Hackers Can Use Smart Watch Movements To Reveal A Wearer's ATM PIN (ieee.org) 105
the_newsbeagle writes: By gaining access to the sensors in someone's smart watch, hackers could track the person's hand movements at an ATM and figure out his/her pin. The hacker needn't be anywhere near the ATM; data can be lifted from the smart watch by either a discreet wireless sniffer or by malware on the watch that sends info to a server. This is hardly the first demonstration of the security flaws in smart watches. Last year, a research group showed that a watch's sensors can reveal keystrokes on a computer keyboard. The team of researchers, led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, were able to record movements down to the millimeter and crack private ATM PINs with 80 percent accuracy on the first try. To eliminate the security breach, manufacturers could better secure the data stored in their wearables, and/or add noise so one's physical hand movements cannot be as easily translated. Of course, consumers could simply wear their smart watch on their non-dominant hand.
Non-dominant hand (Score:5, Insightful)
I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?
Re: (Score:3, Funny)
I'm left handed and wear my watch on my left hand. I don't wear any of these smartwatch tracking devices, though. If someone wants my ATM PIN they're going to have to get it the old fashioned way, sucker me into marrying them.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It is much more harder to crack than that since you have 10 possibilities:
1111
2222
3333
4444
etc.
Re: (Score:3, Funny)
This 'attack' is pointless.
Any idiot who spends money on smart watches isn't going to have any money in his account anyway.
Re: (Score:2)
Any idiot who spends money on smart watches isn't going to have any money in his account anyway.
Pebbles can be had for $100. The brand new top-of-the-line models are $250. If that drains your account, I think smartwatches aren't your problem.
Re: (Score:2)
And .... what about all the other pointless gadgets the cheapo-pebble owners have bought?
How much did that cost?
And don't tell me they don't have any. If you buy a smart watch you'll buy any old crap.
Re: (Score:2)
And don't tell me they don't have any. If you buy a smart watch you'll buy any old crap.
This kind of mystifies me. You do realize I have those #'s on the top of my head because I own one myself, right? So I'm really curious what kind of weird dystopian inspector gadget world you picture me living in. It probably doesn't much resemble my place, as the vast majority of my functioning electronic equipment was bought back in the 90's before my kids were born. I probably have about the oldest functioning DAK Catalog cheap standup speakers in existence. Wires I made myself from the highest-guage ste
Re: (Score:2)
I'm left handed and wear my watch on my left hand.
As a fellow lefty, I used to do that. After about 10 years of smashed watch crystals, I finally figured out why people don't do that. Its always been on my right for the last three decades.
I may be slow, but I can learn.
Re: (Score:2)
For bathroom hygiene alone, wearing a watch on your dominant hand disgusts me.
Its all OK if you just remember to lick the crystal clean when you are done.
Re: (Score:1)
People tell me I'm weird because I wear mine on my dominant hand. So I doubt this would be a worthwhile attack; I honestly don't know anyone else who is does wear it on their dominant hand (granted, small sample size).
On a personal note, I'm not worried. I figured out how to type my pin without any visible movement of my hand (the unavoidable movements being covered by my other hand). This was because there were a number of cases of people installing cameras near ATMs to steal PINs. I just checked, and my n
Re:Non-dominant hand (Score:5, Insightful)
Re: (Score:2)
it's not like it publicly distributes out all the sensor readings.
Pfff. That's what you think.
Re: (Score:2)
Re: (Score:2)
People tell me I'm weird because I wear mine on my dominant hand.
Damn, that is weird. Why on earth would you do that?
Are you one of those people who wears a watch in bed, too?
Re: (Score:1)
I do that too. Right hander, I need my watch on my right hand. Doing otherwise feels wrong to me.
Re: (Score:2)
That's a good point, if there's a physical keypad it invariably is located on the right side.
Re: (Score:2)
I wonder if small compensating/ripple movements of the torso are enough the extract keylogging from a cell phone in a pocket, though, given a large enough sample.
Re: (Score:3)
What I can't understand is how they can get keys from a wrist. My wrist is relatively still. I use a wrist rest, and I use my fingers to reach the keys, and moving my wrist is only when using numbers or symbols. And I touch-type, so I don't move my arms much at all, but my fingers are mov
Re: (Score:2)
What you describe would indeed be very hard even with a row of sensors able to distinguish individual tendons. I think sensors on knuckles would be needed as well.
I've seen some that do that but they were m
Re: (Score:2)
"Last year, a research group showed that a watch's sensors can reveal keystrokes on a computer keyboard."
Re: (Score:3)
I use a wrist rest, and I use my fingers to reach the keys, and moving my wrist is only when using numbers or symbols.
It's just a big game of deduction. The watch can distinguish between the five elevations your hand has to turn to determine which row you're on just from its tilt. The microphone on it could probably distinguish which finger is striking the key just by volume. Heck, just the mere fact that some of the sound of the keys directly under your hand will be slightly muffled is enough to categorize them.
To me the bigger issue isn't in working out a process to do this, rather it's the calibration process. Can
Re: (Score:2)
When I was using a known-compromised computer, I typed in my password in a way that the keylogger didn't catch it. "ass" click before the first a "P" click after the last s "word". Sure, someone could have a good start at guessing it, but the keylogger didn't catch it directly.
I also expect the test script is not a strong password. "I have a dream" or something like tha
Re: (Score:2)
I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?
90% of people are right handed. I don't have a statistic for what wrist people wear watches on, but in a sample size of 100 I found that 100 wore their watch on their left hand. Presumably some of these people are left handed, although I have no way of knowing. This means hackers are engaged in hate crimes against left handers.
Re: (Score:1)
Re: (Score:3)
Re: (Score:1)
Yep, that was my first thought. I type my PIN with the other hand. So, a non issue for the most part.
Also, I go to the ATM maybe once a month but type on a computer at work for 8 hours + per day. So, a hacker would not only have to hack my watch but also pinpoint the few seconds that I was at the ATM. Of course they could try to use the same hack to record keystrokes but my typing pattern is so bizarre that I challenge anyone to figure out which keys I am pressing based on which fingers are moving.
Re: (Score:2)
Certainly not speaking for me....I don't wear a watch on either wrist. I gave up on watches within a year of getting a cell phone.
Re: (Score:2)
I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?
I wear mine on my dominant hand but I'm fairly ambidextrous. I actually use my non-dominant hand to do PIN entry as I'm a lefty and most things are positioned for the right handed world. Plus the 10 key is on the right hand of the keyboard, anyway.
Re: (Score:1)
Impractical technique by academics, news at 11 (Score:5, Insightful)
University professors are under constant pressure to come up with something interesting to show they are a world class expert in their field. And grad students who do most of the grunt work are under pressure to prove themselves as well. So this is yet another impractical technique. No hacker is going to bother with something this hard to make work. Maybe a nation state hacking team might, but probably not.
Much simpler to install a hidden camera or a direct electrical monitor on the button presses from the keypad itself. Also, look at it this way. On that bitcoin bazaar, Evolution I think it was called, people's pin numbers were about 10 bucks each. Not worth this kind of hassle. This tells me there is far more stolen information readily available than there are crooks to use that information to make fraudulent purchases and cash withdraws with.
Which makes sense - there are probably still many, many ways to gain access to a database of credit card numbers, or places to set up a skimmer. The actual task of writing the number to a fake credit card and then using it somewhere in person is a far riskier task and one far more likely to result in one's eventual arrest and imprisonment...
Re: news at 11 (Score:1)
Breaking story: Security researchers find new way to rate an individuals porn preferences using nothing but smart watch worn on the dominant (porn) hand.
Re: (Score:2)
Criminals probably wouldn't, but "hackers" -- or security researchers -- might do it just for the challenge, and criminals might get a hold of that code.
Re: (Score:1)
The researchers have predicted (Score:4, Funny)
that I am a carpenter who hammers nails at odd hours.
Re: (Score:2)
Re: (Score:1)
That's why we wear watches on our left hands. (Score:4, Funny)
Re: (Score:3)
Uh... no.
The tradition of wearing watches on the left hand arose from the fact that most people are right handed, and so would want to wind a watch with their right hand. Wearing the watch on the left wrist allowed one to wind it without removing it.
Re: (Score:1)
I always figured it was to reduce the chance of damage and keep it out of the way, but I don't know that. Winding is/was infrequent, wasn't it?
Re: (Score:2)
A hand wound mechanical watch should last at least 24 hours and would typically be wound once a day.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Reminds me of a time in my youth where I was playing poker and one of the other players asked me the time. I casually looked at my watch without thinking about it and told them, and as I went back to playing, I noticed a few smirks at the table. I had been holding my cards in my left hand, and I had absolutely no idea at the time that I had inadvertently just shown my entire hand to everybody.
I didn't win anything in that hand, of course, and after the hand was over I realized what had occurred. Boy
Re: (Score:2)
Pretty dang funny though. I hope it didn't cost you anything more than embarrassment.
Re: (Score:2)
Re: (Score:2)
That reminds me: Why is no one offering a smart watch in a pocket watch form factor? You'd lose pulse rate measurement, but you'd still get the rest of the fitness tracking movements. You'd also get a larger case -- allowing for larger displays and batteries -- and placing a pocket watch on a charging cradle at night wouldn't seem quite as odd as a wristwatch.
Using a smart pocket watch would also obviate the
Re: (Score:2)
They have those, but they call them "phones".
Re: (Score:2)
Re: That's why we wear watches on our left hands. (Score:3)
Re: (Score:2)
Sounds like it could be a hipsters dream come true.
Next up: Steampunk mobile phone.
Re: (Score:2)
Re: (Score:1)
Meet the Runcible [indiegogo.com].
Project Soli (Score:1)
Ironically .... (Score:3, Funny)
In this case, 1111, 2222, 3333, etc. would be the most secure PINs.
Re: (Score:2)
Not really - the watch will still pick up on the repetitive movements and still know what PIN you are entering. It might be better to fake press all of the buttons on the keypad in order 4 times, and only really press one button on each iteration to correspond with the PIN digits. It would be harder for the watch to determine the difference in this case, but still not impossible.
Repeat of a January post! (Score:2)
sheesh
Re: (Score:1)
Re: (Score:2)
Yeah, I thought this sounded familiar.
Awesome! (Score:1)
I need an update to my smartwatch that lets me wear 2 of them and use a rolled-up, printed piece of paper as a keyboard.
Scramble the keypad (Score:2)
We could always just present the numbers on a keypad in a random position for each transaction. That of course would require conscious thought and effort of the person using the keypad which is probably too much to ask the 'average' user. It would also make life more difficult for blind users.
Re: (Score:2)
When I was in college (in the early 90s!!!) the keypad to get through the door to the computing labs out-of-hours would scramble like this. It always looked cool and was a good idea, but also a bad idea for the very reason you mentioned - several of the students were blind and then couldn't get through the door. Then ended up turning off the scrambling.
I was back there a couple of years ago, and the same keypad was still in place (and the same codes still worked - great security!). And it still didn't sc
Re: (Score:2)
It would also make life more difficult for blind users.
You could combine the idea with those new touchscreens that can change texture and create bumps at will, moving the braille along with the numbers.
Hey victim... (Score:2)
Excuse me sir. Can I trouble you to type these numbers into this keypad. There's quite a few combinations and I need you to do each 3 times. Why? Oh just calibrating accelleratometer in your smartwatch so I can identify all future numbers you type.
I'm going to guess this hack never makes it out of a laboratory.
ATM's are unsafe anyway (Score:5, Interesting)
Even without this technology, your fingers will leave a heat mark on the ATM keys long enough for a malicious person to take a picture of it with a thermal camera. Therefore, when I use an ATM machine, I always hold my fingers over a subset of keys to warm them up while waiting for the excruciatingly slow computer in the thing to do its job. That probably sufficiently masks the thermal print left by actually entering my PIN. Furthermore, I have developed a habit of pressing on the keypad frame as if pressing a key on the pad to fool lurkers. That would probably also protect against the smartwatch appraoch. It's rather easy to protect against such attacks, just introduce sufficient noise.
Note that most ATM machines allow pressing random keys while they're not ready for input. You might also want to press random keys during that time.
Re: (Score:1)
I was going to accuse you of being paranoid but then again, for all I know, they may still be out to get you...
Re: (Score:2)
Even without this technology, your fingers will leave a heat mark on the ATM keys long enough for a malicious person to take a picture of it with a thermal camera.
Yeah, I've played Splinter Cell too.
planned ahead (Score:1)
SecOp-sy Dropsy (Score:2)
Take your smart watch off
Put your smart watch on
And shake it all about
Do the SecOp-sy Dropsy And pass you're secrets around
And that's what it's all about!!!
what if I type with multiple fingers? (Score:2)
When I type my wrist doesn't move very much. I mostly move my fingers, and use several of them to type. While I can see how a person using the hunt-and-peck method could be tracked with his watch, I think it'd be much more difficult to track what the rest of us type.
Not that relavant? (Score:1)
I am right-handed and wear my watch on my left wrist, which works well so I can keep writing while look up the time.
Considering left-handedness is a minority and watches are becoming less common overall by the younger generation, this will affect less and less people as time goes by. I'm usually the "old-timer" in the room that even wears a watch and knows what the term "DOS prompt" even means.
Also, since smartwatches seem to need a recharge every single night, I don't see why this is much of a concern by
Sure they can... (Score:2)
(1) don''t use a smart watch, and (Score:2)