14 July 2016

HACKERS CAN STEAL YOUR ATM PIN FROM YOUR SMARTWATCH OR FITNESS TRACKER

by RC Porter 
July 9, 2016


Swati Khandelwal had an article in the July 7, 2016 online edition of TheHackerNews, with the title above. She begins by noting that “as your day-to-day apparel and accessories are turning into networked mobile electronic devices that attach to your body like a smartwatch, or fitness band, the threat to our personal data these devices collect has risen exponentially.” And she warns, “a recent study by Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think — and it could be used to steal your ATM PIN code.”

“The risk lies in the motion sensors used by these wearable devices,” Ms. Khandelwal notes. “These sensors also collect information about your hand movements, among other data — making it possible for attackers to ‘reproduce the trajectories’ of your hand and ‘recover secret key entries.’”

In the paper titled “Friend Or Foe?: Your Wearable Devices Reveal Your Personal PIN,” computer scientists from the Stevens Institute Of Technology and Binghamton University “used a computer algorithm that can guess your password and PIN with about 80 percent success rate on the first attempt, and over 90 percent of the time — with three tries.”

Retrieving Passwords And PINs Using This Method

“The researchers said their ‘Backward PIN-Sequence Inference’ algorithm can be used to capture anything a person types on a keyboard — from automatic teller machine, or ATM, keypads to mobile keypads — through infected smartwatches, even if the person makes slight hand movements while entering PINs,” Ms. Khandelwal warns. “The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes, and magnetometers inside wearable technologies — regardless of a hand’s pose,” reports Phys.org.

The researchers did not name specific companies in the wearable technology space whose products could be vulnerable; but, the researchers warned that “attackers [hackers] can record information about your hand movements… either directly by infecting your wearable device with malware; or, remotely — by intercepting the Bluetooth connection that links your wearable device to your [mobile] phone.”

The Bottom Line:

Ms. Khandelwal ends by noting that “the [research] team doesn’t have any robust solution to prevent this [kind of] attack [hack]; but, recommends manufacturers and developers to confuse hackers by inserting ‘a certain type of noise data,’ that would allow the device to still be used for fitness tracking — but, not for guessing keystrokes. Another way is to take a low-tech approach — always enter your passwords, or PINs with the hand that is not having a wearable device with the highly sophisticated motion tracker.”
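To make the “noise data” recommendation concrete, here is an added example that is not code from the article, from Ms. Khandelwal, or from the Stevens/Binghamton researchers. It is a small Python harness that builds constructed wrist-accelerometer samples, injects Gaussian noise the way a device firmware might, and checks two things: that step counting (the fitness feature) still works, and that the millimeter-scale displacement estimate an attacker would need for keystroke recovery is swamped by the noise. The 50 Hz sampling rate, the signal amplitudes, the 3 mm key press, the noise level, and every function name are assumptions.

```python
"""Added example (not from the article or the cited paper): a harness to check
the 'noise injection' mitigation.  It constructs synthetic wrist-accelerometer
samples, injects Gaussian noise, and measures (a) whether step counting survives
and (b) how badly the noise corrupts the millimetre-scale displacement estimate
needed for keystroke recovery.  Rates, amplitudes and noise level are assumed."""
import math
import random

DT = 0.02  # assumed 50 Hz sensor sampling interval (seconds)


def walking_signal(seconds=5.0, cadence_hz=2.0, amp=2.0):
    """Constructed vertical acceleration (m/s^2) of a swinging wrist while
    walking: one sinusoid cycle per step."""
    n = int(round(seconds / DT))
    return [amp * math.sin(2 * math.pi * cadence_hz * i * DT) for i in range(n)]


def keypress_signal(displacement_m=0.003, seconds=1.0, move_samples=24):
    """Constructed acceleration of a small push towards a keypad: constant
    acceleration for half the move, constant deceleration for the other half,
    then rest.  Integrated twice this yields exactly displacement_m."""
    n = int(round(seconds / DT))
    half = move_samples // 2
    a = displacement_m / (DT * DT * half * half)
    return [a if i < half else -a if i < 2 * half else 0.0 for i in range(n)]


def inject_noise(samples, sigma, rng):
    """The mitigation under test: add zero-mean Gaussian noise to every sample."""
    return [x + rng.gauss(0.0, sigma) for x in samples]


def moving_average(samples, window):
    """Full-window causal moving average (drops the first window-1 points)."""
    return [sum(samples[i:i + window]) / window
            for i in range(len(samples) - window + 1)]


def count_steps(samples, threshold=1.0, window=10):
    """Fitness-tracker view: a step is an upward crossing of +threshold after
    the smoothed signal has gone below -threshold (hysteresis rejects jitter)."""
    steps, armed = 0, True
    for x in moving_average(samples, window):
        if x < -threshold:
            armed = True
        elif x > threshold and armed:
            steps += 1
            armed = False
    return steps


def recover_displacement(samples):
    """Trajectory view (kept minimal): integrate acceleration twice to get the
    net displacement in metres over the window; noise accumulates here."""
    v, p = 0.0, 0.0
    for a in samples:
        v += a * DT
        p += v * DT
    return p


def predicted_error_std(sigma, n):
    """Analytic std of the displacement error produced by white noise of std
    sigma over n double-integrated samples: DT^2 * sigma * sqrt(sum of m^2)."""
    return DT * DT * sigma * math.sqrt(n * (n + 1) * (2 * n + 1) / 6)


def evaluate_mitigation(sigma=0.3, trials=200, seed=1):
    """Run both checks over many independent noise draws and summarise them."""
    rng = random.Random(seed)
    walk, press = walking_signal(), keypress_signal()
    true_steps = count_steps(walk)
    true_disp = recover_displacement(press)
    steps_ok = all(count_steps(inject_noise(walk, sigma, rng)) == true_steps
                   for _ in range(trials))
    sq_err = [(recover_displacement(inject_noise(press, sigma, rng)) - true_disp) ** 2
              for _ in range(trials)]
    return {
        "steps_preserved": steps_ok,
        "true_displacement_m": true_disp,
        "rms_error_m": math.sqrt(sum(sq_err) / trials),
        "predicted_error_std_m": predicted_error_std(sigma, len(press)),
    }


if __name__ == "__main__":
    r = evaluate_mitigation()
    print(f"steps preserved under noise: {r['steps_preserved']}")
    print(f"key press of {r['true_displacement_m'] * 1000:.1f} mm recovered with "
          f"RMS error {r['rms_error_m'] * 1000:.1f} mm under noise "
          f"(predicted {r['predicted_error_std_m'] * 1000:.1f} mm)")
```

The point the harness makes is about scale: white noise of 0.3 m/s^2 is a small fraction of the 2 m/s^2 walking swing, so a smoothed threshold detector still counts every step, but double integration turns that same noise into centimetres of displacement error over one second, an order of magnitude larger than the 3 mm press it is meant to hide. A real firmware mitigation would have to tune the noise level and shape against the device's actual fitness algorithms, and a determined attacker could average over repeated entries, so the harness is a sanity check on the idea rather than a proof of safety.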

Some Parting Observations/Thoughts: The Internet Of Things Is The Internet Of Threats

I wrote back in January that one of the emerging cyber threats for 2016 would be hackers targeting fitness devices to get to someone’s personal data. Since these devices are, more often than not, linked to one’s cellphone, and the cellphone is connected to one’s laptop, and so on, you get the picture. Cyber thieves targeting these devices figure that if you are exercising at a fitness center, you probably have disposable income, and thus are a potential, untapped, lucrative target. Yes, fitness devices are very small, they have a limited attack surface, the malware must be equally small, and a hacker must be close by to pull off a successful cyber heist. But fitness devices are likely to be increasingly targeted as a way to either gain access to ATM PIN numbers, and/or to establish an initial beachhead, and ultimately use this breach as a means to compromise the corporate network where the victim works.

The fitness tracker industry will need to improve the security of these devices going forward; but, until they do, hackers see these devices as a potentially lucrative space to conduct their malicious activities.

And of course, these same techniques could/should be employed by the Intelligence Community, hostile intelligence services, and law enforcement as a means to get the intelligence they need.
