Your smartwatch can give away your payment card’s PIN code

Smartwatches can be a perfectly useful and handy wearable device for some users, but it’s good to keep in mind that using them might mean opening yourself to an additional line of attack.

As student Tony Beltramelli has demonstrated for his Master’s thesis, it’s possible for an attacker to trick the user into installing a malicious app on his or her smartwatch (in his example Sony SmartWatch 3) that would record gyroscope and accelerometer sensor data, and send it to a server controlled by the attacker.

In his case, he didn’t manage to make the app send the collected data directly to the server, but to a nearby Android device, and from there the data was sent to the server.

That data can be consequently analyzed, and the attacker is able to guess with above-average accuracy (73%) which buttons the user pressed when, for example, entering his or her PIN in a provided 12-keys keypad (e.g. in a keypad on an ATM).

Aside from “touchlogging”, the system is also able to reach a 59% accuracy when it comes to “keylogging.”

“Moreover, the system is still able to infer keystrokes with an accuracy of 19% when trained and evaluated with datasets recorded from different keypads. This result suggests that an attacker could log keys from a wide range of devices even if its classifier is trained with measurements from a different compromised device,” he noted.

“These observations imply that a cyber-criminal would be able, in theory, to eavesdropped on any device operated by the user while wearing a WAD (Wearable Wristband and Armband Device). Thus granting access to sensitive and highly valuable information and possibly causing important damages.”

While this type of keystroke inference attack might be difficult to perform, defending oneself against it might be as simple as putting the smartwatch on your non-dominant hand.

This makes sense for more reasons than one – if you are right-handed, it seems natural that you would put the smartwatch on your left one, so that you could interact with it with your dominant hand.

“Because of the demonstrated risks, the different operations systems powering wearable technologies should require user permissions before any application is allowed to use the accelerometer and the gyroscope. Furthermore, a permission system should restrict or allow access to the motion sensors in specific contexts or for trusted applications only,” he finally advised.

The following video is a demonstration of the attack: