The research, which is the result of a cooperation between Binghamton University and the Stevens Institute of Technology in New York, provides convincing evidence that fitness trackers and smartwatches are vulnerable to security breaches.
Traditional Attacks on Key-Based Systems
Traditional attacks on a key-based security system, such as an ATM, may include a hidden camera or a skimmer. A skimmer, which is placed in the card slot of the ATM, records a victim's sensitive data, including their PIN. To the untrained eye, skimmers can be extremely difficult to identify. The installation of equipment meant to counter skimmers makes such attacks less successful.
Some previous attacks recorded the sound of typing on a keyboard and used linguistic models to infer which keys were pressed.
Another technique uses the multipath fading of audio signals to find the keys pressed on a keyboard. There are also methods that rely on a machine-learning-based process.
Wearable Devices and Embedded Sensors
The term "wearable device" can cover a wide variety of applications including fitness tracking, detection of epileptic seizures, user authentication, and more. Because they have such a wide array of applications, many different sensors need to be incorporated into a wearable device. Therefore, these devices are naturally gathering as much information as possible so that they can successfully achieve their intended goals.
Accelerometers, gyroscopes, and magnetometers are some of the widely-used sensors in wearable devices. These sensors can keep track of all of a person’s movements.
The question is: Are we willing to have all of these pieces of information sensed and recorded?
What if a wearable device records our movements when we are accessing a cash machine or an electronic door lock?
Perhaps most importantly: Is a wearable device capable of revealing sensitive information such as PINs or passwords?
The researchers from Binghamton University and the Stevens Institute of Technology in New York aimed to answer this question.
Their research suggests that, although the algorithms and techniques required to obtain data this way are not simple, the security of wearable devices is indeed quite compromised. Their work considered a more general case (i.e., a context- and training-free situation) and shows that a user's PIN may be revealed by relying on a wrist-worn wearable device alone, with no additional equipment. Hence, this approach is less likely to attract any attention.
A New Method of Data Skimming
The new research presents an algorithm that uses low-fidelity sensors of a wearable device to extract the required data. The unencrypted output data of the embedded sensors can be gathered either by means of data sniffing in the Bluetooth communications or by installing a malware app.
Note that most wearable devices use Bluetooth Low Energy (BLE), which is less secure than previous versions of Bluetooth. In fact, as a dedicated paper on this subject suggests, with low energy comes low security. This makes data sniffing easier for the adversary.
Instead of data sniffing, however, someone looking to skim data may choose to launch an internal attack. One method of accomplishing this is to install a malware app onto a wearable device. The app could then send the movement data of the sensors to be remotely interpreted.
The “Backward PIN-Sequence Inference” algorithm used in this research utilizes the physical constraints of keypads to help interpret the movement data. It essentially enables researchers to successfully guess PIN sequences. In order to work, it requires knowledge of the targeted keypad's dimensions and layout.
The Challenges of the New Method
This new attack method is not without its obstacles.
For one thing, it requires millimeter-level detection of a victim’s hand movements. This is a big challenge considering the relatively low-grade sensors currently available in most wearable devices. Additionally, such sensitive sensors will also read unconscious movements and naturally-occurring vibrations of the wearer's hand.
Beyond that, this method attempts to discover PIN and password sequences, which normally consist of digits. That means contextual information or dictionaries cannot be employed, as they could be with codes made of letters or words.
Finally, the data gathered from the sensors is expressed in the coordinate system of the wearable device, which is not necessarily aligned with that of the keypad. Translating the gathered information into a fixed coordinate system is another important challenge of this attack.
Despite all these issues, the designed attack is still successful in most cases. This method has been extensively tested using two types of smartwatches and a prototype of a wearable. In 80% of the experiments, the new technique was successful on the first attempt. With three attempts, the chance of a successful guess is over 90%.
Researchers believe that the results of this study may be extended to extract the data typed on a keyboard.
In the rest of this article, we will briefly review some of the concepts of this study. For more information, please read this recently-published paper, Friend or Foe? Your Wearable Devices Reveal Your Personal PIN, which presents the concepts of this attack in great detail.
Acceleration Patterns of Pressing Keys
When pressing different keys one after another, we unconsciously follow a unique pattern of accelerations and decelerations.
Assuming that the z-axis is perpendicular to the keypad plane and points outwards from it, we will have patterns similar to those illustrated by the red curve in Figure (1):
Figure (1) Acceleration patterns when pressing keys one after another. Image courtesy of the Stevens Institute of Technology (PDF).
A minimum in the acceleration curve occurs at the moment our finger touches the key. A maximum is expected when the finger presses the key to the keypad bottom. Such unique patterns help us find the exact moments at which keys are pressed.
The movement from one key to another occurs roughly midway between two consecutive key presses, point (3) in the figure. At this point, an acceleration followed by a deceleration is recognizable along the X or the Y axis.
Considering all these patterns in the three axes, we can find the distance and direction of hand movements.
Figure (2) shows examples of motion along either the X or the Y axis. Again, the up-and-down acceleration patterns are easily recognizable:
Figure (2) Acceleration and deceleration patterns in the (a) X axis (b) Y axis. Image courtesy of the Stevens Institute of Technology (PDF).
Note that the sensor readings are expressed in the coordinate system of the wearable device, which is not fixed. Therefore, although it is possible to find the distance and direction of movements using the above patterns, we need to translate this data into the coordinate system of the keypad.
This can be done by finding the relation between the coordinates of the wearable device, the keypad coordinates, and the world coordinates.
Hand movements can be used to find the relation between wearable coordinates and the world coordinates.
On the other hand, the relation between the keypad coordinates and the world coordinates can be easily found by placing a sensor (e.g., a smartphone, a smartwatch, or an IMU) that is aligned with the keypad's coordinates. This again relies on knowing which ATM the victim is going to use.
This research does not provide a solution to the security weaknesses of wearable devices. However, it highlights the need for data encryption, especially in less-secure IoT communications. The researchers also suggest deliberately injecting noise into the data obtained from the sensors. This must be done in such a way that fine-grained movement detection becomes impossible for the attacker while the intended functions of the wearable device are not adversely affected.
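As an added example (not code from the paper or this article), the following Python models the accelerate/decelerate pattern of a key-to-key hand move described above, then estimates how much Gaussian noise a wearable would have to inject into its accelerometer stream before double integration can no longer resolve a single key move, and checks that a coarse step-count feature still works under that noise. The sample rate, key pitch, move duration and walking trace are constructed assumptions, not values from the paper.

```python
import math
import random

SAMPLE_HZ = 100        # assumed wearable sampling rate (not taken from the paper)
KEY_PITCH_M = 0.019    # constructed: ~19 mm centre-to-centre keypad spacing
MOVE_S = 0.3           # constructed duration of one key-to-key hand move

def synth_move(dist_m, hz=SAMPLE_HZ, duration_s=MOVE_S):
    """One key-to-key move along X: constant acceleration, then equal deceleration."""
    n = int(duration_s * hz)
    a = 4.0 * dist_m / duration_s ** 2   # chosen so the hand stops after dist_m
    return [a if i < n // 2 else -a for i in range(n)]

def displacement(samples, hz=SAMPLE_HZ):
    """Net displacement by double (Euler) integration of acceleration."""
    dt, v, x = 1.0 / hz, 0.0, 0.0
    for a in samples:
        v += a * dt
        x += v * dt
    return x

def noise_displacement_std(sigma, n, hz=SAMPLE_HZ):
    """Analytic displacement-error std from white noise of std sigma (m/s^2) over n samples."""
    return sigma / hz ** 2 * math.sqrt(sum(j * j for j in range(1, n + 1)))

def sigma_to_blur_one_key(pitch=KEY_PITCH_M, n=int(MOVE_S * SAMPLE_HZ)):
    """Noise std at which the error std is half a key pitch, i.e. one-key moves become ambiguous."""
    return (pitch / 2) / noise_displacement_std(1.0, n)

def empirical_error_std(sigma, trials=2000, seed=1):
    """Monte Carlo check of the analytic formula on a noisy one-key move."""
    rng, clean = random.Random(seed), synth_move(KEY_PITCH_M)
    sq = [(displacement([a + rng.gauss(0, sigma) for a in clean]) - KEY_PITCH_M) ** 2
          for _ in range(trials)]
    return math.sqrt(sum(sq) / trials)

def walking_trace(sigma=0.0, seconds=5, amp=3.0, cadence_hz=2.0, hz=SAMPLE_HZ, seed=1):
    """Constructed walking-like acceleration (sinusoid at step cadence) plus injected noise."""
    rng = random.Random(seed)
    return [amp * math.sin(2 * math.pi * cadence_hz * i / hz) + rng.gauss(0, sigma)
            for i in range(seconds * hz)]

def count_steps(samples, window=10, thresh=1.0):
    """Fitness-style step count: causal moving average, then hysteresis crossings."""
    steps, armed = 0, False
    for i in range(window, len(samples) + 1):
        s = sum(samples[i - window:i]) / window
        armed = armed or s < -thresh
        if s > thresh and armed:
            steps, armed = steps + 1, False
    return steps
```

With these assumptions the required noise is close to 1 m/s^2, large enough that each feature of the device has to be re-checked against it, which is exactly the trade-off the closing paragraph points to.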