Smart Watches and Fitness Trackers may be Hackable

This post is also available in: עברית (Hebrew)

Wearable devices (Fitbits, Apple Watches etc.) tech segment, estimated at $14 billion in sales worldwide, is expected to more than double within four years.

But according to the Homeland Security News Wire, a new research report reveals those wearables may leak information as you use them. Stevens Institute of Technology researchers discovered that the motions of your hands as you use PIN pads, which is continually and automatically recorded by your device, can be hacked in real time and used to guess your PIN with more than 90 percent accuracy within a few attempts.

Lab tests revealed that “it may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”

The Stevens team outfitted 20 volunteers with an array of fitness wristbands and smart watches, then asked them to make some 5,000 sample PIN entries on keypads or laptop keyboards while “sniffing” the packets of Bluetooth low energy (BLE) data transmitted by sensors in those devices to paired smartphones.

“There are two kinds of potential attacks here: sniffing attacks and internal attacks,” explains Professor Chen. “An adversary can place a wireless ‘sniffer’ close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses  sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data.”

After capturing  accelerometer, gyroscope and magnetometer data from the devices and using it to calculate typical distances between and directions of consecutive key entries, Chen’s team developed a backward-inference algorithm to predict four-digit PIN codes.

“These predictions were assisted by the standardized layout of most PIN pads and keyboards — plus the knowledge that nearly all users will hit ‘enter’ as their final significant hand motion after entering a code,” she notes.

While some devices proved more secure than others, the algorithm’s first guess succeeded an astonishing 80 percent of the time, on average. Within five tries, its accuracy climbed to 99 percent on some devices.

Chen concluded that wearables are not easily hackable — but they are hackable.