Researchers have shown that a smartwatch’s motion sensors can be used to detect what keys you’re pressing with your left hand (or whatever hand the watch is on) and thus guess at the words you’re typing.
Their findings suggest that it’s possible for cybercrooks to come up with an app that camouflages itself – for example, as a pedometer – and use it to track what someone types.
Once such an app were to be installed on a victim’s device, the crooks could theoretically eavesdrop on users and intercept sensitive information by gathering data from emails, search queries or the like.
The research focused on a Samsung watch, but the researchers say it’s possible that malware authors could write a similar app for any wearable device that uses motion sensors and plant it in app stores – thus potentially making other devices, such as Apple Watch and Fitbit, vulnerable to a similar attack.
Ted Tsung-Te Lai, a postdoctoral researcher on the team, had this to say:
We would just like to advise people who use the watch to enjoy it, but know, ‘Hey, there’s a threat’.
The work, done by Associate Professor Romit Roy Choudhury and a group of students, comes out of the Electrical and Computer Engineering (ECE) Illinois program.
Their project, called Motion Leaks (MoLe), included creating an app for a Samsung Gear Live smartwatch that uses an accelerometer and gyroscope to track the micro-motion of keystrokes as a wearer types on a keyboard.
After their app collected that sensor data, the researchers ran it through a “Keystroke Detection” module that analyzed the timing of each keystroke and the displacement of the watch as the wearer moved his or her wrist to reach for keys that were nearer or farther away.
You can see how it works in the researchers’ video.
As the video shows, the attack works by applying Bayesian Inference – a method of statistical inference used in many applications, including engineering – on the number of key presses made by the wearer’s left hand, the location of those presses, and the timing of key presses.
The distance between the characters “F” and “T”, for example, may seem negligible, but the researchers showed that the micro-time lapse of reaching that far is enough – when combined with data about key-press spacing on a two-dimensional plane – to differentiate which keys are pressed.
While the research is interesting, it’s hardly cause to toss your pricey wrist bangle in the trash at this point.
As it is, the team’s system can’t detect special characters such as numbers, punctuation, and symbols that might appear in passwords.
Nor does it know how to deal with a spacebar press.
The university’s writeup of the project reports that the researchers can only collect data from the hand wearing the watch and from people who have standard typing patterns. However, the team is working on creating and incorporating methods of detecting less regular typing patterns.
Also, the characters typed by the right hand – or whatever hand isn’t wearing the watch – are hidden from any such snooping app, though the team’s system does interpret longer gaps between presses as a likely sign that the hand without the watch has pressed one or more keys.
At this stage, if the team’s system detects that a word longer than 6 characters has been typed and that it contains, say, a “W,” it will on average shortlist 10 words that contain a “W.”
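To make the shortlisting idea concrete, here is a small model of how much a left-hand-only observation narrows down a typed word. This is an added illustration, not code from the MoLe project: it assumes a US QWERTY touch-typing split (left hand on Q-T, A-G, Z-B; right hand on the rest), a constructed word list with made-up frequencies as the prior, and an observation in which right-hand presses show up only as gaps, as described above. The likelihood is a simple 0/1 match, so the posterior is just the prior renormalised over the words that fit the observed shape.

```python
"""Model of how much a left-hand-only keystroke observation narrows a typed word.

Constructed example: QWERTY left/right hand split, a small word list with made-up
frequencies as the prior, and a pattern in which right-hand presses appear only
as gaps. Not the MoLe project's code.
"""
from collections import Counter

# Standard touch-typing split of a US QWERTY layout (assumption: the typist follows it).
LEFT_HAND = set("qwertasdfgzxcvb")
RIGHT_HAND = set("yuiophjklnm")

# Constructed word list with made-up relative frequencies (the prior P(word)).
PRIOR = Counter({
    "water": 50, "watch": 40, "world": 60, "word": 70, "wrong": 30, "wrung": 1,
    "sweater": 5, "wafer": 3, "street": 20, "secret": 15, "sector": 10,
})


def signature(word):
    """Reduce a word to what the watch hand reveals: the left-hand letters in order,
    with each run of right-hand letters collapsed into a single '_' gap marker."""
    out = []
    for ch in word.lower():
        if ch in LEFT_HAND:
            out.append(ch)
        elif ch in RIGHT_HAND:
            if not out or out[-1] != "_":
                out.append("_")
        else:
            # Digits, punctuation and the spacebar are outside this model,
            # matching the limitations reported for the research.
            raise ValueError(f"unsupported character {ch!r}")
    return "".join(out)


def posterior(observed_sig, prior=PRIOR):
    """Bayes with a 0/1 likelihood: P(word | sig) is proportional to
    P(word) * [signature(word) == sig], normalised over matching words."""
    matches = {w: p for w, p in prior.items() if signature(w) == observed_sig}
    total = sum(matches.values())
    return {w: p / total for w, p in matches.items()} if total else {}


def shortlist(observed_sig, prior=PRIOR):
    """Candidate words for an observed signature, most probable first."""
    post = posterior(observed_sig, prior)
    return sorted(post, key=post.get, reverse=True)


def ambiguity(prior=PRIOR):
    """Number of distinct words sharing each signature: the shortlist size an
    observer is left with for words of that shape."""
    return dict(Counter(signature(w) for w in prior))


if __name__ == "__main__":
    for sig in ("water", "watc_", "w_r_d", "wr_g"):
        print(sig, "->", shortlist(sig), posterior(sig))
    print(ambiguity())
```

Running it shows the two cases the article describes: a word typed entirely with the watch hand (“water”) is recovered outright, while a shape such as “wr_g” leaves the observer choosing between “wrong” and “wrung” with only the prior to separate them. Enlarging the word list makes the shortlists longer, which is the direction the reported 10-word figure points in.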
The team’s paper notes that the researchers discovered additional data “leaks” that could further reduce the shortlist of possible intercepted words – vulnerabilities that point the way to future research.
The school’s article on the research quotes Associate Professor Choudhury:
Sensor data from wearable devices will clearly be a double-edged sword. While the device's contact to the human body will offer invaluable insights into human health and context, it will also make way for deeper violation into human privacy.
The core challenge is in characterizing what can or cannot be inferred from sensor data and the MoLe project is one example along this direction.
The project was presented last week at the MobiCom 2015 conference in Paris.