Your smartwatch can reveal your PIN code

Smartwatches can measure your heart rate, count your steps and calculate how many calories you burn. But the motion sensors built into the watches can also track your PIN code, according to a Master’s thesis from the IT University of Copenhagen – and this information can potentially be exploited by cybercriminals.

EducationIT securityprivacywearables

Written 14 January, 2016 09:00 by Vibeke Arildsen

Smartwatches are fast becoming popular in the mainstream, but the new smart technology also opens up for new security risks. The watches are equipped with motion sensors that can measure the movements of the wearer very accurately. In fact, the sensors are so precise that they can even track the pattern of your fingers moving across the keypad as you are typing your PIN code.

In his Master’s thesis, Tony Beltramelli demonstrates that this information can be collected and potentially exploited by cybercriminals. His findings have received much interest from international media, including Wired, Huffington Post and Vice.

Deep spying

In his experiments, Tony Beltramelli asked smartwatch-wearing volunteers to enter PIN codes on a keypad similar to an ordinary credit card terminal. Using a machine learning algorithm which collected data from the gyroscope and accelerometer of the device, his program was able to make quite accurate guesses about the entered PINs.

Tony Beltramelli calls this method 'deep spying' and warns that cybercriminals could potentially use the method to steal PINs, passwords and other sensitive information from unsuspecting smartwatch wearers.

“By their very nature of being wearable, these devices provide a new pervasive attack surface threatening users’ privacy, among others,” he writes in the thesis abstract.

Wear it on the opposite arm

The aim of Tony Beltramelli's thesis is thus to draw attention to the security risks associated with increasingly popular wearables like smartwatches and fitness bracelets.

"People should not be afraid to use smartwatches, but in general it's a good idea to become conscious of the safety risks attached to the technologies we use. No technology is 100% secure and companies are selling them knowing that hackers will eventually find exploits. The risk lies mostly in the fact that mainstream users are unaware of the potential threat,” he says.

Tony Beltramelli’s advice to smartwatch fans who want to protect themselves against hackers? Don't wear the watch on the arm you use to enter PINs.

The video where Tony Beltramelli demonstrates his method already has more than 32,000 views on YouTube. Watch it here:

www.youtube.com/embed/ZBwSfvnoq5U

Read an abstract of the thesis or download the whole thesis here.