Could your smartwatch or fitness tracker give hackers a way to see what you type into your computer keyboard, home security system, or ATM? That’s the ominous idea behind a new paper by Tony Beltramelli, a master’s student at the IT University of Copenhagen.
The concept, which Beltramelli calls “deep-spying,” is that malicious parties with access to the gyroscope and accelerometers in a piece of wearable tech could look at the tiny motions your wrist makes as you type, process the data, and emerge with a reasonable guess as to what you wrote—almost as though they were reading your mind.
“A smartwatch is indeed potentially worn for an extended period such as the whole day, offering a pervasive attack surface to cyber-criminals,” wrote Beltramelli. “The implications are therefore significant: exploiting motion sensors for keystrokes inference can happen continuously.”
Beltramelli wrote code that collects motion information from a Sony SmartWatch 3, performs a sophisticated analysis and then guesses what the wearer typed. A short video demo shows the system guessing which numbers a wearer is punching into a 9-digit keypad in almost real-time.
“Dramatically, these observations imply that a cyber-criminal would be able, in theory, to eavesdrop on any device operated by the user while wearing a [wearable],” he wrote.
One practical takeaway, according to Beltramelli? Strap your wearable to your less preferred arm.
Earlier this year, researchers at the University of Illinois at Urbana-Champaign collected information from Samsung Gear Live smartwatches to make alarmingly accurate guesses about what volunteers wearing them had typed.
“While a user is typing at a keyboard, his wrist motion—even if it is ‘micro-motion’—can be used to infer what a user is typing,” said He Wang, a Ph.D. candidate who worked on the Urbana-Champaign research.