Skip to main content

Here’s why you should not type in a PIN while wearing a wearable

Apple Watch Wrist
Giuseppe Costantino/Shutterstock
Smartwatches and wearables may be great for alerting you to get on your feet and exercise, but you may not want to wear them when inputting secure PINs, like the one you punch in at the ATM.

A new paper, titled “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” shows that deciphering someone’s PIN isn’t that hard, though the paper doesn’t dive into the specific wearables that were used.

Written by researchers at the Stevens Institute of Technology and Binghamton University, the paper reveals that attackers can track the millimeter-level distances and directions of hand movements thanks to embedded sensors like accelerometers, gyroscopes, and magnetometers, in the wearable device. By tracking your exact movements, researchers were able to “derive the moving distance” of a person’s hand between key entries on key-based systems like a keyboard or ATM.

They successfully reverse-engineered the wearable’s sensors to track a person’s hand movements to see the PIN that was entered — that method is called the “Backward PIN-Sequence Inference algorithm.” The group tested more than 5,000 key-entry traces from 20 adults with different kinds of wearables. The technique provided an accuracy of 80 percent on one try, and that jumped to 90 percent with three tries.

Attackers can use this method in two ways — by installing malware directly onto the device, or by grabbing the data via the Bluetooth connection that bridges the wearable to the smartphone, according to Phys.org.

It all sounds awfully simple, but researchers do offer a solution to manufacturers and developers — insert some “noise data” to obscure the sensitive data. This solution sounds incredibly similar to differential privacy — a tool Apple is using in iOS 10 to make data-gathering more secure and anonymous. Google has also been using this technique in its Chrome browser for years.

We have reached out to the group to check which devices they tested with, but in the meantime, perhaps you should take off your wearable before you enter your secure PINs.

Updated on 07-07-2016 by Julian Chokkattu: Clarified that attackers use tracking data from the wearable to decipher PINs typed on physical key-based systems.

[amz_nsa_keyword keyword=”Portable VPN”]

Editors' Recommendations

Julian Chokkattu
Former Digital Trends Contributor
Julian is the mobile and wearables editor at Digital Trends, covering smartphones, fitness trackers, smartwatches, and more…
How we test smartwatches and wearables
The Apple Watch Ultra with the Apple Watch Series 8 and Watch SE 2.

Apple Watch Series 8 Andy Boxall/Digital Trends / Digital Trends

In many ways, choosing the best smartwatch or fitness wearable is even more difficult than choosing a new smartphone. After all, you’ll actually wear it — sometimes for 24 hours a day — and it’s likely to be seen more often than a phone, which spends time in your pocket or bag. It’s vitally important you make the right choice.

Read more
iPhone Lockdown Mode: how to use the security feature (and why you should)
Lockdown mode for iPhone

Apple takes pride in selling a promise of privacy to its customers, and to a large extent, it lives up to that promise. As cyber criminals devise new ways to target phones, with tools as sophisticated and virtually undetectable as the Pegasus spyware, Apple also keeps fortifying its devices.

One step in that direction is Lockdown Mode, an “extreme” safety measure that was introduced with iOS 16 last year. The feature blocks a lot of vectors through which a zero-click, zero-day spyware like Pegasus finds its way inside a phone. From phone calls and message attachments to shared albums and network profiles, Lockdown Mode limits those risk routes.

Read more
Here’s why the FBI says you should never use public phone chargers
Nomad Base One Max charging an iPhone and an Apple Watch.

When the nation’s premier intelligence agency issues a warning about the device sitting in your pocket and bags, you better pay attention. This time around, the FBI has warned smartphone and laptop users against juicing up their devices at public charging points — citing the risk of malware injection.

The FBI’s warning was posted on Twitter, and even though it doesn’t go into detail about the sheer scale of risk posed by public charging stations, the problem has been well documented. Public charging stations at spots like your nearest cafe, buzzy airports, or shopping malls should ideally be avoided because the outlets might be brimming with malware.

Read more