Security researchers recently demonstrated that attackers can use motion-sensing data to hack into wearable devices like fitness trackers and smartwatches and access a user's device PIN. The premise is that if the wearable is on the same wrist as the hand used to enter the unlock PIN for a mobile device, then analysis of the data from the wearable's sensors can allow hackers to recreate the motion of that arm to figure out the user's PIN.
From the paper 'Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN':
In this work, we show that a wearable device can be exploited to discriminate mm-level distances and directions of the user's fine-grained hand movements, which enable attackers to reproduce the trajectories of the user's hand and further to recover the secret key entries.
Not only can device sensor data detect when you're lying on the couch, it can compromise your security. Scary.
But don't tear the wearable from your wrist just yet. Don't start randomly shaking your arm to add noise to the data. Instead, let's think about the attack from two angles: 1) the scale of the hack and 2) the difficulty of the hack.
For the sensor data to be used, it has to be extracted from the wearable. This implies compromising the wearable itself through something like malware, and then sending the sensor data to the hacker. Malware could be distributed to a large number of users, allowing sensor data to be collected, and hackers could correlate specific sensor data with a particular user. This seems non-trivial, but necessary if the data is to be used to unlock phones or tablets.
A more likely scenario would be a targeted attack where a particular user is chosen. For this, both of the following must be true:
The wearable can be compromised (so sensor data can be collected).
The hacker has access to the phone or tablet (so sensor data can be applied).
But if the attacker has physical access to the phone, there are easier ways to extract the PIN, like shoulder surfing or looking at the smudge pattern from oily fingerprints, which is much easier than also installing malware on a different wearable.
And unlocking the phone with the stolen PIN will give the hacker access to sensitive information on that phone, but it's unlikely to enable access to sensitive applications accessed from that phone. This is because any sensitive application (not Facebook) likely mandates a short session time, so that when it's launched, there will be an authentication prompt--one that the hacker with the PIN will fail. However, the unlocked phone could enable the phone as a second factor for an application session from some other device. But the burden of the first password authentication for the hacker remains the same.
Additionally, authentication systems are increasingly sensitive to the context in which a device is used to access applications, rather than to the mere possession of an unlocked phone, or even the password. For example, just having the device may be insufficient if it's being used from an anomalous location, or the operations being performed are inconsistent with the valid user's history.
And of course, the hack requires that the mechanism for unlocking the phone also involves some physical movement from the valid user. This movement can be interpreted via wearable sensor data in determining the associated secret (PIN or pattern). The growing capabilities of phones and tablets around biometric authentication mechanisms--either for local unlock or, via the FIDO Alliance frameworks, for server authentication--would completely mitigate the attack. Applying my finger to the TouchID sensor on my iPhone provides no useful movement data that could be used to retroactively determine the template.
Either way, this is an interesting attack. And given the IoT connection, it's definitely oh-so trendy. But it's not one that's likely to pique the interest of Russian hackers (at least those I know). It's still much easier to go after the passwords on a server than PINs on a device. So again, don't go throwing away those wearables...yet.