Research reveals threat of wearables leaking password details


Researchers from Binghamton University and the Stevens Institute of Technology have revealed that wearable devices have the ability to leak passwords.

In the paper, titled “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN”, the researchers combined data from embedded sensors in wearable technologies, such as smartwatches and fitness trackers, with a computer algorithm to ascertain PINs and passwords. The team managed to crack the PIN with 80% accuracy on the first attempt and 90% accuracy after three attempts.

Yan Wang, assistant professor of computer science within the Thomas J. Watson School of Engineering and Applied Science at Binghamton University, is a co-author of the study along with Chen Wang, Xiaonan Guo, Bo Liu and lead researcher Yingying Chen from the Stevens Institute of Technology.

Wang said: “Wearable devices can be exploited. Attackers can reproduce the trajectories of the user's hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers. The threat is real, although the approach is sophisticated.

“There are two attacking scenarios that are achievable: internal and sniffing attacks”, added Wang. “In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim's PIN.

“An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim's associated smartphones.”

To mitigate the risk, the team suggests that developers “inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts.” The team also suggests better encryption between the wearable device and the host operating system.
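The noise-injection idea above, sketched as an added example that is not code from the paper or from this article: zero-mean Gaussian noise is added to constructed accelerometer samples, and a step counter still returns the same count while the displacement recovered by double integration is off by more than the spacing between keys. The noise type, sample rate, noise level, key spacing and both signal shapes are assumptions chosen for illustration.

```python
import math
import random

FS = 50              # accelerometer sample rate in Hz (assumed)
DT = 1.0 / FS
KEY_PITCH_M = 0.02   # spacing between keypad keys in metres (assumed)
SIGMA = 0.4          # std-dev of injected noise in m/s^2 (assumed)

def add_noise(samples, sigma, rng=None):
    """Inject zero-mean Gaussian noise into each acceleration sample."""
    rng = rng or random.Random(0)
    return [a + rng.gauss(0.0, sigma) for a in samples]

def walking_signal(seconds=10, cadence_hz=2.0, amp=3.0):
    """Constructed vertical acceleration while walking: one sine cycle per step."""
    return [amp * math.sin(2 * math.pi * cadence_hz * k * DT)
            for k in range(int(seconds * FS))]

def count_steps(samples, hi=1.5, lo=-1.5):
    """Hysteresis counter: one step per swing from below lo to above hi."""
    steps, armed = 0, True
    for a in samples:
        if armed and a > hi:
            steps, armed = steps + 1, False
        elif not armed and a < lo:
            armed = True
    return steps

def key_move_signal(distance=KEY_PITCH_M, seconds=1.0):
    """Constructed hand move from one key to the next: accelerate, then brake."""
    n = int(seconds * FS)
    amp = 4 * distance / seconds ** 2
    return [amp if k < n // 2 else -amp for k in range(n)]

def displacement(samples):
    """Double-integrate acceleration to net displacement in metres."""
    v = x = 0.0
    for a in samples:
        v += a * DT
        x += v * DT
    return x

def rms_displacement_error(sigma, trials=300, seed=1):
    """RMS difference between displacement from clean and from noised samples."""
    rng = random.Random(seed)
    clean = key_move_signal()
    ref = displacement(clean)
    sq = [(displacement(add_noise(clean, sigma, rng)) - ref) ** 2
          for _ in range(trials)]
    return math.sqrt(sum(sq) / trials)
```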
