Your smartwatch is giving away your ATM PIN

Wearable devices can give away your passwords, according to new research.

In the paper “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN” scientists from Binghamton University and the Stevens Institute of Technology combined data from embedded sensors in wearable technologies, such as smartwatches and fitness trackers, along with a computer algorithm to crack private PINs and passwords with 80-percent accuracy on the first try and more than 90-percent accuracy after three tries.

Yan Wang, assistant professor of computer science within the Thomas J. Watson School of Engineering and Applied Science at Binghamton University, is a co-author of the study along with Chen Wang, Xiaonan Guo, Bo Liu and lead researcher Yingying Chen from the Stevens Institute of Technology. The group is collaborating on this and other mobile device-related security and privacy projects.

“Wearable devices can be exploited,” said Wang. “Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers.”

Researchers conducted 5 000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a variety of technologies over 11 months. The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose. Those measurements lead to distance and direction estimations between consecutive keystrokes, which the team’s “Backward PIN-sequence Inference Algorithm” used to break codes with alarming accuracy without context clues about the keypad.

According to the research team, this is the first technique that reveals personal PINs by exploiting information from wearable devices without the need for contextual information.

“The threat is real, although the approach is sophisticated,” Wang added. “There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.”

The findings are an early step in understanding security vulnerabilities of wearable devices. Even though wearable devices track health and medical activities, their size and computing power don’t allow for robust security measures, which makes the data within more vulnerable to attack.

The team did not have a solution for the problem in the current research, but did suggest that developers “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.”

The team also suggests better encryption between the wearable device and the host operating system.
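The noise-injection suggestion above can be illustrated with a small simulation. This is an added sketch, not code from the paper or the researchers; it assumes Gaussian white noise, 50 Hz sampling, a 2 cm key pitch and a simple threshold step counter, and every signal in it is constructed.

```python
import math
import random

DT = 0.02         # assumed 50 Hz sensor sampling interval, seconds
KEY_PITCH = 0.02  # assumed 2 cm between adjacent keypad keys, metres
SIGMA = 0.5       # assumed std-dev of injected Gaussian noise, m/s^2

def add_noise(samples, rng, sigma=SIGMA):
    """Mitigation under test: perturb every acceleration sample."""
    return [a + rng.gauss(0.0, sigma) for a in samples]

def walking(seconds=10, cadence_hz=2.0, amp=3.0):
    """Constructed wrist acceleration while walking: one swing per step."""
    n = round(seconds / DT)
    return [amp * math.sin(2 * math.pi * cadence_hz * i * DT) for i in range(n)]

def count_steps(samples, hi=1.5, win=5):
    """Coarse feature: moving average, then peak counting with hysteresis."""
    steps, armed = 0, True
    for i in range(len(samples)):
        window = samples[max(0, i - win + 1): i + 1]
        x = sum(window) / len(window)
        if armed and x > hi:
            steps, armed = steps + 1, False
        elif x < -hi:
            armed = True
    return steps

def key_move(duration=0.5):
    """Constructed acceleration for one KEY_PITCH hand move between keys."""
    n = round(duration / DT)
    amp = KEY_PITCH * 2 * math.pi / duration ** 2
    return [amp * math.sin(2 * math.pi * i / n) for i in range(n)]

def displacement(samples):
    """Fine-grained feature: double-integrate acceleration to distance."""
    v = x = 0.0
    for a in samples:
        v += a * DT
        x += v * DT
    return x

def rms_error(trials=200, seed=1):
    """RMS distance error the injected noise causes over many key moves."""
    rng, clean = random.Random(seed), key_move()
    true = displacement(clean)
    errs = [displacement(add_noise(clean, rng)) - true for _ in range(trials)]
    return math.sqrt(sum(e * e for e in errs) / trials)

if __name__ == "__main__":
    walk = walking()
    print(count_steps(walk), count_steps(add_noise(walk, random.Random(7))))
    print(round(displacement(key_move()), 4), round(rms_error(), 4))
```

In this model the step count is unchanged by the noise while the per-move distance error is comparable to the key pitch. Independent white noise can be reduced by averaging repeated observations, so the sketch shows the utility trade-off only, not a complete defense.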

Friend or Foe

The mutual-friends feature on social networks such as Facebook, which displays users’ shared friendships, might not be so “friendly.”

Often revered for bringing people together, the mutual-friends feature on Facebook actually creates myriad security risks and privacy concerns, according to a University of Pittsburgh study. The study demonstrates that even though users can tailor their privacy settings, hackers can still find private information through mutual-friends features.

Using computer simulation programs and an offline Facebook dataset containing 63 731 users, the researchers first demonstrated a “friend exposure” attack, exploring how many private friends an “attacker” could find of a specific target user. The attacks were tested on 10 randomly chosen user groups with sizes ranging between 500 and 5 000 individuals, as well as sample groups that were computer generated based on shared interests across user profiles. The same process was used for the “distant neighbor exposure attack,” through which the attacker’s goal was to identify private distant neighbors from the initial target. These distant neighbors indicate users that are friends of friends of the target user (two degrees of separation) or even friends of friends of friends of the target user (three degrees of separation).

Finally, the team initiated a “hybrid attack,” in which an attacker tried to identify both the target’s private friends and distant neighbors.

They found that an attacker identified more than 60 percent of a target’s private friends in the “mutual-friend based attack.” Likewise, an attacker could find, on average, 67 percent of a target’s private distant neighbors by using 100 compromised user accounts.

The study shows the need for better privacy-protection settings to mitigate the problem — those that can also be easily navigated by users.

The paper, “Mutual-friend Based attacks in Social Network Systems,” was first published online April 22 in Computers & Security.