Slashdot Mirror


Hackers Can Use Smart Watch Movements To Reveal A Wearer's ATM PIN (ieee.org)

the_newsbeagle writes: By gaining access to the sensors in someone's smart watch, hackers could track the person's hand movements at an ATM and figure out his/her PIN. The hacker needn't be anywhere near the ATM; data can be lifted from the smart watch by either a discreet wireless sniffer or by malware on the watch that sends info to a server. This is hardly the first demonstration of the security flaws in smart watches. Last year, a research group showed that a watch's sensors can reveal keystrokes on a computer keyboard. The team of researchers, led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, were able to record movements down to the millimeter and crack private ATM PINs with 80 percent accuracy on the first try. To eliminate the security breach, manufacturers could better secure the data stored in their wearables, and/or add noise so one's physical hand movements cannot be as easily translated. Of course, consumers could simply wear their smart watch on their non-dominant hand.


  1. Non-dominant hand by Anonymous Coward · · Score: 5, Insightful

    I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?

    1. Re:Non-dominant hand by Anonymous Coward · · Score: 3, Funny

      I'm left handed and wear my watch on my left hand. I don't wear any of these smartwatch tracking devices, though. If someone wants my ATM PIN they're going to have to get it the old fashioned way, sucker me into marrying them.

    2. Re:Non-dominant hand by AK+Marc · · Score: 2

      Yes. In fact, many smart watches recommend it (though I only recall it specifically when reading the directions for a Fitbit Charge HR, I can't speak to any others), but step count is impacted by dominant-hand movements.

      What I can't understand is how they can get keys from a wrist. My wrist is relatively still. I use a wrist rest, and I use my fingers to reach the keys, and moving my wrist is only when using numbers or symbols. And I touch-type, so I don't move my arms much at all, but my fingers are moving. I'd be amazed if they could sense the movement of the tendons in the wrist. If that's the case, you can measure pulse with them. My pulse makes my wrist move as well. So why are there no apps for that? Makes me think they aren't sensitive enough to have exploits work outside the lab.

    3. Re:Non-dominant hand by F.Ultra · · Score: 4, Insightful

      Also they have to somehow hack the watch in the first place, it's not like it publicly distributes out all the sensor readings.

    4. Re:Non-dominant hand by MobileTatsu-NJG · · Score: 2

      I use a wrist rest, and I use my fingers to reach the keys, and moving my wrist is only when using numbers or symbols.

      It's just a big game of deduction. The watch can distinguish between the five elevations your hand has to turn to determine which row you're on just from its tilt. The microphone on it could probably distinguish which finger is striking the key just by volume. Heck, just the mere fact that some of the sound of the keys directly under your hand will be slightly muffled is enough to categorize them.

      To me the bigger issue isn't in working out a process to do this, rather it's the calibration process. Can you get your victim to wear a watch while he or she types something predictable for a while?

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    5. Re:Non-dominant hand by Joce640k · · Score: 2, Funny

      This 'attack' is pointless.

      Any idiot who spends money on smart watches isn't going to have any money in his account anyway.

      --
      No sig today...

    6. Re:Non-dominant hand by sabbede · · Score: 2

      Pretty much, yeah. It's how people avoid pouring coffee all over themselves when asked for the time.

  2. Impractical technique by academics, news at 11 by ShooterNeo · · Score: 4, Insightful

    University professors are under constant pressure to come up with something interesting to show they are a world class expert in their field. And grad students who do most of the grunt work are under pressure to prove themselves as well. So this is yet another impractical technique. No hacker is going to bother with something this hard to make work. Maybe a nation state hacking team might, but probably not.

    Much simpler to install a hidden camera or a direct electrical monitor on the button presses from the keypad itself. Also, look at it this way. On that bitcoin bazaar, Evolution I think it was called, people's PIN numbers were about 10 bucks each. Not worth this kind of hassle. This tells me there is far more stolen information readily available than there are crooks to use that information to make fraudulent purchases and cash withdrawals with.

    Which makes sense - there are probably still many, many ways to gain access to a database of credit card numbers, or places to set up a skimmer. The actual task of writing the number to a fake credit card and then using it somewhere in person is a far riskier task and one far more likely to result in one's eventual arrest and imprisonment...

  3. The researchers have predicted by tgibson · · Score: 3, Funny

    that I am a carpenter who hammers nails at odd hours.

  4. That's why we wear watches on our left hands. by BitterOak · · Score: 3, Funny

    People don't realize this, but about a hundred years ago when people switched from pocket watches to wrist watches, they were clever enough to realize that future models would feature motion sensors and people would do their banking at electronic cash dispensing machines. Hence the tradition of wearing watches on the left hand.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?

    1. Re:That's why we wear watches on our left hands. by mark-t · · Score: 2

      Uh... no.

      The tradition of wearing watches on the left hand arose from the fact that most people are right handed, and so would want to wind a watch with their right hand. Wearing the watch on the left wrist allowed one to wind it without removing it.

    2. Re:That's why we wear watches on our left hands. by Paradise+Pete · · Score: 2

      Why is no one offering a smart watch in a pocket watch form factor?

      They have those, but they call them "phones".

    3. Re: That's why we wear watches on our left hands. by slazzy · · Score: 2

      Sounds like it could be a hipster's dream come true.

      --
      Website Just Down For Me? Find out

  5. Ironically .... by Anonymous Coward · · Score: 3, Funny

    In this case, 1111, 2222, 3333, etc. would be the most secure PINs.

  6. ATMs are unsafe anyway by zmooc · · Score: 4, Interesting

    Even without this technology, your fingers will leave a heat mark on the ATM keys long enough for a malicious person to take a picture of it with a thermal camera. Therefore, when I use an ATM machine, I always hold my fingers over a subset of keys to warm them up while waiting for the excruciatingly slow computer in the thing to do its job. That probably sufficiently masks the thermal print left by actually entering my PIN. Furthermore, I have developed a habit of pressing on the keypad frame as if pressing a key on the pad to fool lurkers. That would probably also protect against the smartwatch approach. It's rather easy to protect against such attacks, just introduce sufficient noise.

    Note that most ATM machines allow pressing random keys while they're not ready for input. You might also want to press random keys during that time.

    --
    0x or or snor perron?!