Beware: if you wear a smart watch, hackers could get your data
11 September 2015
They may be all the rage, but like all computer devices, smart watches are vulnerable to hackers, say University of Illinois researchers.
Using a homegrown app on a Samsung Gear Live smart watch, the University of Illinois at Urbana-Champaign researchers were able to guess what a user was typing through data 'leaks' produced by the motion sensors on smart watches. The project - Motion Leaks through Smartwatch Sensors (MoLe) - has privacy implications, as an app posing as a pedometer, for example, could gather data from emails, search queries and other confidential documents.
"Sensor data from wearable devices will clearly be a double-edged sword," says Romit Roy Choudhury, associate professor of electrical and computer engineering at Illinois. "While the device's contact to the human body will offer invaluable insights into human health and context, it will also make way for deeper violation into human privacy. The core challenge is in characterising what can or cannot be inferred from sensor data and the MoLe project is one example along this direction."
The app uses an accelerometer and gyroscope to track the micro-motion of keystrokes as a wearer types on a keyboard. After collecting the sensor data, researchers ran it through a 'Keystroke Detection' module, which analysed the timing of each keystroke and the net 2D displacement of the watch. For example, the left wrist moves farther to type a 'T' than an 'F'.
While the Illinois researchers developed MoLe to test their theory, it is conceivable that hackers could build a similar app and deploy it to iTunes and other libraries.
A possible solution to these motion leaks would be to lower the sample rate of the sensors in the watch. For instance, the sample rate is normally around 200Hz, meaning the system logs 200 accelerometer and gyroscope readings per second. However, if that number is lowered to below 15, the users' wrist movements become extremely difficult to track.
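The effect of such a cap can be seen on constructed data. The Python sketch below is an added example, not code from the MoLe project: the 10Hz cap, the window averaging and the synthetic trace are all assumptions chosen for illustration. It shows short keystroke-like bursts losing both amplitude and timing precision once readings are delivered at the lower rate.

```python
NATIVE_HZ = 200  # sensor rate quoted in the article
CAPPED_HZ = 10   # assumed cap, chosen below the article's figure of 15


def constructed_trace(duration_ms=2000, bursts_ms=(530, 1270), burst_len_ms=40):
    """Constructed 200 Hz motion magnitudes: a still wrist plus short bursts."""
    trace = [0.0] * (duration_ms * NATIVE_HZ // 1000)
    for start_ms in bursts_ms:
        first = start_ms * NATIVE_HZ // 1000
        for i in range(first, first + burst_len_ms * NATIVE_HZ // 1000):
            trace[i] = 1.0
    return trace


def rate_limit(trace, native_hz=NATIVE_HZ, capped_hz=CAPPED_HZ):
    """Deliver one averaged reading per window instead of every native sample."""
    if capped_hz <= 0 or native_hz % capped_hz:
        raise ValueError("capped_hz must be a positive divisor of native_hz")
    window = native_hz // capped_hz
    return [sum(trace[i:i + window]) / window
            for i in range(0, len(trace) - window + 1, window)]


def summarize(trace, hz):
    """Return (peak magnitude, timing resolution in ms, burst onset times in ms)."""
    step_ms = 1000 / hz
    onsets = [i * step_ms for i, v in enumerate(trace)
              if v > 0 and (i == 0 or trace[i - 1] == 0)]
    return max(trace), step_ms, onsets


if __name__ == "__main__":
    raw = constructed_trace()
    # Native stream: full-height bursts, onsets resolved to 5 ms.
    print("native:", summarize(raw, NATIVE_HZ))
    # Capped stream: bursts flattened, onsets only known to the nearest 100 ms.
    print("capped:", summarize(rate_limit(raw), CAPPED_HZ))
```

On this constructed trace the two 40 ms bursts keep their full height and exact onsets at 200Hz, while at 10Hz their peak drops to 0.4 and each onset is only known to within a 100 ms window.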
While their work has yielded revolutionary results so far, there is still a long way to go in polishing the data-collection process. The team's current system can't detect special characters such as numbers, punctuation and symbols that might appear in passwords. The 'space' bar or key also poses an obstacle. In addition, researchers can only collect data from the hand wearing the watch and from people who have standard typing patterns.
While a Samsung watch was used in this project, the researchers believe that any wearable device that uses motion sensors - from the Apple Watch to Fitbit - could be vulnerable as well.