“It knows too much,” says Wang, an assistant professor of computer science at Binghamton University in Upstate New York. “If you are using a smart watch, you need to be cautious.”
He would know. Wearable devices can give away your PIN number, according to research he and colleagues presented in June at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS) in Xi’an, China. By combining smart watch sensor data with an algorithm to infer key entry sequences from even the smallest of hand movements, the team was able to crack private ATM PINs with 80 percent accuracy on the first try and more than 90 percent accuracy after three tries.
“I have to admit, at the beginning, I thought this would be science fiction,” says Wang. “But it can actually be done. There are just so many sensors on these wearable devices. It provides sufficient information of your hand movements.”
There has long been concern over the security of smart watches, fitness trackers, and other internet-connected wearables that gather sensitive information, such as what time of day a user leaves their home. To infer user inputs on keyboards, past cyber security studies have used cameras to observe how a hand moves over a keypad or machine-based learning techniques to train a program to detect user movements.
Now, spying on a PIN just got way easier, thanks to sensors that measure acceleration, orientation and direction in our wrist devices. Led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, the researchers conducted 5,000 key-entry tests on three different keypads—a detachable ATM pad, a keypad on ATM machine, and a QWERTY keyboard. Twenty adults performed the tests wearing one of three different devices: the LG W150 or Moto360 smart watches or the InvensenseMPU-9150, a nine-axis motion tracking device.
The team downloaded sensor data from the tests, which recorded hand movements down to the millimeter. Using an algorithm they called the “Backward PIN-sequence Inference Algorithm,” the team was able to break the codes with alarming accuracy.
The most challenging part of the process was eliminating errors that emerge when trying to calculate distance moved based on acceleration, says Wang. The team found the best way to minimize those errors was to work backwards: Most people end a PIN entry by pressing ‘Enter’, so the team started with the Enter key, then traced backwards to each preceding key—a hacker’s version of connect-the-dots.
The method does not require an attacker to be anywhere near an ATM or other key-entry pad (such as an electronic door lock or computer keyboard). Instead, data can be stolen by either a wireless sniffer placed close to a keypad to capture Bluetooth packets sent by the wearable to a smartphone, or by installing malware on the wearable or smartphone to eavesdrop on the data and send it to the attacker’s server.
Wang is unaware of anyone currently stealing PIN numbers in this way, but he says it would not be a stretch. To eliminate this security breach, wearable manufacturers could better secure the data, or even just add noise so it is not so easily translated into physical hand movements.
Until then, you can mask your own data by moving your hand randomly between key clicks when entering a PIN number. “It may look weird, but it helps,” says Wang. “If you’re just moving from key to key, we can track that.”