A new paper, titled “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” shows that deciphering someone’s PIN isn’t that hard, though the paper doesn’t dive into the specific wearables that were used.
Written by researchers at the Stevens Institute of Technology and Binghamton University, the paper reveals that attackers can track the millimeter-level distances and directions of hand movements thanks to embedded sensors like accelerometers, gyroscopes, and magnetometers, in the wearable device. By tracking your exact movements, researchers were able to “derive the moving distance” of a person’s hand between key entries on key-based systems like a keyboard or ATM.
They successfully reverse-engineered the wearable’s sensors to track a person’s hand movements to see the PIN that was entered — that method is called the “Backward PIN-Sequence Inference algorithm.” The group tested more than 5,000 key-entry traces from 20 adults with different kinds of wearables. The technique provided an accuracy of 80 percent on one try, and that jumped to 90 percent with three tries.
Attackers can use this method in two ways — by installing malware directly onto the device, or by grabbing the data via the Bluetooth connection that bridges the wearable to the smartphone, according to Phys.org.
It all sounds awfully simple, but researchers do offer a solution to manufacturers and developers — insert some “noise data” to obscure the sensitive data. This solution sounds incredibly similar to differential privacy — a tool Apple is using in iOS 10 to make data-gathering more secure and anonymous. Google has also been using this technique in its Chrome browser for years.
We have reached out to the group to check which devices they tested with, but in the meantime, perhaps you should take off your wearable before you enter your secure PINs.
Updated on 07-07-2016 by Julian Chokkattu: Clarified that attackers use tracking data from the wearable to decipher PINs typed on physical key-based systems.
Editors' Recommendations
- Does the Samsung Galaxy A54 have wireless charging?
- Our honest thoughts on the Galaxy S23 Ultra’s 200MP camera
- Your phone may play a loud alarm on April 23 — here’s why
- Could this be our first look at the Samsung Galaxy Z Fold 5?
- You should pay attention to this cheap, colorful phone with a 200MP camera
