thomas J. Watson School of Engineering and Applied Science at Binghamton University. “Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks, and keypad-controlled enterprise servers.”

Over 11 months, Dr. Wang and fellow researchers had 20 adults wearing various new devices perform 5,000 key-entry tests on three key-based security systems, including an ATM. They found that they could capture millimeter-level measurements of fine-grained hand movements from the accelerometers, gyroscopes, and magnetometers contained in these devices. These measurements could then be fed to a “Backward PIN-sequence Inference Algorithm” to break codes without any context clues about the keypad.

“The threat is real, although the approach is sophisticated. There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware,” explained Dr. Wang.

“The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim's PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop on sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones,” he added.

Possible fixes for this vulnerability could include better encryption between the host operating system and the devices, suggested these researchers. Dr. Wang is currently collaborating on this and other studies of mobile device security and privacy with co-authors Chen Wang, Xiaonan Guo, Bo Liu, and lead researcher Yingying Chen from the Stevens Institute of Technology, Hoboken, NJ.
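To make the suggested fix concrete, here is an added example (written for this page, not code from the researchers or from any wearable vendor) of what "better encryption between the host and the device" looks like on the wire. It assumes a constructed 22-byte sensor frame layout, a 32-byte session key agreed during pairing, and AES-256-GCM with a per-packet sequence number as nonce and authenticated associated data; none of those details come from the article.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// SensorFrame is a constructed stand-in for one sample a wrist-worn device
// streams to its paired phone: timestamp plus three-axis accelerometer,
// gyroscope and magnetometer readings. The layout is assumed, not a product's.
type SensorFrame struct {
	TimestampMs uint32
	Accel       [3]int16
	Gyro        [3]int16
	Mag         [3]int16
}

const frameSize = 4 + 9*2 // 22 bytes on the wire

// Marshal serialises the frame as little-endian fixed-width fields.
func (f SensorFrame) Marshal() []byte {
	buf := make([]byte, frameSize)
	binary.LittleEndian.PutUint32(buf[0:4], f.TimestampMs)
	off := 4
	for _, axes := range [][3]int16{f.Accel, f.Gyro, f.Mag} {
		for _, v := range axes {
			binary.LittleEndian.PutUint16(buf[off:off+2], uint16(v))
			off += 2
		}
	}
	return buf
}

// UnmarshalFrame is the inverse of Marshal and rejects wrong-sized input.
func UnmarshalFrame(b []byte) (SensorFrame, error) {
	var f SensorFrame
	if len(b) != frameSize {
		return f, fmt.Errorf("bad frame length %d", len(b))
	}
	f.TimestampMs = binary.LittleEndian.Uint32(b[0:4])
	off := 4
	for _, axes := range []*[3]int16{&f.Accel, &f.Gyro, &f.Mag} {
		for i := range axes {
			axes[i] = int16(binary.LittleEndian.Uint16(b[off : off+2]))
			off += 2
		}
	}
	return f, nil
}

// SensorLink holds one direction of an authenticated, encrypted link. The
// receiver remembers the highest sequence seen so a captured packet cannot
// simply be replayed into the phone later.
type SensorLink struct {
	aead    cipher.AEAD
	sendSeq uint64
	recvSeq uint64
}

// NewSensorLink wraps a 32-byte session key (assumed to be derived fresh at
// each pairing) in AES-256-GCM.
func NewSensorLink(key []byte) (*SensorLink, error) {
	if len(key) != 32 {
		return nil, errors.New("session key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SensorLink{aead: aead}, nil
}

// nonceFor builds the 96-bit GCM nonce from the sequence number; the
// sequence only increases, so a nonce is never reused under one key.
func nonceFor(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// Seal produces the on-air packet: 8-byte sequence number, then GCM
// ciphertext and tag. The sequence is authenticated as associated data.
func (l *SensorLink) Seal(f SensorFrame) []byte {
	l.sendSeq++
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, l.sendSeq)
	pkt := append([]byte(nil), seq...)
	return l.aead.Seal(pkt, nonceFor(l.sendSeq), f.Marshal(), seq)
}

// Open verifies and decrypts a packet, rejecting replays and any alteration.
func (l *SensorLink) Open(pkt []byte) (SensorFrame, error) {
	if len(pkt) < 8 {
		return SensorFrame{}, errors.New("packet too short")
	}
	seq := binary.BigEndian.Uint64(pkt[:8])
	if seq <= l.recvSeq {
		return SensorFrame{}, errors.New("replayed or out-of-order packet")
	}
	plain, err := l.aead.Open(nil, nonceFor(seq), pkt[8:], pkt[:8])
	if err != nil {
		return SensorFrame{}, errors.New("authentication failed: altered packet or wrong key")
	}
	l.recvSeq = seq
	return UnmarshalFrame(plain)
}

// SnifferSeesReadings models a passive listener with no key: it reports
// whether the serialised readings appear verbatim in what was transmitted.
func SnifferSeesReadings(pkt []byte, f SensorFrame) bool {
	return bytes.Contains(pkt, f.Marshal())
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	tx, _ := NewSensorLink(key)
	rx, _ := NewSensorLink(key)
	f := SensorFrame{TimestampMs: 1000, Accel: [3]int16{12, -340, 980},
		Gyro: [3]int16{5, 2, -7}, Mag: [3]int16{-120, 60, 410}}
	fmt.Println("unencrypted frame readable by sniffer:", SnifferSeesReadings(f.Marshal(), f))
	pkt := tx.Seal(f)
	fmt.Println("encrypted packet readable by sniffer:", SnifferSeesReadings(pkt, f))
	got, err := rx.Open(pkt)
	fmt.Println("phone decoded:", got, err)
	_, err = rx.Open(pkt)
	fmt.Println("replay of same packet:", err)
}
```

Note the scope: this closes only the sniffing scenario Dr. Wang describes. In the internal scenario, malware reads the sensors on the device before any link encryption happens, so link encryption is one layer, not a complete answer.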

These results were published in the proceedings of the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS), held in Xi’an, China, May 30-June 3, where the paper received the “Best Paper Award.”

The research was funded, in part, by a grant from the National Science Foundation and the United States Army Research Office.
