Smartwatches can become tools for spying on their owners, by collecting silent accelerometer and gyroscope signals that – after analysis – could be turned into datasets unique to theowner. These datasets, if misused, allow the user’s activities to be monitored, including the entering of sensitive information. These are the findings of an IT security product firm’s analysis into the impact that the proliferation of IoT can have on thelives of users and their information security.
In recent years, the cyber security industry has shown that private user data is becoming avaluable commodity, due tocriminal uses – fromdigital profiling of cybercriminals’ victims, to market predictions on user behaviour. But while consumer paranoia over personal information misuse is growing, with many turning their attentions to online platforms and data collection methods, other – less obvious – threat sources remain unprotected, says Kaspersky Lab. For instance, to help maintain a healthy lifestyle, many of us use fitness trackers to monitor exercise and sport activities. But this could have dangerous consequences, the IT firm warns.
Smart wearable devices, including smartwatches and fitness trackers, are commonly used in sporting activities, to monitor our health and receive push notifications etc. To carry out their main functions, most of these devices come with acceleration sensors (accelerometers), often combined with rotation sensors (gyroscopes) for step counting and identifying a user’s position. Kaspersky Lab decided to examine what user information these sensors could provide to unauthorised third parties, and took a closer look at several smartwatches from a number of vendors.
The company developed a smartwatch application that recorded signals from built-in accelerometers and gyroscopes. The recorded data was then saved either into the wearable device’s memory or uploaded to the Bluetooth-paired mobile phone. Using mathematical algorithms available to the smart wearable’s computing power, it was possible to identify behavioural patterns, periods of time when and where users were moving, and how long they were doing it. Most importantly, it was possible to identify sensitive user activities, including entering a passphrase on the computer (with accuracy of up to 96 per cent), entering a PIN code at the ATM (approximately 87 per cent) and unlocking the mobile phone (about 64 per cent).
The signal dataset itself is a behavioural pattern unique to the device owner. Using this, a third party could go further and try to identify a user’s identity – either through an email address that was requested at registration stage in the app or via turned on access to Android account credentials. After that, it is just a matter of time until a victim’s detailed information is identified, including their daily routines and moments when they are entering important data. And given the growing price for users’ private data, we could fast find ourselves in a world where third parties monetise this vector.
But even if this exploit is not capitalised on,but used instead by cybercriminals for their own malicious purposes, the possible consequences are limited only by their imagination and technical knowledge. For instance, they could decrypt the received signals using neural networks, waylay victims, or install skimmers at their favorite ATMs. We have already seem how criminals can achieve 80pc accuracy when trying to decrypt accelerometer signals and identify the password or PIN using only the data collected from smartwatch sensors.
David Mole, Head of Sales UKI at Kaspersky Lab, said: “Smart wearables are not just miniature gadgets, they are cyber-physical systems that can record, store and process physical parameters. Our research shows that even very simple algorithms, being run on the smartwatch itself, are able to capture the unique user’s profile of accelerometer and gyroscope signals. These profiles can then be used to deanonymise the user and track his or her activities, including the moments when entering sensitive information. And this can be done via legitimate smartwatch apps that covertly send signal data to third parties.”
