It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques
Hoboken, NJ (PRWEB) July 13, 2016
Wearable devices — Fitbits, Jawbones, Nike+, Apple Watches and the like — are white-hot. The tech segment is already producing an estimated $14 billion in sales worldwide, and expected to more than double within four years, climbing to north of $30 billion.
But a new Stevens Institute of Technology research report reveals those cool wearables just may leak information as they are used. Stevens researchers discovered that the motions of hands using PIN pads, which are continually and automatically recorded by wearable devices, can be hacked in real time and used to guess PINs with more than 90 percent accuracy within a few attempts.
"This was surprising, even to those of us already working in this area," says Chen, a multiple-time National Science Foundation (NSF) awardee. "It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques."
The Stevens team outfitted 20 volunteers with an array of fitness wristbands and smart watches, then asked them to make some 5,000 sample PIN entries on keypads or laptop keyboards while "sniffing" the packets of Bluetooth low energy (BLE) data transmitted by sensors in those devices to paired smartphones.
"There are two kinds of potential attacks here: sniffing attacks and internal attacks," explains Chen. "An adversary can place a wireless 'sniffer' close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data."
After capturing accelerometer, gyroscope and magnetometer data from the devices and using it to calculate typical distances between and directions of consecutive key entries, Chen's team developed a backward-inference algorithm to predict four-digit PIN codes.
"These predictions were assisted by the standardized layout of most PIN pads and keyboards — plus the knowledge that nearly all users will hit 'enter' as their final significant hand motion after entering a code," she notes.
While some devices proved more secure than others, the algorithm's first guess succeeded an astonishing 80 percent of the time, on average. Within five tries, its accuracy climbed to 99 percent on some devices.
"Further research is needed, and we are also working on countermeasures," concludes Chen, adding that wearables are not easily hackable — but they are hackable.
A paper on the new research, Friend or Foe? Your Wearable Devices Reveal Your Personal PIN, received the Best Paper Award at the ACM Conference on Information, Computer and Communications Security (ASIACCS) in Xian, China in May.
About Stevens Institute of Technology
Stevens Institute of Technology, The Innovation University®, is a premier, private research university situated in Hoboken, N.J. overlooking the Manhattan skyline. Founded in 1870, technological innovation has been the hallmark and legacy of Stevens’ education and research programs for more than 140 years. Within the university’s three schools and one college, 6,600 undergraduate and graduate students collaborate with nearly 300 full-time faculty members in an interdisciplinary, student-centric, entrepreneurial environment to advance the frontiers of science and leverage technology to confront global challenges. Stevens is home to three national research centers of excellence, as well as joint research programs focused on critical industries such as healthcare, energy, finance, defense, maritime security, STEM education and coastal sustainability. The university is consistently ranked among the nation’s elite for return on investment for students, career services programs and mid-career salaries of alumni. Stevens is in the midst of a 10-year strategic plan, The Future. Ours to Create., designed to further extend the Stevens legacy to create a forward-looking and far-reaching institution with global impact