The bad news is that someone figured out how to hack your smartwatch. The good news is they're University of Illinois Urbana-Champaign researchers, and they're using their hack to make wearables safer.
Romit Roy Choudhury, an engineering researcher at UIUC, and his team created a homegrown app that could guess which words a smartwatch wearer was typing, using data gathered from the motion sensors in the watch. In theory, they said, a hacker could create a fake fitness app and use it to gather information that a user types on a keyboard.
"[The motion sensors] are not only to track your movement but it can also track your typing," said He Wang, a PhD student in electrical and computer engineering who worked on the project, to Chicago Inno. When it comes to accessing the sensor data, "almost all app developers can do that," he added.
The researchers developed an app that uses the accelerometer and gyroscope in smartwatches to track the typing movements of a smartwatch wearer. They then ran the data through a keystroke detection module that analyzed timing and net 2D displacement of the watch, and matched it up to the location of letters on a keyboard. The researchers tested it on a Samsung Gear smartwatch, but any smartwatch with an accelerometer and gyroscope could be at risk.
"Sensor data from wearable devices will clearly be a double-edged sword,” said Choudhury, an engineering professor at UIUC, to CSL at Illinois. “While the device's contact to the human body will offer invaluable insights into human health and context, it will also make way for deeper violation into human privacy."
One possible solution to the issue is to lower the sensor rate. Currently operating systems log about 200 accelerometer and gyroscope readings per second, but if that is lowered to 15 it would be much harder to track movements, the researchers said.
This isn't the first time smartwatch security has been called into question. This summer, HP released a study that found every major smartwatch on the market had serious security issues, from insufficient user authentication, to lack of encryption protocols, to collecting personal identifying information.
Next up the Illinois researchers are aiming to further develop their app in order to see if it is possible to measure keystrokes more in-depth-- currently they can't register punctuation or numbers. Their goal is to anticipate the ways that hackers could glean data, in order to inform the design of security systems in the future. Wang also sees motion detection issues beyond typing, and he hopes to address these issues as wearables grow more ubiquitous.
"[Hackers] can develop some system that tracks your movement, when you open your door, when you eat your dinner," he said. "They can track every movement exactly...That is something we can research in the future."
For now, they just hope to get the word out that people need to be cautious when working with any nascent tech.
“We would just like to advise people who use the watch to enjoy it, but know that ‘Hey, there’s a threat’,” said Ted Tsung-Te Lai, a post-doctorate researcher on the project, to CSL at Illlinois.
