Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Privacy Software The Almighty Buck News Technology Hardware

Hackers Can Use Smart Watch Movements To Reveal A Wearer's ATM PIN (ieee.org) 105

the_newsbeagle writes: By gaining access to the sensors in someone's smart watch, hackers could track the person's hand movements at an ATM and figure out his/her pin. The hacker needn't be anywhere near the ATM; data can be lifted from the smart watch by either a discreet wireless sniffer or by malware on the watch that sends info to a server. This is hardly the first demonstration of the security flaws in smart watches. Last year, a research group showed that a watch's sensors can reveal keystrokes on a computer keyboard. The team of researchers, led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, were able to record movements down to the millimeter and crack private ATM PINs with 80 percent accuracy on the first try. To eliminate the security breach, manufacturers could better secure the data stored in their wearables, and/or add noise so one's physical hand movements cannot be as easily translated. Of course, consumers could simply wear their smart watch on their non-dominant hand.
This discussion has been archived. No new comments can be posted.

Hackers Can Use Smart Watch Movements To Reveal A Wearer's ATM PIN

Comments Filter:
  • Non-dominant hand (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 06, 2016 @07:06PM (#52459837)

    I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?

    • Re: (Score:3, Funny)

      by Anonymous Coward

      I'm left handed and wear my watch on my left hand. I don't wear any of these smartwatch tracking devices, though. If someone wants my ATM PIN they're going to have to get it the old fashioned way, sucker me into marrying them.

      • Dominant hand or not , I don't play piano with the ATM keypad . my hand does not move while punching 4 digits.
      • Re: (Score:3, Funny)

        by Joce640k ( 829181 )

        This 'attack' is pointless.

        Any idiot who spends money on smart watches isn't going to have any money in his account anyway.

        • by T.E.D. ( 34228 )

          Any idiot who spends money on smart watches isn't going to have any money in his account anyway.

          Pebbles can be had for $100. The brand new top-of-the-line models are $250. If that drains your account, I think smartwatches aren't your problem.

          • And .... what about all the other pointless gadgets the cheapo-pebble owners have bought?

            How much did that cost?

            And don't tell me they don't have any. If you buy a smart watch you'll buy any old crap.

            • by T.E.D. ( 34228 )

              And don't tell me they don't have any. If you buy a smart watch you'll buy any old crap.

              This kind of mystifies me. You do realize I have those #'s on the top of my head because I own one myself, right? So I'm really curious what kind of weird dystopian inspector gadget world you picture me living in. It probably doesn't much resemble my place, as the vast majority of my functioning electronic equipment was bought back in the 90's before my kids were born. I probably have about the oldest functioning DAK Catalog cheap standup speakers in existence. Wires I made myself from the highest-guage ste

      • by T.E.D. ( 34228 )

        I'm left handed and wear my watch on my left hand.

        As a fellow lefty, I used to do that. After about 10 years of smashed watch crystals, I finally figured out why people don't do that. Its always been on my right for the last three decades.

        I may be slow, but I can learn.

    • by fj3k ( 993224 )

      People tell me I'm weird because I wear mine on my dominant hand. So I doubt this would be a worthwhile attack; I honestly don't know anyone else who is does wear it on their dominant hand (granted, small sample size).

      On a personal note, I'm not worried. I figured out how to type my pin without any visible movement of my hand (the unavoidable movements being covered by my other hand). This was because there were a number of cases of people installing cameras near ATMs to steal PINs. I just checked, and my n

      • by F.Ultra ( 1673484 ) on Wednesday July 06, 2016 @09:25PM (#52460495)
        Also they have to somehow hack the watch in the first place, it's not like it publicly distributes out all the sensor readings.
        • it's not like it publicly distributes out all the sensor readings.

          Pfff. That's what you think.

          • So that is why they didn't hack any wearable watch in any of these studies and instead installed an app on their own watches that could record sensor data. Why would the watch even publicly distribute the sensor readings, even with a massive NSA/Illuminati tinfoil hat measuring millions of miles high there is still no explanation for "their" need for this.
      • People tell me I'm weird because I wear mine on my dominant hand.

        Damn, that is weird. Why on earth would you do that?

        Are you one of those people who wears a watch in bed, too?

        • Why is it weird?

          I do that too. Right hander, I need my watch on my right hand. Doing otherwise feels wrong to me.

    • by skids ( 119237 )

      I wonder if small compensating/ripple movements of the torso are enough the extract keylogging from a cell phone in a pocket, though, given a large enough sample.

    • by AK Marc ( 707885 )
      Yes. In fact, many smart watches recommend it (though I only recall it specifically when reading the directions for a Fitbit Charge HR, I can't speak to any others, but step count is impacted by dominant-hand movements.

      What I can't understand is how they can get keys from a wrist. My wrist is relatively still. I use a wrist rest, and I use my fingers to reach the keys, and moving my wrist is only when using numbers or symbols. And I touch-type, so I don't move my arms much at all, but my fingers are mov
      • by dbIII ( 701233 )
        This was at an ATM so hand movement would be far greater than at a conventional keyboard. People tend to move their entire hand and poke with their fingers at the vertical keypad than move the way they would when typing on something close to horizontal.
        What you describe would indeed be very hard even with a row of sensors able to distinguish individual tendons. I think sensors on knuckles would be needed as well.

        If that's the case, you can measure pulse with them

        I've seen some that do that but they were m

      • I use a wrist rest, and I use my fingers to reach the keys, and moving my wrist is only when using numbers or symbols.

        It's just a big game of deduction. The watch can distinguish between the five elevations your hand has to turn to determine which row you're on just from its tilt. The microphone on it could probably distinguish which finger is striking the key just by volume. Heck, just the mere fact that some of the sound of the keys directly under your hand will be slightly muffled is enough to categorize them.

        To me the bigger issue isn't in working out a process to do this, rather it's the calibration process. Can

        • by AK Marc ( 707885 )
          I'm sure that was part of the "hack". Having the person hacked wear the watch while typing a script for hours. Just like in the wild.

          When I was using a known-compromised computer, I typed in my password in a way that the keylogger didn't catch it. "ass" click before the first a "P" click after the last s "word". Sure, someone could have a good start at guessing it, but the keylogger didn't catch it directly.

          I also expect the test script is not a strong password. "I have a dream" or something like tha
    • I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?

      90% of people are right handed. I don't have a statistic for what wrist people wear watches on, but in a sample size of 100 I found that 100 wore their watch on their left hand. Presumably some of these people are left handed, although I have no way of knowing. This means hackers are engaged in hate crimes against left handers.

    • Pretty much, yeah. It's how people avoid pouring coffee all over themselves when asked for the time.
    • by daq man ( 170241 )

      Yep, that was my first thought. I type my PIN with the other hand. So, a non issue for the most part.

      Also, I go to the ATM maybe once a month but type on a computer at work for 8 hours + per day. So, a hacker would not only have to hack my watch but also pinpoint the few seconds that I was at the ATM. Of course they could try to use the same hack to record keystrokes but my typing pattern is so bizarre that I challenge anyone to figure out which keys I am pressing based on which fingers are moving.

    • by TheCarp ( 96830 )

      Certainly not speaking for me....I don't wear a watch on either wrist. I gave up on watches within a year of getting a cell phone.

    • I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?

      I wear mine on my dominant hand but I'm fairly ambidextrous. I actually use my non-dominant hand to do PIN entry as I'm a lefty and most things are positioned for the right handed world. Plus the 10 key is on the right hand of the keyboard, anyway.

    • Also, in some situations, you are forced to use your non-dominant hand. I am right handed, and I wear my watch on my left. At a drive-up ATM, I am all but forced to use my left hand (driver side on the left in my country) to operate the ATM. It would be much more difficult for me to twist in the driver's seat to get my right arm far enough out the window than to just use my non-dominant hand.
  • by ShooterNeo ( 555040 ) on Wednesday July 06, 2016 @07:18PM (#52459885)

    University professors are under constant pressure to come up with something interesting to show they are a world class expert in their field. And grad students who do most of the grunt work are under pressure to prove themselves as well. So this is yet another impractical technique. No hacker is going to bother with something this hard to make work. Maybe a nation state hacking team might, but probably not.

    Much simpler to install a hidden camera or a direct electrical monitor on the button presses from the keypad itself. Also, look at it this way. On that bitcoin bazaar, Evolution I think it was called, people's pin numbers were about 10 bucks each. Not worth this kind of hassle. This tells me there is far more stolen information readily available than there are crooks to use that information to make fraudulent purchases and cash withdraws with.

    Which makes sense - there are probably still many, many ways to gain access to a database of credit card numbers, or places to set up a skimmer. The actual task of writing the number to a fake credit card and then using it somewhere in person is a far riskier task and one far more likely to result in one's eventual arrest and imprisonment...

    • by Anonymous Coward

      Breaking story: Security researchers find new way to rate an individuals porn preferences using nothing but smart watch worn on the dominant (porn) hand.

    • by skids ( 119237 )

      Criminals probably wouldn't, but "hackers" -- or security researchers -- might do it just for the challenge, and criminals might get a hold of that code.

  • Comment removed based on user account deletion
  • by tgibson ( 131396 ) on Wednesday July 06, 2016 @07:25PM (#52459933) Homepage

    that I am a carpenter who hammers nails at odd hours.

  • by BitterOak ( 537666 ) on Wednesday July 06, 2016 @07:25PM (#52459937)
    People don't realize this, but about a hundred years ago when people switched from pocket watches to wrist watches, they were clever enough to realize that future models would feature motion sensors and people would do their banking at electronic cash dispensing machines. Hence the tradition of wearing watches on the left hand.
    • by mark-t ( 151149 )

      Uh... no.

      The tradition of wearing watches on the left hand arose from the fact that most people are right handed, and so would want to wind a watch with their right hand. Wearing the watch on the left wrist allowed one to wind it without removing it.

      • and so would want to wind a watch with their right hand

        I always figured it was to reduce the chance of damage and keep it out of the way, but I don't know that. Winding is/was infrequent, wasn't it?

        • by cdrudge ( 68377 )

          Winding is/was infrequent, wasn't it?

          A hand wound mechanical watch should last at least 24 hours and would typically be wound once a day.

          • And typically before putting it on, I'd think, so the wearing of the watch seems more dictated by the perceived delicateness of the device. Just my speculation, though. I don't know the answer.
      • Neat. It makes sense, but I have to figure that the general busyness of the dominant hand plays a role. Ever see someone holding coffee in their watch bearing hand get asked for the time? Classic slapstick.
        • by mark-t ( 151149 )

          Reminds me of a time in my youth where I was playing poker and one of the other players asked me the time. I casually looked at my watch without thinking about it and told them, and as I went back to playing, I noticed a few smirks at the table. I had been holding my cards in my left hand, and I had absolutely no idea at the time that I had inadvertently just shown my entire hand to everybody.

          I didn't win anything in that hand, of course, and after the hand was over I realized what had occurred. Boy

          • Ouch!

            Pretty dang funny though. I hope it didn't cost you anything more than embarrassment.

            • by mark-t ( 151149 )
              It was years and years ago... and even back then, I never gambled more money than I could actually afford to lose.
    • by ewhac ( 5844 )

      ...about a hundred years ago when people switched from pocket watches to wrist watches, [ ... ]

      That reminds me: Why is no one offering a smart watch in a pocket watch form factor? You'd lose pulse rate measurement, but you'd still get the rest of the fitness tracking movements. You'd also get a larger case -- allowing for larger displays and batteries -- and placing a pocket watch on a charging cradle at night wouldn't seem quite as odd as a wristwatch.

      Using a smart pocket watch would also obviate the

  • Probably of more concern for this (or use!): https://atap.google.com/soli/ [google.com] Don't even need any electronics on the person.
  • by Anonymous Coward on Wednesday July 06, 2016 @08:17PM (#52460155)

    In this case, 1111, 2222, 3333, etc. would be the most secure PINs.

    • by Tomahawk ( 1343 )

      Not really - the watch will still pick up on the repetitive movements and still know what PIN you are entering. It might be better to fake press all of the buttons on the keypad in order 4 times, and only really press one button on each iteration to correspond with the PIN digits. It would be harder for the watch to determine the difference in this case, but still not impossible.

  • I need an update to my smartwatch that lets me wear 2 of them and use a rolled-up, printed piece of paper as a keyboard.

  • We could always just present the numbers on a keypad in a random position for each transaction. That of course would require conscious thought and effort of the person using the keypad which is probably too much to ask the 'average' user. It would also make life more difficult for blind users.

    • by Tomahawk ( 1343 )

      When I was in college (in the early 90s!!!) the keypad to get through the door to the computing labs out-of-hours would scramble like this. It always looked cool and was a good idea, but also a bad idea for the very reason you mentioned - several of the students were blind and then couldn't get through the door. Then ended up turning off the scrambling.

      I was back there a couple of years ago, and the same keypad was still in place (and the same codes still worked - great security!). And it still didn't sc

    • It would also make life more difficult for blind users.

      You could combine the idea with those new touchscreens that can change texture and create bumps at will, moving the braille along with the numbers.

  • Excuse me sir. Can I trouble you to type these numbers into this keypad. There's quite a few combinations and I need you to do each 3 times. Why? Oh just calibrating accelleratometer in your smartwatch so I can identify all future numbers you type.

    I'm going to guess this hack never makes it out of a laboratory.

  • by zmooc ( 33175 ) <zmooc@NosPAm.zmooc.net> on Thursday July 07, 2016 @03:47AM (#52461699) Homepage

    Even without this technology, your fingers will leave a heat mark on the ATM keys long enough for a malicious person to take a picture of it with a thermal camera. Therefore, when I use an ATM machine, I always hold my fingers over a subset of keys to warm them up while waiting for the excruciatingly slow computer in the thing to do its job. That probably sufficiently masks the thermal print left by actually entering my PIN. Furthermore, I have developed a habit of pressing on the keypad frame as if pressing a key on the pad to fool lurkers. That would probably also protect against the smartwatch appraoch. It's rather easy to protect against such attacks, just introduce sufficient noise.

    Note that most ATM machines allow pressing random keys while they're not ready for input. You might also want to press random keys during that time.

    • by daq man ( 170241 )

      I was going to accuse you of being paranoid but then again, for all I know, they may still be out to get you...

    • Even without this technology, your fingers will leave a heat mark on the ATM keys long enough for a malicious person to take a picture of it with a thermal camera.

      Yeah, I've played Splinter Cell too.

  • I always wear my watch on my non-pin-entering hand; furthermore, I recently got in the habit of simulating non-pin-entering hand mini seizures, just in case this sort of thing ever happened. Take that, stupid hackers!!
  • Put your smart watch on
    Take your smart watch off
    Put your smart watch on
    And shake it all about
    Do the SecOp-sy Dropsy And pass you're secrets around
    And that's what it's all about!!!
  • When I type my wrist doesn't move very much. I mostly move my fingers, and use several of them to type. While I can see how a person using the hunt-and-peck method could be tracked with his watch, I think it'd be much more difficult to track what the rest of us type.

  • I am right-handed and wear my watch on my left wrist, which works well so I can keep writing while look up the time.

    Considering left-handedness is a minority and watches are becoming less common overall by the younger generation, this will affect less and less people as time goes by. I'm usually the "old-timer" in the room that even wears a watch and knows what the term "DOS prompt" even means.

    Also, since smartwatches seem to need a recharge every single night, I don't see why this is much of a concern by

  • As long as your smart watch isn't a Gear S2. I swear this thing think I hit my daily walking goal when all i'm doing is sitting and reading a book. The other day it automatically switched to cycling while I was driving my car... at 72MPH. If I could cycle that fast I wouldn't need a car. If anyone tries to get my pin using my watch all they end up with is some weird data: He's not moving... now he just moved marginally downward... now he's accelerated left at 212 MPH..... now he's stopped.... now he's in
  • (2) alternate hands between typing digits. It's not difficult. Step (1) is probably best.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...