Researchers find smartwatches can leak sensitive information about users’ computer activities.
Smartwatches can tell your heart rate, count how many steps you took today, and track your sleep cycle.
Soon, they might be able to tell hackers or spies what you're typing on your keyboard, revealing the emails you write, or the passwords you input, according to a group of researchers.
"While a user is typing at a keyboard, his wrist motion—even if it is 'micro-motion'—can be used to infer what a user is typing," He Wang, one of the researchers and a Ph.D. candidate at the University of Illinois at Urbana-Champaign, told Motherboard in an interview.
In other words, a hacker could use a malicious app to record the movement of a person's wrist, thanks to the smartwatch's accelerometer and gyroscope, and figure out which keys that person is pushing. Wang, along with colleagues Ted Tsung-Te Lai and Romit Roy Choudhury, explained how this is possible in a recent research paper.
The researchers asked eight volunteers wearing a Samsung Gear Live smartwatch to type 300 different English words, and recorded the movement of their wrists through the wearable's sensors. Then they uploaded the data to an automatic system they devised, which had been fed "training" data created by two of the researchers, who had typed 500 words each.
Based on the data, which is inherently incomplete given that it only tracks one hand, the system, dubbed "MoLe," can reasonably guess what words the volunteers typed, returning a list of the 10 most likely words.
The researchers warn that this way, at least in theory, a hacker could turn a smartwatch into an imperfect keylogger, capable of detecting some characters and words, making it easier to guess what a victim is typing.
The researchers also admit, however, that the system they have devised is far from perfect. Right now, this is "not yet a real-world attack," as they wrote in the paper. The main flaw in the system is that it is not able to detect the use of the space bar yet, which hinders its ability to automatically distinguish words. The system also struggles to differentiate between adjacent keys, given their proximity. A person, for example, doesn't need to move his or her hand too much to type an "S" after an "A."
Given that the system is based on guessing dictionary words, it's also not good at detecting passwords made of random characters, the researchers note.
Moreover, given that the watch will only be on one wrist (most likely the left), the system is considerably better at tracking characters typed on the left side of the keyboard.
Yet, the researchers believe their technique can be perfected, and there's potential to make a better tracking system.
"As long as you can detect the space bar you're very, very close," Wang said. "I think it's not an impossible task, but very doable."
Right now, according to the paper, when the user types a word, one time out of three, MoLe will narrow down its guesses to just five words. In 50 percent of cases, it will narrow it down to 24 possible words. Yet despite all the caveats and imperfections, as the researchers put it in the paper, this is just the beginning.