Hackers Can Steal Your ATM PIN from Your Smartwatch or Fitness Tracker: Could wearing a fitness tracker or smartwatch make it easier for criminals to steal your PIN? That is the conclusion of a new study released this month.
Wearable technology has become so commonplace that one wouldn't automatically suspect the wrist to be the next place hackers or cyber criminals strike.
“Wearable devices can be exploited. Attackers can reproduce the trajectories of the user’s hand and then recover secret key entries to ATM cash machines, electronic door locks, and keypad-controlled enterprise servers,” said Yan Wang, assistant professor at Binghamton University in the US.
In the paper “Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN,” researchers from Binghamton University and the Stevens Institute of Technology described how, with the help of a computer algorithm, they used motion data collected by these devices to recover PINs, which they managed to do with 80% accuracy on the first try and more than 90% accuracy within three tries.
How They Retrieve Passwords and PINs Using This Algorithm
The research team says its “Backward PIN-Sequence Inference” algorithm can capture anything a person types on a keypad, from ATM keypads to mobile keypads, through a compromised smartwatch, even though the hand movements involved in entering a PIN are slight. The algorithm works backward from the last key pressed (the Enter key, whose position on the keypad is known) and reconstructs each preceding key press from the hand’s movement between keystrokes.
Over 11 months, the researchers performed 5,000 key-entry tests on three key-based security systems, including an ATM, while 20 adults wore a variety of devices, such as activity trackers and smartwatches.
Typically, a hacker would need to install a video camera or a fake keypad to uncover this information, the researchers wrote.
However, in this work they found that wearable devices “can be exploited to discriminate millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes, and magnetometers that are used inside the wearable technologies, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries.”
Methods of Attack
According to the research team, this is the first technique that reveals personal PINs by exploiting information from wearable devices without the need for contextual information.
“The threat is real, although the approach is sophisticated,” Wang added. “There are two attacking scenarios that are achievable: internal and sniffing attacks. In an internal attack, attackers access embedded sensors in wrist-worn wearable devices through malware. The malware waits until the victim accesses a key-based security system and sends sensor data back. Then the attacker can aggregate the sensor data to determine the victim’s PIN. An attacker can also place a wireless sniffer close to a key-based security system to eavesdrop sensor data from wearable devices sent via Bluetooth to the victim’s associated smartphones.”
The researchers did not offer a complete solution, but suggested that device developers could “inject a certain type of noise to data so that it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts”.
A simpler precaution is to take the wearable off while carrying out financial transactions, or to enter passwords and PINs only with the hand that is not wearing a device with motion sensors.
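As an added worked example (not code from the paper or the researchers), the following Python script reconstructs in toy form the two ideas discussed above: the backward PIN-sequence inference from the algorithm section, run as a beam search over constructed per-keystroke hand displacements on an assumed 3x4 keypad with a 19 mm key pitch, and the noise-injection countermeasure, showing that accelerometer noise large enough to push the double-integrated position error past one key pitch still leaves a simple step counter working. The keypad geometry, noise levels, beam width and the walking signal are all assumptions made for the example.

```python
"""Added example (not the paper's code): toy backward PIN-sequence inference
from wrist-motion data, plus the noise-injection countermeasure.  Every
layout, noise level and sample signal below is a constructed assumption."""
import math
import random

# Assumed 3x4 keypad, 19 mm pitch; (x, y) in mm, row 0 at the top.  'E' is the
# Enter key: its position is known, which anchors the backward search (the
# attacker never needs to know where the hand started).
PITCH = 19.0
KEYPAD = {k: (c * PITCH, r * PITCH)
          for r, row in enumerate(["123", "456", "789", "*0#"])
          for c, k in enumerate(row)}
KEYPAD["E"] = (3 * PITCH, 3 * PITCH)
DIGITS = "0123456789"
RATE_HZ = 50  # assumed sensor sampling rate


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def simulate_displacements(pin, sigma_mm, rng):
    """What the attacker recovers from the sensors: one hand displacement per
    key transition, ending on Enter, with Gaussian error sigma_mm per axis
    (a constructed stand-in for sensor and integration error)."""
    keys = pin + "E"
    out = []
    for a, b in zip(keys, keys[1:]):
        (x0, y0), (x1, y1) = KEYPAD[a], KEYPAD[b]
        out.append((x1 - x0 + rng.gauss(0, sigma_mm),
                    y1 - y0 + rng.gauss(0, sigma_mm)))
    return out


def infer_pins(displacements, beam=20, top_k=3):
    """Backward PIN-sequence inference as a beam search: start at Enter, undo
    each displacement from last to first, and score every digit by how far
    its key centre lies from the implied hand position."""
    states = [(0.0, "E", "")]  # (accumulated error, current key, PIN suffix)
    for dx, dy in reversed(displacements):
        nxt = []
        for err, key, suffix in states:
            cx, cy = KEYPAD[key]
            implied = (cx - dx, cy - dy)  # where the hand was before this move
            for d in DIGITS:
                nxt.append((err + dist(KEYPAD[d], implied), d, d + suffix))
        nxt.sort(key=lambda s: s[0])
        states = nxt[:beam]
    return [s[2] for s in states[:top_k]]


def success_rate(sigma_mm, trials=200, top_k=3, seed=1):
    """Fraction of random 4-digit PINs recovered within top_k guesses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(4))
        guesses = infer_pins(simulate_displacements(pin, sigma_mm, rng), top_k=top_k)
        hits += pin in guesses
    return hits / trials


# --- countermeasure: noise that ruins mm-level trajectories but not step counts
def count_steps(accel_g):
    """Peak detector with hysteresis on |acceleration| in g (a step counter)."""
    steps, armed = 0, True
    for a in accel_g:
        if armed and a > 1.2:
            steps, armed = steps + 1, False
        elif a < 1.0:
            armed = True
    return steps


def walking_signal(seconds, noise_g, rng, cadence_hz=2.0):
    """Constructed wrist signal: 1 g gravity + 0.4 g arm swing at cadence + noise."""
    n = int(seconds * RATE_HZ)
    return [1.0 + 0.4 * math.sin(2 * math.pi * cadence_hz * i / RATE_HZ)
            + rng.gauss(0, noise_g) for i in range(n)]


def displacement_error_mm(noise_g, seconds, rng, trials=200):
    """RMS position error (mm) from double-integrating white noise of noise_g
    over one key-to-key movement: what injected noise does to the attacker."""
    dt, n, total = 1.0 / RATE_HZ, int(seconds * RATE_HZ), 0.0
    for _ in range(trials):
        v = x = 0.0
        for _ in range(n):
            v += rng.gauss(0, noise_g) * 9.81 * dt
            x += v * dt
        total += x * x
    return math.sqrt(total / trials) * 1000.0


if __name__ == "__main__":
    for s in (2.0, 20.0):
        print(f"displacement error {s:4.1f} mm: top-3 success {success_rate(s):.2f}")
    print("steps counted with 0.1 g noise:", count_steps(walking_signal(5, 0.1, random.Random(7))))
    print("position error per 0.5 s key move at 0.1 g noise (mm):",
          round(displacement_error_mm(0.1, 0.5, random.Random(7)), 1))
```

Running it shows the attack succeeding almost always when per-move position error is a couple of millimetres and collapsing once the error approaches the key pitch, while 0.1 g of added accelerometer noise, which double-integrates to a position error well above one key pitch over a half-second movement, leaves the hysteresis step counter reporting the same ten steps. The search runs backward for the reason given in the text: the Enter key is the one absolute position the attacker can rely on, so every earlier key is located relative to it.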