Smart devices depend on motion sensors in the same way living things depend on their sense of balance and sense of hearing, potentially making it easier for hackers to spy in dramatically microscopic ways.
(TNS) -- Elisa Acosta got her new Apple smartwatch from her mom and dad as a graduation gift.
She works as an aerospace engineer for Spirit AeroSystems in Wichita and serves as a volunteer coach for the rowing team at Wichita State University, where she graduated in May.
Her smartwatch helps her multitask in her busy life. She can talk to it while working or driving or rowing along the Little Arkansas River. It takes near-perfect voice dictation for texts. It takes her calls and tells her where to turn her car to drive up a street to keep an appointment.
She wears it on her left wrist. And that’s where technologists say hackers could come after her someday.
The watches can now watch us.
Murtuza Jadliwala researches ethics, trust, privacy, security and computer technology at WSU’s College of Engineering.
He just completed a semester of testing involving a dozen students at WSU wearing smartwatches.
He found that the sensors in smartwatches could be used by hackers to steal information about bank accounts and passcodes.
“We think that in using very simple tricks, some hackers can be able to infer what numbers some smartwatch users are typing on their numeric keypads, including PIN codes and other numbers,” he said.
“It’s a little bit scary.”
He will present his findings at the 19th International Symposium on Wearable Computers in September in Osaka, Japan. Only about 20 percent of the papers submitted are selected for presentation, he said.
The tiny screen light on Acosta’s smartwatch goes dim to save battery power when she’s not using it. It lights up when she moves her wrist. Using tiny, hypersensitive motion sensors called accelerometers, it senses her every move.
Smartphones have them too. Hold a smartphone vertically, and the text or photo will turn right side up. Turn the phone to the horizontal position and the text or photo again turns right side up. The accelerometer sensed the movement and made adjustments.
All smart devices have sensors, Jadliwala said – everything from GPS location sensors to light sensors to audio, and more.
To protect their privacy and money, people need to understand what those different sensors are, Jadliwala said.
For example, if you don’t set up your Facebook settings correctly, the GPS sensor might tell strangers the exact location of your home, embedded in that cute photo you took of your children in your kitchen.
But most social media platforms ask your permission to access your location, he said.
One problem with motion sensors, as opposed to location sensors, is that there are not the same safeguards. Permission isn’t asked, Jadliwala said.
So if the smartwatch gets hacked, hackers could spy on the smartwatch wearer, in dramatically microscopic ways.
“Wearable devices, such as smartwatches, are equipped with a number of sensors, which can capture a variety of contextual information and enable diverse applications,” said Anindya Maiti, a WSU student who helped Jadliwala with his research project. “However, these sensors can also become a threat to user privacy.”
Smart devices depend on motion sensors in the same way living things depend on their sense of balance and sense of hearing. Are we up now, or down, or sideways? Are we moving, and in what way? What’s that sound or motion I just sensed, and do I recognize it?
Acosta, a university-trained athlete interested in health, uses the motion sensors in her smartwatch to stay healthy. “It buzzes and tells me when I’ve sat still too long, and that it’s time to get up and move.” The watch can count how many steps she’s walked during a day. There’s an app for that.
But here’s where things could get “a little scary,” as Jadliwala said.
Let’s say the health app she downloaded was created by hackers and it loops itself into the smartwatch motion sensors.
Now let’s say she gets up to move around for good health, like her app told her to.
She takes exactly 24 steps down the hallway. The app counts 24 steps exactly.
But then she pulls out her smartphone, using her left hand, where she wears her smartwatch. And she multitasks. She walks for health while checking her bank account online.
Using her left thumb, she taps on the numeric keypad. Her wrist makes a microscopic motion to move her thumb. She gains access to her private bank account, tapping in her PIN number and access password with her thumb. The smartwatch motion sensor can sense the exact, unique motion that her left wrist makes when her left thumb types the 6 key. Then it senses the different minuscule motion her wrist makes to move her thumb to tap the 4 key. And so on.
The hacker is using that app to secretly and wirelessly monitor the keystrokes.
And she just told him her PIN number.
“As a result, the infected smartwatch can act as an eavesdropping device that the targets themselves may place on their wrist, and unsuspectingly have it on their wrist while typing on a smartphone,” Jadliwala wrote in the paper he will present at the international conference.
“When the victim types on a hand-held phone, the uniqueness in the wrist motion caused in the process of typing can be captured and used by the attacker to infer the keys typed by the victim,” Maiti said.
Jadliwala replicated this hack in the study he did during the first half of this year at WSU. The app he embedded in the smartwatches of a dozen students was picking up PIN numbers and other private information the students typed on keypads near the smartwatches they were wearing.
Jadliwala tested his concerns about smartwatches in the most commonly used ways he and his co-researchers could think of. In an e-mail, he described several “tapping” scenarios:
“Our (hacker) attack works in all the above scenarios,” he wrote.
The one way they found where the hacking would fail: wear the watch on one wrist, and use the opposite hand to not only hold the phone but type on the pad.
Google would not comment, saying the technology company wanted to review Jadliwala’s finished paper first. But Ravi Pendse, a technologist now working for Brown University in Rhode Island, said Google, Apple and all other major tech companies are aware of how vulnerable accelerometers and other hidden sensors can make us.
“They’ve got a lot of reputation at risk, so they’ve got their smartest people working hard already, to keep us all safe,” he said.
Five years ago, Pendse said, technologists at one of the major companies realized that accelerometers (motion sensors) inside their phone had become so good that a phone placed beside a computer keyboard could sense and define the unique sounds that fingers made on each key.
“Smartphones can be trained just like dogs, in a way,” Pendse said. “So they realized that if they put a 60,000-word dictionary in the phone, the phone’s accelerometer could understand most of the words being typed on the keyboard. And that meant that if the phone was hacked, hackers could know what was being typed.”
There are many other scary stories, Pendse said. A Chinese government project not long ago programmed smartphones to listen to the background noise of train stations along a long train route. The phones soon “knew” which station they had arrived at, just by listening to the background noise from each station. The sounds at each station were unique, though human ears would have to work hard to tell any difference.
By 2018 or so, experts predict, there will be 150 million smart devices in the U.S., carried by more than half the population, Pendse said. We’ll be surrounded by devices that watch and listen and study us at deeper levels of understanding.
Hackers and spies are going to love this technology, Pendse said. They’ll be able to spy and hack more easily, unless headed off by smart human beings.
“So this doesn’t mean you throw away your smartwatch,” Pendse said.
“But it does mean we really need people like Murtuza Jadliwala to keep doing his great work, so we can identify problems and head them off.”
©2015 The Wichita Eagle (Wichita, Kan.) Distributed by Tribune Content Agency, LLC.