Just like Santa Claus, those nifty motion sensors in your smartwatch know when you’re sleeping, know when you’re awake, and probably know whether you’ve been bad or good, too. But, with a little help from advanced neural networks, could they help a cybercriminal steal your ATM login?
They just might.
So says IT University of Copenhagen student Tony Beltramelli, in his recent research paper. If he’s right, smartwatches and other wearables might represent the quintessential “pervasive attack surface”: you could be vulnerable whenever you’re wearing one.
We first told you about this risk back in September, covering earlier work by Professor Romit Roy Choudhury and his Electrical and Computer Engineering students at the University of Illinois.
When you type – whether on a tablet or smartphone keyboard, a hotel safe, building entry system, or ATM – you’re obviously moving. Your patterns of movement could be translated back into what your fingers just typed.
But inferring keystrokes is hard to do. That raw motion-sensor data is really noisy. Some folks move around a lot when they’re typing, others not so much. Some approach the keypad from different heights or angles; some are quicker or slower.
Keystroke rhythms are unique enough that they’ve been used alongside passwords in multifactor authentication. Differing device sizes, screen orientations, and sensor chips can affect accuracy, too.
To overcome these problems, the researchers link motion sensor data with neural networks and machine learning systems. But it’s still hard. Beltramelli’s new work short-circuits much of the complexity, potentially making keystroke inference a lot more realistic.
His secret sauce: advanced deep learning algorithms (specifically, ‘RNN-LSTM’ if you’re curious). These algorithms have been going gangbusters in computer vision and language processing, but not with motion sensor data – until now.
Beltramelli claims his deep learning system can achieve up to 73% accuracy in touchlogging and 59% in keylogging, even with raw unprocessed data. (See an example for yourself, below.)
That’s obviously far from perfect. But it’s impressive enough that a cracker might be able to get the rest of the way using other means.
What’s more, neural networks and smartwatch technology are improving fast, enabling better accuracy. (Consider, for example, the potential of integrating motion with other sensors, such as galvanic skin response.)
And, as Beltramelli points out, the algorithms he’s using are widely available in open source projects. So anyone can move this work forward – and they probably will.
For an attack like this to work, the bad guys need to capture the sensor data, via a malicious app on the wearable, although there’s no evidence this has happened yet.
So what can you do? Buried on page 73 of Beltramelli’s paper is one powerful precaution you can take right now.
If you’re not already doing so, wear your device on the hand you don’t use to enter keypad logins.
Pinocchio
The other precaution with touch-screen pads is to randomly scramble the order of the pad numbers so that the movement varies every time.
However I would beg the designers to include an illustration of an unscrambled pad for those of us who remember a pattern on an unscrambled pad. It helps us turn the pattern back to numbers!
And are 4 numbers sufficient – might most of us be able to remember 6 or 7?
Sammie
Not sure how many people wear the smart watches on the hand they use to enter the PIN. Even if you do, just use the other hand to enter the PIN. If you do have a smart watch on both hands, well just use contactless :)
Mahhn
“those nifty motion sensors in your smartwatch know when you’re” doing personal things, by the motion. Soon MS will be releasing all the data (supposedly anonymously) how many flicks of the wrist it takes to,,, get the ketchup out of the bottle…..
Steve
MS? More likely Google.
Kyle Saia
Google? more like Apple