Internet connectivity can add a lot of functionality to traditional products. With that connectivity and augmented usability, however, come digital security risks. You should be aware of the risks and take action against them if you don’t want to fall prey to hackers. What we are discussing, of course, is the Internet of Things (IoT). The smartwatch is the latest IoT product that is in the news because of the cyber dangers that it poses to consumers.
A study at Stevens has revealed that the smartwatches used to manage everyday routines have got serious security flaws. In particular, the products have been found to be at risk from hackers looking to use malware to steal users’ ATM PIN codes.
“But I’ve never typed my PIN number into my smartwatch. Why would I?”
An absolutely reasonable response, but one that sadly won’t stop you from falling victim to a hacker’s high-tech skills.
The research team from the Stevens Institute of Technology discovered that the motion sensors in smartwatches and other wearable devices can be hacked in such a way that your hand movements can be decoded. Thus as you type your PIN into an ATM, you share your sensitive card details with the hacker. The same applies when you pay for products with your card in-store.
The research paper that the team has published is called ‘Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN.’ A team of 20 volunteers wore different smartwatches and fitness tracking bands for the research. They then performed regular tasks. The research found that attackers can ‘reproduce the trajectories’ that your hand makes to ‘recover secret key entries.’
The researchers found that their algorithm was able to discover a user’s PIN correctly 80% of the time. That was after the person entering their PIN just once. The percentage went up to 90% if they used the Backward PIN-Sequence Inference software to three times.
Of course, a hacker with your PIN would still need access to your bank card. However, a similar algorithm could potentially be used successfully to figure out what you are typing into your PC keyboard or tablet. The reason for this concern arises from the fact that the software was able to figure out the PIN codes from even the smallest hand gestures. (Even slight movements strongly affect the built-in accelerometer, gyroscope and magnetometer of such devices.)
Thus a wearable IoT device infected with malware with a similar algorithm could be used to gather passwords for online accounts. This includes emails, social media accounts, PayPal and online banking.
Lead researcher Yingying Chen commented:
“This was surprising, even to those of us already working in this area. It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques.”
“There are two kinds of potential attacks here: sniffing attacks and internal attacks. An adversary can place a wireless ‘sniffer’ close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data.”
So far, Chen’s team of research graduates has failed to come up with any solutions to the problem other than to avoid wearing the devices. Of course, there is little point buying a smartwatch if you are too terrified to wear it!
To Buy or Not to Buy: the Great Smartwatch Dilemma
As with all connected IoT products, you need to carefully consider the pros and cons about your device. What are you gaining by owning it?
If it is improving your quality of life and you bought it from a reputable firm that regularly updates their products with security patches, you should be okay. When purchasing new devices, take the time to research them carefully to make sure they are recognized as safe.
In addition, make sure that you have strong and varied passwords for all your different accounts. This includes any passwords for the device itself. Make sure you update those passwords every so often. Strong passwords can’t be remembered. If your password is your pet’s name then you are putting yourself at risk from cyber criminals.
As a precaution, you could choose to type sensitive information using the opposite hand to the one wearing the device.
Your cyber security is your personal responsibility. If you feel strongly about your digital security then it might be best abstaining from gimmicky devices that do more to put you at risk than improve your life. Knowing how far you jogged might seem important, but you’ll burn just as many calories without a smartwatch on!