New ways your smartwatch (and phone) may be spying on you

January 6, 2016 by David Glance, University Of Western Australia, The Conversation
Your smartwatch may be watching. Credit: Pixabay

Tony Beltramelli, a computer science Master's student at the IT University of Copenhagen, has demonstrated that software running on a smartwatch could be used to record a user's passwords and PINs. He did this by reading the smartwatch's motion sensors and analysing the patterns in the sensor data produced when the wearer taps a keypad to enter a PIN.

Although Beltramelli and others assume that the application doing the spying would be installed without the user knowing, it is quite possible that a seemingly legitimate app installed from an app store could be doing the spying. This is because access to the sensors is not seen as a security or privacy risk. Data from the motion sensors is used for controlling aspects of the user interface, and so it would be unreasonable to ask a user's permission to access that data.

How does it work?

Smartwatches like the Apple Watch have two sensors that measure motion: a gyroscope and an accelerometer. Gyroscopes measure the speed and angle of rotation of the watch along three different axes, i.e. how fast the device is spinning in any of three directions. Accelerometers measure the acceleration of the device along the same axes. Using these sensors together, apps on the watch can detect specific movements, for example lifting the watch to look at the face, which on most smartwatches will cause the watch screen to switch on.

Apple themselves use the data from these sensors to detect when wearers are sitting, standing or moving but stop short of providing any more detail than that.

Beltramelli took data from both sensors on a smartwatch and then applied a type of machine learning to teach his software to detect when specific buttons on a numeric pad were being pressed. This required the software to be "trained" during the learning process, to recognise specific movements of the wearer. However, even without the training, the software was reasonably accurate at identifying the buttons being pressed.

Other approaches

This is not the first time that someone has used motion sensors in a mobile device to carry out keylogging. Other researchers have done similar things on smartwatches and mobile phones.

In the case of mobile phones, the sensors can be used to pick up vibrations from a keyboard when the phone is placed on the same surface nearby. Motion sensors can also be used to capture what a user taps onto a screen.

How plausible is this attack?

There are a number of limitations that make this type of approach using a smartwatch impractical as an attack against specific targets. For a start, it only works if the person is using the arm that the watch is on. This may not happen that often as people will tend to use their dominant hand to enter PIN numbers and will wear their watch on their non-dominant wrist.

The other problem is that it is one thing to recognise slow deliberate movements as used by Beltramelli in his research. It is another when trying to decipher the more noisy, but probably more common ways in which people enter their PIN on a keypad. There is also the more obvious problem that a PIN is not terribly useful without the information relating to what it is being used for. In the case of a bank card, the PIN is also unusable without the actual physical card.

What is more concerning, however, is the sophistication with which software and sensors associated with watches and mobile phones can infer what their wearers are doing at any point in time. Motion sensor data, coupled with data from other sensors that measure heart rate, could be used to detect a range of very specific activities without the user being aware.

As a matter of privacy, the amount of information that could be inferred by almost any app developer is potentially enormous. This could range from detecting when someone is working and conversely, not working, to wearers sleeping, or even engaging in more "intimate activities".

In the meantime, however, a Taiwanese company, PVD+, has created a more entertaining use for the motion sensors on the Apple Watch. PVD+'s software allows an Apple Watch wearer to control the flight of a drone using gestures that are similar to how the Jedi use the Force to move objects in Star Wars.
