Wearable devices can give away your passwords, according to new research.

Scientists from the Stevens Institute of Technology and Binghamton University combined data from embedded sensors in wearable technologies, such as smartwatches and fitness trackers, along with a computer algorithm to crack private PINs and passwords with 80% accuracy on the first try and more than 90% accuracy after three tries.

"Wearable devices can be exploited," says Yan Wang, assistant professor of computer science at Binghamton University. "Attackers can reproduce the trajectories of the user’s hand [and] recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."

Even though wearable devices track health and medical activities, their size and computing power don't allow for robust security measures. Image credit: Pixabay.Even though wearable devices track health and medical activities, their size and computing power don't allow for robust security measures. Image credit: Pixabay.

With extensive experimentation, the team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand’s pose. Those measurements led to distance and direction estimations between consecutive keystrokes, which the team’s "Backward PIN-sequence Inference Algorithm" used to break codes with alarming accuracy without context clues about the keypad.

According to the research team, this is the first technique that reveals personal PINs by exploiting information from wearable devices without the need for contextual information.

The findings are an early step in understanding security vulnerabilities of wearable devices. Even though wearable devices track health and medical activities, their size and computing power don’t allow for robust security measures, which makes the data within more vulnerable to attack.

The team is now working on countermeasures for the problem. An initial approach is to inject a certain type of noise to the data so it cannot be used to derive fine-grained hand movements, while maintaining effectiveness for fitness-tracking purposes such as activity recognition or step counts.

The researchers also note that better encryption between the wearable device and the host operating system is required.

To contact the author of this article, email engineering360editors@globalspec.com