Hackers Can Steal Your ATM PIN from Your Smartwatch Or Fitness Tracker

Here is something to think about:
Smartwatch

As your day-to-day apparel and accessories are turning into networked mobile electronic devices that attach to your body like smartwatch or fitness band, the threat to our personal data these devices collect has risen exponentially.

A recent study from Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think – and it could be used to steal your ATM PIN code.

The risk lies in the motion sensors used by these wearable devices. The sensors also collect information about your hand movements among other data, making it possible for “attackers to reproduce the trajectories” of your hand and “recover secret key entries.”

In the paper, titledFriend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” computer scientists from the Stevens Institute of Technology and Binghamton University used a computer algorithm that can guess your password and PIN with about 80% success rate on the first attempt, and over 90% of the time with 3 tries.

Retrieving Passwords and PINs Using this Algorithm

Researchers say their “Backward PIN-Sequence Inference” algorithm can be used to capture anything a person type on any keyboard – from automatic teller machine or ATM keypads to mobile keypads – through infected smartwatches, even if the person makes the slight hand movements while entering PINs.

“The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose,” reports Phys.org.

Although the researchers do not name specific wearable devices that are vulnerable, they note that attackers can record information about your hand movements…

…either directly by infecting your wearable device with malware or remotely by intercepting the Bluetooth connection that links your wearable device to your phone.

The bottom Line:
The team says it doesn’t have any robust solution to prevent this attack but recommends manufacturers and developers to confuse attackers by inserting “a certain type of noise data” that would allow the device to be still used for fitness tracking, but not for guessing keystrokes.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.