New ways your smartwatch (and phone) may be spying on you

January 6, 2016 by David Glance, University Of Western Australia, The Conversation
Your smartwatch may be watching. Credit: Pixabay

A computer science Masters student Tony Beltramelli at the IT University of Copenhagen has demonstrated that software running on a smartwatch could be used to record a user's passwords and PINs. He managed this by using the smartwatch's motion sensors and analysing the patterns of data from the sensors when tapping a keypad to enter a PIN.

Although it is assumed by Beltramelli and others that the application doing the spying would be installed without the user knowing, it is quite possible that a seemingly legitimate app installed from the could be doing the spying. This is because access to the sensors is not seen as a security, or privacy risk. Data from the motion sensors is used for controlling aspects of the user interface and so it would be unreasonable to ask a user's permission to access that data.

How does it work?

Smartwatches like the Apple Watch have two sensors that measure motion; a gyroscope and an accelerometer. Gyroscopes measure the speed and angle of rotation of the watch along three different axes i.e. how fast the device is spinning in any of three directions. Accelerometers measure the acceleration of the device along the same axes. Using these sensors together, apps on the watch can detect specific movement, like for example, lifting the watch to look at the face, which on most smartwatches will cause the watch screen to switch on.

Apple themselves use the data from these sensors to detect when wearers are sitting, standing or moving but stop short of providing any more detail than that.

Beltramelli took data from both sensors on a smartwatch and then applied a type of machine learning to teach his software to detect when specific buttons on a numeric pad were being pressed. This required the software to be "trained" during the learning process, to recognise specific movements of the wearer. However, even without the training, the software was reasonably accurate at identifying the buttons being pressed.

Other approaches

This is not the first time that someone has used motion sensors in a mobile device to carry out keylogging. Other researchers have done similar things on smartwatches and mobile phones.

In the case of mobile phones, the sensors can be used to pick up vibrations from a keyboard when the phone is placed on the same surface nearby. Motion sensors can also be used to capture what a user taps onto a screen.

How plausible is this attack?

There are a number of limitations that make this type of approach using a smartwatch impractical as an attack against specific targets. For a start, it only works if the person is using the arm that the watch is on. This may not happen that often as people will tend to use their dominant hand to enter PIN numbers and will wear their watch on their non-dominant wrist.

The other problem is that it is one thing to recognise slow deliberate movements as used by Beltramelli in his research. It is another when trying to decipher the more noisy, but probably more common ways in which people enter their PIN on a keypad. There is also the more obvious problem that a PIN is not terribly useful without the information relating to what it is being used for. In the case of a bank card, the PIN is also unusable without the actual physical card.

What is more concerning however is the sophistication by which software and sensors associated with watches and mobile phones can infer what their wearers are doing at any point in time. Motion sensor data, coupled with data from other sensors that measure heart rate could be used to detect a range of very specific activities with the user being unaware.

As a matter of privacy, the amount of information that could be inferred by almost any app developer is potentially enormous. This could range from detecting when someone is working and conversely, not working, to wearers sleeping, or even engaging in more "intimate activities".

In the meantime however, a Taiwanese company PVD+ has created a more entertaining use for on the Apple Watch. PVD+'s software allows an Apple Watch wearer to control the flight of a drone using gestures that are similar to how the Jedi uses the Force to move objects in Star Wars.

Explore further: Watch out: If you've got a smart watch, hackers could get your data

Related Stories

Dark tattoos daunt Apple Watch

April 30, 2015

Apple aficionados who are also fans of body art are finding out that dark tattoos can daunt the iconic company's hot new smartwatch.

Recommended for you

Robots as tools and partners in rehabilitation

August 17, 2018

In future decades, the need for effective strategies for medical rehabilitation will increase significantly, because patients' rate of survival after diseases with severe functional deficits, such as a stroke, will increase. ...

Security gaps identified in internet protocol IPsec

August 15, 2018

In collaboration with colleagues from Opole University in Poland, researchers at Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum (RUB) have demonstrated that the internet protocol IPsec is vulnerable ...

Researchers find flaw in WhatsApp

August 8, 2018

Researchers at Israeli cybersecurity firm said Wednesday they had found a flaw in WhatsApp that could allow hackers to modify and send fake messages in the popular social messaging app.


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.