Hackers can steal your ATM PIN from your smart devices


Who doesn’t love good tech? We all do. Smart devices are exploding onto the tech scene: from smartwatches and Google Glass to fitness trackers, wearable technology is going mainstream. But how safe are they?

New research has shown that smartwatches and fitness trackers record your movements in enough detail that attackers can exploit the data to steal your ATM PIN or password.

The risk lies in the motion sensors used by these wearable devices. The sensors also collect information about your hand movements among other data, making it possible for “attackers to reproduce the trajectories” of your hand and “recover secret key entries.”

That finding comes from a report by Yan Wang, an assistant professor of computer science at the Thomas J. Watson School of Engineering and Applied Science at Binghamton University.

Wang should know. When he was a graduate student at the Stevens Institute of Technology, he was one of five researchers on a team led by Yingying Chen that developed a technique combining data from the embedded sensors in wearables with an algorithm; it could crack PINs and passwords with 80% accuracy in just one try. After three tries, they achieved 90% accuracy.

He admitted, “At the beginning, I thought this would be science fiction, but it can actually be done. There are just so many sensors on these wearable devices. It provides sufficient information of your hand movements.”

Over an 11-month period, the researchers ran 5,000 key-entry tests on three key-based security systems; they determined there is a “serious security breach of wearable devices in the context of divulging secret information (i.e., key entries).”

By using data from “accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose,” the researchers could record a hand’s fine-grained movements. Then they used their “Backward PIN-sequence Inference Algorithm” to crack the codes with “alarming accuracy.” This is the first technique to reveal personal PINs using wearable devices without needing contextual clues about the keypad.

The research paper, “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” won “Best Paper Award” at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security.

“Wearable devices can be exploited,” Wang warned.

Attackers can reproduce the trajectories of the user’s hand and then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.

According to the Binghamton University news release, Wang added:

“The threat is real, although the approach is sophisticated. There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.”

Wearables lack robust security measures, and the researchers did not come up with a solution to the problem. They suggested better encryption between wearable devices and host operating systems. They also believe developers could “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.”
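The noise-injection idea is easy to sanity-check with a small simulation. The Python below is an added example written for this article; it is not code from the Binghamton or Stevens researchers and does not implement their Backward PIN-sequence Inference Algorithm. It assumes a 100 Hz single-axis accelerometer, a 1.5 cm key pitch, a bang-bang hand movement between keys, and 1 m/s^2 of injected Gaussian noise (all constructed values). A Schmitt-trigger step counter stands in for the fitness feature, and double integration of the acceleration stands in for fine-grained trajectory recovery; `evaluate_mitigation` reports how often the step count survives the noise and how often the key-to-key path no longer decodes to the true offsets.

```python
import math
import random

# Constructed parameters for this example (assumptions, not values from the paper)
SAMPLE_RATE_HZ = 100               # accelerometer sampling rate
DT = 1.0 / SAMPLE_RATE_HZ          # seconds per sample
KEY_PITCH_M = 0.015                # assumed 1.5 cm between adjacent keypad keys
NOISE_STD = 1.0                    # injected zero-mean Gaussian noise, m/s^2
STEP_AMPLITUDE = 3.0               # walking acceleration amplitude, m/s^2
STEP_HZ = 2.0                      # two steps per second
HALF_MOVE = SAMPLE_RATE_HZ // 10   # 0.1 s of samples: half of one key-to-key move


def walking_trace(seconds=5.0):
    """Constructed walking trace: a 2 Hz sinusoid, i.e. 10 steps in 5 s (m/s^2)."""
    n = int(seconds * SAMPLE_RATE_HZ)
    return [STEP_AMPLITUDE * math.sin(2 * math.pi * STEP_HZ * i * DT) for i in range(n)]


def pin_entry_trace(key_offsets):
    """Constructed 1-D acceleration for moving the hand between keypad keys.

    Each entry in key_offsets is a signed number of key pitches; the hand covers
    it in 0.2 s with a bang-bang profile (accelerate 0.1 s, brake 0.1 s).
    """
    trace = []
    for offset in key_offsets:
        distance = offset * KEY_PITCH_M
        accel = distance / (HALF_MOVE * DT) ** 2   # d = a * t_half^2 for bang-bang
        trace += [accel] * HALF_MOVE + [-accel] * HALF_MOVE
    return trace


def inject_noise(trace, rng):
    """The mitigation under test: add Gaussian noise to every sample on the device."""
    return [a + rng.gauss(0.0, NOISE_STD) for a in trace]


def count_steps(trace, high=1.5, low=-1.5, window=10):
    """Fitness feature: moving-average low-pass, then a hysteresis (Schmitt) trigger.

    A step is counted on each rising crossing of `high` after the smoothed
    signal has dropped below `low`, so sample-level noise cannot double-count.
    """
    steps = 0
    armed = True
    for i in range(len(trace)):
        lo = max(0, i - window + 1)
        smoothed = sum(trace[lo:i + 1]) / (i + 1 - lo)
        if armed and smoothed > high:
            steps += 1
            armed = False
        elif not armed and smoothed < low:
            armed = True
    return steps


def double_integrate(accel):
    """Euler-integrate acceleration twice; returns the displacement at each sample (m)."""
    v = x = 0.0
    positions = []
    for a in accel:
        v += a * DT
        x += v * DT
        positions.append(x)
    return positions


def decode_key_offsets(positions, n_moves):
    """Leakage check: round each move's net displacement to whole key pitches."""
    per_move = 2 * HALF_MOVE
    offsets, start = [], 0.0
    for k in range(n_moves):
        end = positions[(k + 1) * per_move - 1]
        offsets.append(round((end - start) / KEY_PITCH_M))
        start = end
    return offsets


def evaluate_mitigation(trials=200, seed=1234):
    """Inject noise many times; report how often utility and secrecy each hold."""
    rng = random.Random(seed)
    key_offsets = [1, 2, -1, 3]            # constructed sequence of key-to-key moves
    walk = walking_trace()
    entry = pin_entry_trace(key_offsets)
    true_steps = count_steps(walk)
    steps_preserved = path_hidden = 0
    for _ in range(trials):
        if count_steps(inject_noise(walk, rng)) == true_steps:
            steps_preserved += 1
        noisy_path = double_integrate(inject_noise(entry, rng))
        if decode_key_offsets(noisy_path, len(key_offsets)) != key_offsets:
            path_hidden += 1
    return {"steps_preserved": steps_preserved / trials,
            "pin_path_hidden": path_hidden / trials}


if __name__ == "__main__":
    print(evaluate_mitigation())
```

On this model the step count survives the noise in essentially every trial, while the true key offsets decode correctly in well under half of them. The asymmetry is the whole point: step counting only needs the dominant 2 Hz component of the signal, whereas path reconstruction integrates every sample twice, so the injected noise accumulates into centimetres of error over a single PIN entry. Picking the noise level against real sensor data, rather than this toy, is the actual engineering work.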

If you don’t want to give up your wearable but also don’t want it spying on your PIN and passwords, Wang advised moving your hand around randomly between key presses when entering your PIN, as that would mask the data. “It may look weird, but it helps,” he said. “If you’re just moving from key to key, we can track that.”

Darlene Storm (not her real name) is a freelance writer with a background in information technology and information security.