Nowadays, it seems like every company has a smartwatch. They can do everything from tracking your heart rate to making phone calls and gasp telling time. But did you know that they can also be used to recognize what you are typing?
Ok, that’s new.
Wearable devices like fitness trackers and smartwatches have raised security concerns from their inception. This is primarily due to the data that they collected and transfer to the cloud could end up in the wrong hands or sold to the highest bidder.
Fitness tracker vendors are trying their best to convince users that their data is secure, but at the same time they sell smart bracelets en masse to corporate clients For example, companies can use these wearables to track their employees’ health, which is definitely not the way the private data should be treated. It turns out that this issue probably in not the worst part of the fitness trackers and smartwatches question.
— Kaspersky Lab (@kaspersky) October 30, 2014
When Roman Unuchek at Kaspersky Lab found out that it’s very easy to connect a smartphone to practically any fitness tracker, which is already connected to another device, he concluded his research with a relatively positive note:
“By hacking the bracelet I have, the fraudster cannot get access to all user data as this is not stored on the wristband or in the phone — the official application regularly transfers information from the wristband to the cloud.“
— Kaspersky Lab (@kaspersky) March 26, 2015
Later Tony Beltramelli, a student at IT University of Copenhagen, has shown that the fraudster does not need this data to harm the wearable device’s owner. In his master’s thesis project, he demonstrated that after obtaining access to a smartwatch, one can track it’s owner’s gestures and reverse-engineer them into symbols they type on a numeric keypad.
What the researcher is actually relying on is the fact that every user has their own unique style of typing. Researchers had once suggested that this fact can be used to enhance security: in order to get access to something you need not only to type-in the password, but to do it the certain manner — with the pattern of keystrokes the owner of the device is used to.
In his experiment Beltramelli used an Android Wear-based Sony Smartwatch 3, a hand-made numpad, and a piece of code with some artificial intelligence capabilities. His software was aware of his own unique typing pattern and thus, using the data from the motion sensors built-in to the smartwatch, was able to convert these data into the digits he actually typed, hitting over 60% accuracy.
Ok, someone can use a hacked smartwatch to learn what we type on a numpad. Now what?
Technically… A lot of bad things could happen.
This numpad could have been a PIN-pad on an ATM or in the card reader device in a shop, and now the adversary knows the PIN code of your credit card. Or the numpad could have been your phone’s lock screen — once the malefactor gets his hands on your phone, he can easily get all the information including your contacts, messages, banking account data and so on, because now he knows your PIN-code.
— Kaspersky Lab (@kaspersky) September 16, 2015
Moreover, if someone can make the software to recognize the digits on the numpad, they can probably improve it and make it to distinguish the letters on a common computer keyboard. If that happens, the adversary could be able to track whatever you type, making all of your correspondence insecure. Well, since you have only one smartwatch, only one of your hands can be traced, but half of the letters you typed in could be enough to comprehend what exactly you were typing.
We don’t have any proof that threats like this may be already in the wild, but believe us, you surely wouldn’t like to encounter one of them if or when it turns out that they actually exist – in this case there is only one way to protect yourself. You have to be sure that no malware is installed on your smartwatch.
— Kaspersky Lab (@kaspersky) January 14, 2016
There are two things you can do to increase your wearable’s security.
- Download your apps only from official stores like Apple App Store, Google Play or Amazon Appstore. Apps from these markets are not 100 % failsafe, but at least they get checked by shop representatives and there is some filtration system — not every app can get into these stores.
— Kaspersky Lab (@kaspersky) September 23, 2015
- Use a proper security solution. Since all the apps that get to your watch are first downloaded to your phone, they are automatically checked if you have Kaspersky Internet Security for Android Premium installed.