Smartwatch Hack Could Reveal ATM Pin

Internet connectivity can add a lot of functionality to traditional products. With that connectivity and augmented usability, however, come many digital security risks; risks that you need to be aware of and take personal action against if you don’t want to fall prey to hackers. What we are discussing, of course, is the Internet of Things, and the smartwatch is the latest IoT product to make it into the news because of the cyber dangers that it poses to consumers.

A study from Binghamton University in New York has revealed that the smartwatches and fitness bands that people purchase to manage their everyday routines more efficiently have security flaws that could transform them into a real nightmare. In particular, those products have been found to be at risk from hackers who could even steal your ATM pin code from them with malware.

If you are the owner of a smartwatch or fitness tracker you may well be thinking to yourself:

‘But I’ve never typed my ATM pin number into my smartwatch; why would I?’

An absolutely reasonable response, but one that sadly won’t stop you from falling victim to a mean-spirited hacker and his high-tech skills.

What the research team from the Stevens Institute of Technology and Binghamton University has discovered is that the motion sensors in smartwatches (and other wearable devices) can be hacked in such a way that the hand movements you make can be decoded. The result is that as you type your pin number into the ATM (or as you pay for products with your card in-store), you are in fact divulging your sensitive card details to the evil hacker.

The research paper that the team has published is called ‘Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN.’ The study was carried out by having a team of 20 volunteers wear a vast number of different smartwatches and fitness tracking bands as they went about performing a variety of regular tasks. The findings, according to the published paper, are that attackers can ‘reproduce the trajectories’ that your hand makes to ‘recover secret key entries.’ Harsh!

Unbelievably, the computer scientists that worked on the project found that the algorithm which they developed was able to discover a user’s pin correctly 80% of the time after that person had entered their pin just once. Furthermore, that percentage went up to 90% if the Backward PIN-Sequence Inference software had three attempts to go on.

In addition to robbing you of your pin, which, although cause for concern, still requires the hacker to get access to your bank card, there is concern that a similar algorithm could also be used successfully to figure out what people type into their keyboard while on their PC or tablet. The reason for the paranoia arises from the fact that the software was able to figure out the pin codes from even the smallest hand gestures, revealing that even slight movements strongly affect the built-in accelerometer, gyroscope and magnetometer of those devices.

The conclusion is that a wearable IoT device infected with malware that uses a similar algorithm could be used to gather passwords for online accounts, including emails, social media accounts, PayPal and online banking. Terrifying.

‘This was surprising, even to those of us already working in this area. It may be easier than we think for criminals to obtain secret information from our wearables by using the right techniques,’ commented the lead researcher Yingying Chen before adding,

‘There are two kinds of potential attacks here: sniffing attacks and internal attacks. An adversary can place a wireless ‘sniffer’ close to a key-based security system and eavesdrop sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data.’

As of yet, Chen’s team of research graduates has failed to come up with any coherent solutions to the problem other than to avoid wearing the devices. Of course, there is little point buying a smartwatch if you are too terrified to wear it.


To buy or not to buy; the great smartwatch dilemma

As with all connected IoT products, you need to carefully consider the pros and cons of what you are actually gaining by owning that particular device.

If it is actually improving your quality of life, then as long as you bought it from a reputable firm that updates its product with security patches often, you should be okay. For that reason, when purchasing new devices, you are advised to take the time to research them carefully to make sure they are actually recognised as safe.

In addition to that, you should make sure that you have strong and varied passwords for all your different accounts, including any passwords for the device itself. Also, make sure you update those passwords every so often. Strong passwords can’t be remembered, so if yours is your pet’s name then you are putting yourself at risk from cyber criminals.

Of course, you could choose to type any sensitive information into keyboards with the opposite hand to the one wearing the device. A reasonable option.

At the end of the day, your cyber security is your personal responsibility, and if you feel strongly about your digital security then it might be best to abstain from gimmicky devices that do more to put you at risk than to actually improve your life. Remember, knowing how many steps you took on your run might seem important, but it is you doing the hard work, not it!

Ray Walsh I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR and I am an advocate for freedom of speech, equality and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood and love to listen to trap music.
