Is your smartwatch stealing your passwords?


A computer science student has demonstrated that software running on a smartwatch could be used to record a user’s passwords and PINs.


Unless you eschew modern technology altogether (such as reading websites), chances are that data on you is being collected. Smartphones are capable enough data sponges, but smartwatches have the potential to extend this reach even further. According to Tony Beltramelli’s master’s thesis for the IT University of Copenhagen, the sensors on the Sony SmartWatch 3 (and likely many other present and future watches) are so accurate that they can be used to sense what button you press on a 12-segment keypad with “above-average” precision.


As seen in the video below, it appears that this ability comes from the user actually moving their hand from button to button. The wearable’s built-in accelerometer and gyroscope can sense these motions and then feed that information into a recurrent neural network. Using a deep learning algorithm, Beltramelli is able to sift through all the “noisy data” and detect patterns for various events, such as when the user moves and taps their finger on a touchscreen to unlock a PIN-protected phone or when the user enters a code on an ATM’s keypad.

Interestingly, as reported in section 6.3 of the thesis, the device did a better job of “touchlogging” — recording virtual keystrokes on a touchscreen — at 73% accuracy, versus “keylogging” — where a physical keyboard is used for input — at 59% accuracy. The touchscreen used in this experiment was larger than the keypad, which apparently led to this discrepancy.

“By their very nature of being wearable, these devices, however, provide a new pervasive attack surface threatening users privacy, among others,” Beltramelli explains. “The goal of this work is to raise awareness about the potential risks related to motion sensors built-in wearable devices and to demonstrate abuse opportunities leveraged by advanced neural network architectures.”

As you can imagine, there are still a few limitations that make this type of approach with a smartwatch impractical as an attack against specific targets. For starters, it only works if the person is using the arm that the gadget is on. So, if you have a watch and are concerned about spying, you can simply strap it onto your less dominant wrist. Or alternatively, you could make a habit of typing with three fingers on numeric keypads.
