Wearable devices -- Fitbits, Jawbones, Nike+, Apple Watches and the like -- are white-hot. The tech segment is already producing an estimated $14 billion in sales worldwide, and expected to more than double within four years, climbing to north of $30 billion.
But a new Stevens Institute of Technology research report reveals those cool wearables just may leak information as you use them. Stevens researchers discovered that the motions of your hands as you use PIN pads, which is continually and automatically recorded by your device, can be hacked in real time and used to guess your PIN with more than 90 percent accuracy within a few attempts. Electrical and computer engineering professor Yingying Chen and three of her graduate students carried out the tests in Stevens labs, assisted by Stevens alumnus Yan Wang Ph.D. '15, now a professor at Binghamton University.
"This was surprising, even to those of us already working in this area," says Chen, a multiple-time National Science Foundation (NSF) awardee. "It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques." The Stevens team outfitted 20 volunteers with an array of fitness wristbands and smart watches, then asked them to make some 5,000 sample PIN entries on keypads or laptop keyboards while "sniffing" the packets of Bluetooth low energy (BLE) data transmitted by sensors in those devices to paired smartphones.
"There are two kinds of potential attacks here: sniffing attacks and internal attacks," explains Chen. "An adversary can place a wireless 'sniffer' close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data."
[...]
"Further research is needed, and we are also working on countermeasures," concludes Chen, adding that wearables are not easily hackable -- but they are hackable.
I know what I'm buying for Christmas this year - for all my coworkers!
(Score: 3, Insightful) by archfeld on Wednesday July 13 2016, @02:45AM
Since I don't wear one I bet the answer is a NO. But the simple solution would be to just type in your pin with the hand that doesn't have the biometric device on it. If you do wear one, do you also wear a watch, and which hand do people wear watches on, their dominant hand? I gave up wearing a watch a few years ago; there are so many clocks, my cell phone, and every other electronic device, and I could never sync them up, so the only time I wear a watch is when I dress up for going out and the GF points out I am wearing neither the ring nor the watch she gave me. I do wear a necklace but it has a DNR notice on it and my organ donor status.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 0) by Anonymous Coward on Wednesday July 13 2016, @03:07AM
You have a girlfriend but you type with just one hand...that's odd.
(Score: 2) by archfeld on Wednesday July 13 2016, @05:09AM
Actually I dictate, and rarely type at all anymore. It's better to use two hands. I don't see where the 2 become mutually exclusive, but from your perspective of never having both I can see the mistake. Did you lock the door? Wouldn't want your mom coming down into the basement at an inopportune time now, would you?
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 3, Interesting) by bob_super on Wednesday July 13 2016, @04:41PM
I guess you're correct, and the answer to the accelerometers spying on us is to dictate pins...
(Score: 3, Insightful) by Absolutely.Geek on Wednesday July 13 2016, @03:58AM
I generally type my pin with my right hand...so not a big deal. Then there is paypass etc...so the number of times I type my pin into a terminal is reducing all the time.
Don't trust the police or the government - Shihad: My mind's sedate.
(Score: 4, Insightful) by wonkey_monkey on Wednesday July 13 2016, @07:29AM
No, and fuck condescending clickbait-style headlines. I am capable of being interested in things without trying to make them personally relevant.
systemd is Roko's Basilisk
(Score: 2) by jcross on Wednesday July 13 2016, @02:53PM
Simple, just change your pin to all the same digit, like 8888. It's just as random as an ordinary pin number, but their chance of guessing it from accelerometer data is now only 1 in 10, since there are no lateral motions between the buttons. I'm joking of course, but the key weakness in the attack is that it will likely not have an absolute fix on the pin pad. Certain pins will be less ambiguous in this respect than others, especially ones that use digits from opposite edges of the pad.
Although I guess the interface buttons on any specific ATM type could give them an absolute fix on the pin pad. Damn, well that kills my dream of wearing a smartwatch one day ;).
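The ambiguity jcross describes can be quantified directly. The example below is added here and is not part of the original story, the Stevens research, or anyone's comment; it assumes a standard 3x4 telephone/ATM keypad layout and models only the idealised case where an observer learns the exact relative step between consecutive keys but has no absolute reference to the pad (real sensor data is noisier, so this is a floor on the ambiguity, not a prediction of the attack's accuracy). The function and variable names are my own. It groups PINs into classes that share the same sequence of inter-key displacements, so you can see how much (or how little) a repeated-digit PIN, a row-walking PIN, or an edge-to-edge PIN hides from a relative-motion observer, and how those classes are distributed across all 10,000 four-digit PINs.

```python
from collections import Counter
from itertools import product

# Assumed keypad layout for this illustration (row, col), standard phone/ATM order:
#   1 2 3
#   4 5 6
#   7 8 9
#     0
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}


def displacement_signature(pin: str) -> tuple:
    """Relative motion between consecutive key presses: the (d_row, d_col) step
    from each key to the next.  This is what an observer of hand motion with no
    absolute fix on the pad can see; the starting key itself is not observed."""
    coords = [KEYPAD[d] for d in pin]
    return tuple((r2 - r1, c2 - c1)
                 for (r1, c1), (r2, c2) in zip(coords, coords[1:]))


def ambiguity_class(pin: str) -> list:
    """Every PIN of the same length that produces the identical displacement
    signature, i.e. the set a relative-motion observer cannot tell apart."""
    target = displacement_signature(pin)
    return sorted(
        "".join(p) for p in product(KEYPAD, repeat=len(pin))
        if displacement_signature("".join(p)) == target
    )


def class_size_histogram(length: int = 4) -> Counter:
    """Map 'ambiguity class size' -> 'number of PINs whose class has that size'.
    The values sum to 10**length, so the histogram shows what fraction of all
    PINs are uniquely pinned down by their relative motion alone."""
    per_signature = Counter(
        displacement_signature("".join(p)) for p in product(KEYPAD, repeat=length)
    )
    hist = Counter()
    for size in per_signature.values():
        hist[size] += size  # 'size' PINs each live in a class of this size
    return hist


if __name__ == "__main__":
    # Constructed sample PINs: repeated digit, row walk, column walk, edge-to-edge.
    for sample in ("8888", "1234", "2580", "1397"):
        cls = ambiguity_class(sample)
        print(f"{sample}: {len(cls):2d} indistinguishable PIN(s): {cls}")
    hist = class_size_histogram()
    total = sum(hist.values())
    for size in sorted(hist):
        print(f"class size {size:2d}: {hist[size]:5d} PINs ({100 * hist[size] / total:.1f}%)")
```

The repeated-digit case collapses to exactly ten candidates, as jcross says, while a PIN that spans the pad from edge to edge ("1397") is unique because no other starting key leaves room for the same steps. A row walk such as "1234" has only one sibling ("4567"). Looking at the whole histogram makes the practical point: under this idealised model most PINs fall into very small classes, so choosing an unusual PIN is not a meaningful defence against this kind of inference.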
(Score: 0) by Anonymous Coward on Wednesday July 13 2016, @04:43PM
I am right hand dominant, and wear mine on my left wrist.
When entering password or whatever on my phone my left hand holds the phone and my right hand keys the pin/pass. There is no chance of them getting anything from that.
With an ATM I use my right hand unless I am at a drive through one, and in that case just rest your palm on the machine and push the pins with your finger. No way it can track finger movement, only wrist movement. Problem solved.
(Score: 2) by Zz9zZ on Wednesday July 13 2016, @07:11PM
They tested a lot of combinations and had a high success rate. You at least narrow the range of possibilities from thousands to probably a handful at the least.
~Tilting at windmills~