Wearable devices can leak PINs
20 July, 2016
category: Corporate, Digital ID, Financial
With the uproar over mobile biometrics lately, some would say consumers are better off with PINs and passwords. But a recent study found that hackers could access a devices’ PIN via motion sensing data from wearable devices.
“Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN” states that there is potentials a serious security breach with wearable devices. Previously, a fraudster would need a video camera or fake keypad to obtain a PIN but some wearable devices can also record such information.
“In this work, we show that a wearable device can be exploited to discriminate millimeter-level distances and directions of the user’s fine-grained hand movements, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries,” the report states.
The researchers created a Backward PIN-Sequence Inference algorithm that exploits the physical constraints between key entries to infer the PIN.
Extensive experiments were conducted with more than 5,000 key entry traces collected from 20 adults for key-based security systems, such as ATM keypads and regular keyboards, through testing on different kinds of wearables.
Results demonstrate that such a technique can achieve 80% accuracy with only one try and more than 90% accuracy with three tries, which to our knowledge, is the first technique that reveals personal PINs leveraging wearable devices without the need for labeled training data and contextual information.
While this research is troubling, don’t go throwing away your fitness trackers and smart watches just yet, says Paul Madsen, Paul Madsen, senior technical architect in the CTO’s office at Ping Identity. “Before you tear the wearable from your wrist, or start randomly shaking your arm to add noise to the data, perhaps we should think about the attack from two angles 1) the scale of the hack and 2) the difficulty of the hack,” he stated in a blog post.
First, sensor data would have to be extracted from the devices. While this is possible through malware it would be difficult to do at a large scale. It’s more likely that a hacker would target an individual so that the wearable could be compromised and that they would have access to the victims’ phone or tablet.
But even this seems like overkill when there are easier ways. “If the attacker has physical access to the phone, there are easier ways to extract the PIN, like shoulder surfing or looking at the smudge pattern from oily fingerprints, than also installing malware on a different wearable,” Madsen stated.
Then there is the question of what they can do once the device is accessed. “And unlocking the phone with the stolen PIN will give the hacker access to sensitive information on that phone, but is unlikely to enable access to sensitive applications accessed from that phone,” Madsen states. “This because any sensitive application — not Facebook — likely mandates a short session time so when launched there will be an authentication prompt – one the hacker with the PIN will fail.”
It’s unlikely that this hack gain wide scale appeal. “While this is an interesting attack — and oh so trendy given the IoT aspect — it’s not one that is likely to pique the interest of Russian hackers, at least those I know. It’s still much easier to go after the passwords on a server than PIN’s on a device,” Madsen adds.
Read Madsen’s full blog post on the attack here.