Smartwatches sensors could be used to track their users and even identify when they are entering a PIN at an ATM, according to new research.
Kaspersky Lab says that the sensors in a smartwatch can potentially be compromised, and the data they record can be analysed to show unique patterns of behaviour of its wearer.
Typically a smartwatch or fitness tracker includes built-in acceleration sensors (accelerometers), which are often combined with rotation sensors (gyroscopes) for step counting and identifying the user's current position. Researchers from the company created a simple smartwatch application which collected data from Android smart watches to see what could be learnt from patterns in the data.
The researchers showed that it is possible to identify behavioural patterns, periods of time when and where users were moving, and how long they were doing it. Most importantly, it was possible to identify sensitive user activities, including entering a passphrase on the computer (with accuracy of up to 96%), entering a PIN code at the ATM (approximately 87%) and unlocking the mobile phone (approximately 64%).
In the Securelist blog, Sergey Lurye, a security enthusiast and co-author of the research at Kaspersky Lab wrote: "It is possible to determine when the user arrives at work, signs into a company computer, unlocks his or her phone, etc. Comparing data on the subject's movement with the coordinates, we can pinpoint the moments when they visited a bank and entered a PIN code at an ATM."
While the analysis to discover the data was quite complex, and some data would require analysis with neural networks to detect useful information, the researchers warned that smart watches and fitness trackers could easily become a new attack surface which exploits less-protected systems. An illicit smartwatch app could be used to harvest user's data, and in combination with other attack methods, such as installing a skimmer at the user's favourite ATM, be used to steal funds or compromise systems.
"Smart wearables are not just miniature gadgets, they are cyber-physical systems that can record, store and process physical parameters. Our research shows that even very simple algorithms, being run on the smartwatch itself, are able to capture the unique user's profile of accelerometer and gyroscope signals. These profiles can then be used to deanonymize the user and track his or her activities, including the moments when entering sensitive information. And this can be done via legitimate smartwatch apps that covertly send signal data to third parties," said Lurye.