The increasing popularity of smartwatches and wearables has opened up new channels for hackers. Romit Roy Choudhury and his team of researchers from the University of Illinois have managed to exploit data from the motion sensors of a smartwatch to determine what the user has been typing on a keyboard.
Most of the smartwatches these days have built-in accelerometer and gyroscope sensors. While they have extensive uses in activity tracking, health monitoring and gesture control, they are “double edged swords”. The team set out to discover whether the raw data from the sensors can be used to determine what the user may be typing on a keyboard. For the experiment, they developed an app called Motion Leaks (MoLe) on Samsung Gear Live smartwatches. They were then able to process the sensor data to predict the keypresses made by the wearer on a keyboard. This exploit is different from keyloggers because it does not require loopholes in the OS to log the data. The app can easily obtain the user’s permission to the sensor data. The experiment has exposed some serious privacy concerns. “A smartwatch app can be disguised as an activity tracker to heavily leak a user’s emails, search queries, and other keyboard-typed documents,” said the researchers. Although, tested on a Samsung Gear Live, they believe the process can be implemented in Fitbit and other such devices as well.
The app uses the data gathered from the accelerometer and the gyroscope to track the wrist movement as the user types on the keyboard. The collected data is then processed by a “Keystroke Detection” module. It calculates the timing of the keystrokes by analysing the vertical movement of the watch along the Z-axis. It also calculates the net 2D displacement on the XY-plane to predict the key. One way of tackling the vulnerability is by lowering the sample rate of the sensors, which generally hovers around 200Hz, to below 15.
There are few shortcomings with the process, though. Currently, it cannot predict special characters. Additionally, this app can only predict the keystrokes made from the hand wearing the watch. The researchers are working to discover further such sensor “leaks”. In spite of the shortcomings, it has managed to expose a very serious security vulnerability in wearables that needs to addressed quickly.