Wearables Security Flaw: Hand Motions Tracked To Find Passwords, PINs

The movements of a hand with a wearable device on the wrist may provide detailed indicators of which keys are typed on a keypad and in what order.

That’s the latest finding in a detailed report by university researchers.

Because the accuracy of data from wearables is so high, that same information may be used to determine when the hand (or finger) pressed down on a key, and the sequence of strokes.

"Wearable devices can be exploited," said Yan Wang, co-author of the study.

The study was conducted by researchers from the Stevens Institute of Technology and Binghamton University. The researchers ran 5,000 tests on key-based security systems with 20 adults using different wearables and a computer algorithm to collect and analyze the data.

"Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers," Wang said.

Passwords and PINs were successfully derived from data from wearables at a rate of 80% on the initial attempt and 90% by the third attempt.

The hand position and movement data was intercepted from the various sensors in fitness trackers and smartwatches, providing location information accurate to the millimeter level, according to the study. That data was then analyzed to reverse-engineer a complete password or PIN.

Although ATM fraud is far from a new concept, this is the first known successful attempt that uses only data from wearables and no additional contextual information.

Due to the limited computing power of wearables, they don’t inherently have much security in place to stop such attacks. As a result, the study recommends that companies add ‘data noise’ to prevent highly detailed data from being intercepted, while still maintaining key functionality within the devices.

The researchers say this is a real threat, but they have not yet found a full solution.

 