Hackers who gain control of a smartwatch can record hand motion down to the millimeter and steal PIN numbers entered at ATMs, with 80 percent accuracy on the first try and over 90 percent accuracy after three tries, according to researchers at the Stevens Institute of Technology in New Jersey and Binghamton University in New York.
By measuring the acceleration, orientation, and direction of the smartwatch--all easily measured by the sensors in most popular models--a team of researchers achieved a high level of success--or more accurately, an alarming level of success--guessing people's ATM PIN codes.
The research was done by having 20 adults wear various smartwatches. Five thousand PIN logins were tested on three types of keypads: a classic ATM machine keypad, a QWERTY keyboard, and a detachable ATM keypad.
Interestingly, the researchers found that the easiest way to capture PIN codes was to work backwards: People normally press an "Enter" key after entering their PIN code, so the researchers looked for the moment someone pressed the Enter key and worked backwards to examine the motions indicating the immediately preceding keypresses.
In fact, the researchers' findings aren't surprising. Last year, Tony Beltramelli, then a Master's student at the IT University in Copenhagen, Denmark, demonstrated how codes entered on a keypad were put at risk by smartwatches. He pointed out that because the majority of the world's keypads sport identical layouts of similarly-sized keys, it is relatively simple to determine when someone is entering a PIN rather than performing some other motion with his or her hand.
Of course, hackers would have to obtain access to someone's smartwatch in order to capture data. But how much security do smartwatches have? Have you ever seen security software for a smartwatch? How well locked down are smartwatch Bluetooth connections to other devices? And how secure are the devices to which smartwatches are connected?
How to protect yourself?
While the current findings are troubling, one simple way for you to avoid the risk is to enter your PIN code with the hand that is not wearing the smartwatch. In fact, in most cases, that is what people do naturally--most folks who wear watches wear them on their non-dominant hands, and most people enter PIN codes with their dominant hands. Of course, if you don't wear a smartwatch there is no risk to begin with.
Properly securing the smartphone to which your smartwatch is connected would also help.
Keep in mind, however, that the high-level lesson of the recent disclosure is not about PIN numbers--it is that if you carry an electronic device, it might make information about your movement available to other parties. If you wear a smartwatch, anything you do with your hands may be traceable--it may be possible for hackers to know when you eat, sleep, or make a phone call. Intelligence agencies are certainly well aware of this. On the positive side, I suspect that in the not-so-distant future there will be crimes solved, and criminals apprehended, because smartwatches will give them away.
So, enjoy the conveniences of modern technology--but be aware of the privacy risks.