Scientists from the Stevens Institute of Technology and Binghamton University say that if you combine data from the embedded sensors in wearable technologies, such as smart watches and fitness trackers, with a PIN-cracking algorithm, you have an 80% chance of identifying a PIN code on the first try and an over 90% chance of cracking it within 3 tries.
The team, led by Professor Yingying Chen from the Stevens Institute of Technology with the assistance of four graduate students (Chen Wang, Xiaonan Guo, Yan Wang and Bo Liu), conducted 5,000 key-entry tests on three key-based security systems, including an ATM, with 20 adults wearing a variety of technologies over 11 months.
"This was surprising, even to those of us already working in this area," says Chen, a multiple-time National Science Foundation (NSF) awardee. "It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques."
"There are two kinds of potential attacks here: sniffing attacks and internal attacks. An adversary can place a wireless 'sniffer' close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data," added Chen.
Yan Wang, from the Thomas J. Watson School of Engineering and Applied Science at Binghamton University and a co-author of the study, said, "Wearable devices can be exploited. Attackers can reproduce the trajectories of the user's hand and then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."
The team developed a backward-inference algorithm that predicts four-digit PIN codes from the accelerometer, gyroscope and magnetometer data obtained from the devices.
The researchers are working on countermeasures for this problem but suggest that developers "inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts".
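As an added illustration of the trade-off that suggested countermeasure relies on (this is not the research team's code or algorithm), the following constructed simulation adds Gaussian noise to a synthetic accelerometer trace and checks that a simple step counter still reports the right count while a small fine-grained motion component becomes unrecoverable even for an analyst who knows the gait signal exactly. All signals, amplitudes, sampling rates and thresholds are assumptions chosen for the demonstration.

```python
import math
import random
G = 9.81  # gravity in m/s^2; every trace below is an accelerometer magnitude

def synthetic_walk(n_steps=20, hz=50, step_hz=2.0, seed=1):
    """Constructed trace: gravity + a 2 Hz gait swing (3 m/s^2 amplitude)
    + a small 0.1 m/s^2 'fine-grained' component standing in for subtle
    hand motion. Returns (trace, gait_only, fine_only)."""
    phase = random.Random(seed).random() * 2 * math.pi
    trace, gait, fine = [], [], []
    for i in range(int(n_steps * hz / step_hz)):
        t = i / hz
        g = G + 3.0 * math.sin(2 * math.pi * step_hz * t)
        f = 0.1 * math.sin(2 * math.pi * 9.0 * t + phase)
        trace.append(g + f)
        gait.append(g)
        fine.append(f)
    return trace, gait, fine

def inject_noise(trace, sigma, seed=7):
    """The countermeasure: per-sample Gaussian noise sized well above the
    fine hand motion but well below the gait swing."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in trace]

def count_steps(trace, high=G + 1.5, low=G - 1.5):
    """Hysteresis step counter: one step per upward crossing of `high`,
    re-armed only after the signal falls below `low`."""
    steps, armed = 0, True
    for x in trace:
        if armed and x > high:
            steps += 1
            armed = False
        elif x < low:
            armed = True
    return steps

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb)

def fine_motion_leakage(trace, gait, fine):
    """Best case for an analyst who models the gait perfectly: subtract it and
    correlate the residual with the true fine component (1.0 = recoverable)."""
    residual = [x - g for x, g in zip(trace, gait)]
    return pearson(residual, fine)
```

With a noise level of 0.4 m/s^2 the step count stays at 20 for both traces, while the leakage score drops from about 1.0 on the clean trace to well under 0.5 on the noisy one.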