By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    What is a rootkit and how to remove it
    8 months ago
    The Mask – Unveiling the World’s Most Sophisticated APT Campaign
    8 months ago
    Regin APT Attacks Among the Most Sophisticated Ever Analyzed
    8 months ago
    Latest News
    Safeguards against firmware signed with stolen MSI keys
    2 days ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    2 days ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
    1 week ago
    Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign
    1 week ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    For 0-day vulnerabilities in Windows, temporary patches
    8 months ago
    Windows 11 22H2 (build 22621.317) outs in the Release Preview Channel
    8 months ago
    How to avoid problems installing Windows 11 22H2
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    What is two-factor authentication | Kaspersky official blog
    3 days ago
    Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
    5 days ago
    NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
    5 days ago
    How Oxy uses hooks for maximum extensibility
    How Oxy uses hooks for maximum extensibility
    6 days ago
    The personal threat landscape: securing yourself smartly
    6 days ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    Amazing free and open-source program for screenshot or record any area of your screen ShareX.
    8 months ago
    Popular Convert Plus Plugin Vulnerability Exploit
    8 months ago
    Windows 11 to boost game load times with DirectStorage 1.1 GPU decompression
    8 months ago
    Latest News
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    3 days ago
    How to enable Taskbar End Task option to close apps on Windows 11
    3 days ago
    How to check USB4 devices specs from Settings on Windows 11
    3 days ago
    How to enable new header UI for File Explorer on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: Experiment: How easy is it to spy on a smartwatch wearer?
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
Threats

Experiment: How easy is it to spy on a smartwatch wearer?

Tom Grant
Last updated: 13 October
Tom Grant 8 months ago
Share
7 Min Read

Can a smartwatch be used to spy on its owner? Sure, and we already know lots of ways. But here’s another: A spying app installed on a smartphone can send data from the built-in motion sensors (namely, accelerometer and gyroscope) to a remote server, and that data can be used to piece together the wearer’s actions — walking, sitting, typing, and so on.

Contents
Experiment: Can smartwatch movements reveal a password?It could be worseWho should worry about smartwatches?

How extensive is the threat in practice, and what data can really be siphoned off? We decided to investigate.

Experiment: Can smartwatch movements reveal a password?

We started with an Android-based smartwatch, wrote a no-frills app to process and transmit accelerometer data, and analyzed what we could get from this data. For more details, see our full report.

The data can indeed be used to work out if the wearer is walking or sitting. Moreover, it’s possible to dig deeper and figure out if the person is out for a stroll or changing subway trains — the accelerometer patterns differ slightly; that’s also how fitness trackers differentiate between, say, walking and cycling.

It’s also easy to see when a person is typing on a computer. But working out what they are typing is way more complex. Everyone has a specific way of typing: the ten-finger method, the one- or two-digit keyboard stab, or something in-between. Basically, different people typing the same phrase can produce very different accelerometer signals — although one person entering a password several times in a row will produce pretty similar graphs.

So, a neural network trained to recognize how a particular individual enters text could make out what that person types. And if this neural network happens to be schooled in your particular way of typing, the accelerometer data from the smartwatch on your wrist could be used to recognize a password based on your hand movements.

However, the training process would require the neural network to track you for quite a long time. The processors in modern portable gadgets are not powerful enough to run a neural network directly, so the data has to be sent to a server.

And therein lies trouble for a would-be spy: The constant upload of accelerometer readings consumes a fair bit of Internet traffic and zaps the smartwatch battery in a matter of hours (six, to be precise, in our case). Both of those telltale signs are easy to spot, alerting the wearer that something is wrong. Both, however, are easily minimized by scooping up data selectively, for example when the target arrives at work, a likely time for password entry.

In short, your smartwatch can be used to identify what you’re typing. But it’s hard, and accurate recovery relies on repeat text entry. In our experiment, we were able to recover a computer password with 96% accuracy and a PIN code entered at an ATM with 87% accuracy.

It could be worse

For cybercriminals, however, such data is not all that useful. To use it, they’d still need access to your computer or credit card. The task of determining a card number or CVC code is way trickier.

Here’s why. On returning to the workplace, first thing the smartwatch owner types is almost certainly a password to unlock their computer. That is, the accelerometer graph indicates first walking, then typing. Based on data obtained just for this brief period, it’s possible to recover the password.

But the person won’t enter a credit card number as soon as they sit down — or get up and walk away immediately after entering that data. What’s more, no one will ever enter this information several times in short succession.

To steal data-entry information from a smartwatch, attackers need predictable activity followed by data entered several times. The latter part, incidentally, is yet another reason not to use the same password for different services.

Who should worry about smartwatches?

Our research has shown that data obtained from a smartwatch acceleration sensor can be used to recover information about the wearer: movements, habits, some typed information (for example, a laptop password).

Infecting a smartwatch with data-siphoning malware that lets cybercriminals recover this information is quite straightforward. They just need to create an app (say, a trendy clockface or fitness tracker), add a function to read accelerometer data, and upload it to Google Play. In theory, such an app will pass the malware screening, since there is nothing outwardly malicious in what it does.

Should you worry about being spied on by someone using this technique? Only if that someone has a strong motivation to spy on you, specifically. The average cybercrook is after easy pickings and won’t have much to gain.

But if your computer password or route to the office is of value to someone, a smartwatch is a viable tracking tool. In this case, our advice is:

  • Take note if your smartwatch is overly traffic-hungry or the battery drains quickly.
  • Don’t give apps too many permissions. In particular, watch out for apps that want to retrieve account info and geographical coordinates. Without this data, intruders will struggle to ascertain that it’s your smartwatch they’ve infected.
  • Install a security solution on your smartphone that can help detect spyware before it starts spying.

Source: kaspersky.com

Translate this article

TAGGED: Google Play, Malware, Security, SQL injection, Threat, Threats, YouTube
Tom Grant October 13, 2022 October 7, 2022
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

Safeguards against firmware signed with stolen MSI keys
Threats 2 days ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats 2 days ago
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
News 3 days ago
How to enable Taskbar End Task option to close apps on Windows 11
News 3 days ago
How to check USB4 devices specs from Settings on Windows 11
News 3 days ago

Recent Posts

  • Safeguards against firmware signed with stolen MSI keys
  • WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
  • How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
  • How to enable Taskbar End Task option to close apps on Windows 11
  • How to check USB4 devices specs from Settings on Windows 11

You Might Also Like

Threats

Safeguards against firmware signed with stolen MSI keys

2 days ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

2 days ago
News

How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11

3 days ago
How To

What is two-factor authentication | Kaspersky official blog

3 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

What is two-factor authentication | Kaspersky official blog
Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
How Oxy uses hooks for maximum extensibility
The personal threat landscape: securing yourself smartly
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
Previous Next
Hot News
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
How to enable Taskbar End Task option to close apps on Windows 11
How to check USB4 devices specs from Settings on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?