Could your smartwatch or fitness tracker give hackers a way to see what you type into your computer keyboard, home security system, or ATM? That’s the ominous idea behind a new paper by Tony Beltramelli, a masters student at the IT University of Copenhagen.
The concept, which Beltramelli calls “deep-spying,” is that malicious parties with access to the gyroscope and accelerometers in a piece of wearable tech could look at the tiny motions your wrist makes as you type, process the data, and emerge with a reasonable guess as to what you wrote—almost as though they were reading your mind.
“A smartwatch is indeed potentially worn for an extended period such as the whole day, offering a pervasive attack surface to cyber-criminals,” wrote Beltramelli. “The implications are therefore significant: exploiting motion sensors for keystrokes inference can happen continuously.”
Beltramelli wrote code that collects motion information from a Sony SmartWatch 3, performs a sophisticated analysis and then guesses what the wearer typed. A short video demo shows the system guessing which numbers a wearer is punching into a 9-digit keypad in almost real-time.
“Dramatically, these observations imply that a cyber-criminal would be able, in theory, to eavesdropped on any device operated by the user while wearing a [wearable]," he wrote.
One practical takeaway, according to Beltramelli? Strap your wearable to your less preferred arm.
Earlier this year, researchers at the University of Illinois at Urbana-Champaign collected information from Samsung Gear Live smartwatches to make alarmingly accurate guesses about what volunteers wearing them had typed.
“While a user is typing at a keyboard, his wrist motion—even if it is ‘micro-motion’—can be used to infer what a user is typing,” said He Wang, a Ph.D. candidate who worked on the Ubana-Champaign research.