Experiment: Can smartwatch movements reveal a password?<\/h2>\n
<\/p>\n
We started with an Android-based smartwatch, wrote a no-frills app to process and transmit accelerometer data, and analyzed what we could get from this data. For more details, see our full report<\/a>.<\/p>\n The data can indeed be used to work out if the wearer is walking or sitting. Moreover, it\u2019s possible to dig deeper and figure out if the person is out for a stroll or changing subway trains \u2014 the accelerometer patterns differ slightly; that\u2019s also how fitness trackers differentiate between, say, walking and cycling.<\/p>\n It\u2019s also easy to see when a person is typing on a computer. But working out what<\/em><\/em> they are typing is way more complex. Everyone has a specific way of typing: the ten-finger method, the one- or two-digit keyboard stab, or something in-between. Basically, different people typing the same phrase can produce very different accelerometer signals \u2014 although one person entering a password several times in a row will produce pretty similar graphs.<\/p>\n So, a neural network trained to recognize how a particular individual enters text could make out what that person types. And if this neural network happens to be schooled in your<\/em> particular way of typing, the accelerometer data from the smartwatch on your wrist could be used to recognize a password based on your hand movements.<\/p>\n However, the training process would require the neural network to track you for quite a long time. The processors in modern portable gadgets are not powerful enough to run a neural network directly, so the data has to be sent to a server.<\/p>\n And therein lies trouble for a would-be spy: The constant upload of accelerometer readings consumes a fair bit of Internet traffic and zaps the smartwatch battery in a matter of hours (six, to be precise, in our case). Both of those telltale signs are easy to spot, alerting the wearer that something is wrong. Both, however, are easily minimized by scooping up data selectively, for example when the target arrives at work, a likely time for password entry.<\/p>\n In short, your smartwatch can be used to identify what you\u2019re typing. But it\u2019s hard, and accurate recovery relies on repeat text entry. In our experiment, we were able to recover a computer password with 96% accuracy and a PIN code entered at an ATM with 87% accuracy. <\/strong><\/p>\n <\/p>\n For cybercriminals, however, such data is not all that useful. To use it, they\u2019d still need access to your computer or credit card. The task of determining a card number or CVC code is way trickier.<\/p>\n Here\u2019s why. On returning to the workplace, first thing the smartwatch owner types is almost certainly a password to unlock their computer. That is, the accelerometer graph indicates first walking, then typing. Based on data obtained just for this brief period, it\u2019s possible to recover the password.<\/p>\n But the person won\u2019t enter a credit card number as soon as they sit down \u2014 or get up and walk away immediately after entering that data. What\u2019s more, no one will ever enter this information several times in short succession.<\/p>\n To steal data-entry information from a smartwatch, attackers need predictable activity followed by data entered several times. The latter part, incidentally, is yet another reason not to use the same password for different services.<\/p>\n![\"\"](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2018\/05\/30174004\/spying-smartwatch-research-app.jpg\")
<\/a><\/p>\nIt could be worse<\/h3>\n