Your smartwatch may be revealing your card’s PIN code

Wearable devices bring us a whole new world of technological innovation, yet at the same time, they come with security risks, as one software engineer and former master’s student has recently documented.

In his thesis paper, Tony Beltramelli elaborated on the security hazard, highlighting that attackers can extract sensitive data – including the likes of credit card and smartphone PIN codes – by simply monitoring motion sensors across various wearable devices.

The security flaw seems to be confined to 12-key keypads, most of which are found on ATM machines and on smartphone lock screens, he reported in Deep-Spying: Spying using Smartwatch and Deep Learning.

Through ‘deep-spying’, as Mr. Beltramelli has described it, potential attackers that have gained access to the gyroscope and accelerometer in a wearable device can observe the specific motions a wrist makes when typing in, for example, a PIN code.

From this, an enterprising cybercriminal can, theoretically, deduce what digits the user inputted into the touchscreen of his or her smartwatch based on the pattern of movement.

“This architecture can achieve touchlogging and keylogging with a maximum accuracy of 73% and 59% respectively,” explained Mr. Beltramelli, who wrote his paper while studying at the IT University of Copenhagen.

“Moreover, the system is still able to infer keystrokes with an accuracy of 19% when trained and evaluated with datasets recorded from different keypads,” he added.

“This suggests that an attacker could log keys from a wide range of devices even if its classifier is trained with measurements from a different compromised device.”

This isn’t the first analysis into ‘smartwatch sensor hacks’. Last autumn, three researchers at the University of Illinois at Urbana-Champaign in the US detailed the information leakage potential of these devices on a keyboard.

“By processing the accelerometer and gyroscope signals, tracking the wrist micro-motions, and combining them with the structure of valid English words, reasonable guesses can be made about typed words,” explained He Wang, Ted Tsung-Te Lai and Romit Roy Choudhury.

“Given the excitement around a smartwatch app store, such an attack can be severely penetrating into the private lives of humans.”

Jacob Lund

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.