Sensors, such as accelerometers, found in wearable devices can be used to reverse engineer a human hand's movements and trajectories while at an ATM, thus giving away the PIN code, researchers say.
The findings bring into question the fundamental security of smartwatches.
Malware installs on devices might be one way the newly discovered hack could work, the scientists say. The software would wait for a mark to use a secure system, such as a keypad-controlled enterprise server, for example, and then collect data from the gyroscope, magnometer, accelerometer and other sensors. (Devices use those sensors to measure fitness and so on.)
It would then send the harvested data back to the bandit who uses an algorithm to interpret the collected hand trajectories and map them into millimeter-accurate keypad numbers.
In testing, the crack was found to have "80 percent accuracy on the first try and more than 90 percent accuracy after three tries," Binghamton University and the Stevens Institute of Technology say in a press release about the discovery.
The university tested 5,000 systems with 20 adults over 11 months.
A second way the same attack can be implemented is through a Bluetooth connection between the wearable device and the user's smartphone. The criminal merely plucks the "fine-grained hand movement" raw data from the radio communication with a nearby sniffer and then runs the same mathematics.
Encryption isn't good enough in wearable devices where the "device and host operating system" meet.
Fitness fanatics often use a smartphone's larger screen to view the watch-collected exercise data and see how well they're doing-or not. Bluetooth is used for the connection.
"Distance and direction estimations between consecutive keystrokes" are provided through the hand movements in both scenarios. Then the team's "Backward PIN-sequence Inference Algorithm" breaks the codes.
And it does it with "alarming accuracy without context clues about the keypad," the university says. A lack of context is a big deal. The scientists say the malefactor doesn't need to know details about the keyboard to perform the felonious deed.
"The threat is real, although the approach is sophisticated," says Yan Wang, paper co-author and assistant professor of computer science within the Thomas J. Watson School of Engineering and Applied Science at Binghamton.
However, the point is that "wearable devices can be exploited," Wang says in the release.
The problem is principally that security isn't strong enough, the scientists say. Smartwatch "size and computing power doesn't allow for robust security measures, which makes the data within more vulnerable to attack," they say.
Indeed some argue that many internet-connected devices at the consumer level, like home IoT, overall aren't secure. Experts say one reason is because the fast development cycle of the new genres doesn't allow enough time for testing. And low profit margins in consumer products, such as home IoT devices, and conceivably wearable tech means corners may get cut.
Sign up for CIO Asia eNewsletters.