Binghamton University and the Stevens Institute of Technology study found that it's possible for attackers to figure out secret access codes by tracking and measuring "fine-grained" hand movements used when inputting security information into wearable devices.
In 5,000 key-entry tests for three different security systems over nearly a year, the researchers found they were able to successfully crack 80 percent of PINs and passwords on the first try. With three tries, the accuracy of the hacks rose to more than 90 percent.
Because there's no immediate way to avoid such vulnerabilities with wearables, the researchers said that it's probably best not to enter security data into such devices if there's any chance of being observed either directly or remotely.
The researchers also suggested that developers find ways to "inject a certain type of noise" into wearable data so the devices can still be used effectively to count steps or monitor other physical activities without giving away the finer hand motions involved in typing.
Yan Wang, an assistant professor of computer science at New York state's Binghamton University, described the team's findings in a paper titled, "Friend or Foe? Your Wearable Devices Reveal Your Personal PIN." Presented recently at the annual Association for Computing Machinery Asia Conference on Computer and Communications Security in China, the paper was co-authored with Stevens Institute lead researcher Yingying Chen and colleagues Chen Wang, Xiaonan Guo and Bo Liu.
Wang said there are two ways a hacker can monitor a wearable owner's hand movements to figure out PINs and passwords: an internal attack that uses malware to access data from embedded sensors in a device; and an external hack employing a wireless sniffer to pick up Bluetooth signals sent between a wearable and an associated smartphone. "The threat is real, although the approach is sophisticated," Wang said in a Binghamton University statement.
Wearables, such as smartwatches, usually contain a variety of internal sensors that monitor different movements and device orientations. These sensors can include accelerometers, gyroscopes and magnetometers.
The Binghamton-Stevens Institute researchers developed a "Backward PIN-sequence Inference Algorithm" that they applied to the millimeter-scale motions detected by such sensors. The algorithm enabled them to estimate the distances and directions between successive keystrokes, which then allowed them to determine PINs and passwords with "alarming accuracy."
Such vulnerabilities raise security concerns not only for fitness trackers and smartwatches, but for other health and medical devices whose size and computing power often don't allow for robust security measures, the researchers said. In addition to injecting more noise into data from wearables to reduce the risks of such hacking, device developers should also work on improving encryption of data traveling between wearables and host devices, usually smartphones.