Cyber-security researchers have shown it is possible to spy on smartwatch users through a disguised app accessing data from the device’s motion sensors.
Called Motion Leaks through Smartwatch Sensors, or MoLe, the experiment conducted by a team from the University of Illinois at Urbana-Champaign pointed to significant vulnerabilities in one of the currently hottest consumer technologies.
Through a dedicated app that could be easily disguised as a pedometer, the researchers were able to guess what the user was typing on the watch based on the response from the motion sensors.
"Sensor data from wearable devices will clearly be a double-edged sword," said Romit Roy Choudhury, associate professor of electrical and computer engineering at the University of Illinois. "While the device's contact to the human body will offer invaluable insights into human health and context, it will also make way for deeper violation into human privacy. The core challenge is in characterising what can or cannot be inferred from sensor data and the MoLe project is one example along this direction."
The eavesdropping app gathers data from accelerometers and gyroscopes within the smartwatch and analyses the micro-motions resulting from typing. The data is subsequently run through a keystroke-detection algorithm, which analyses the timing of each keystroke with regard to the motion it produces. For example, the left wrist moves farther to type a "T" than an "F."
The researchers believe hackers could build similar apps and use them to access emails, search queries and private documents.
"There are a lot of good things that smartwatches can bring to our lives, but there could be bad things," said He Wang, a PhD student in electrical and computer engineering at the University of Illinois. "So if you think from that perspective, if there are any 'bad' things we could do, we can help other people protect their privacy, or at least make them realise there's a potential problem."
The researchers said an easy solution to the problem could be lowering the sample rate of the sensors in the watch from the current 200Hz to less than 15Hz. That means the sensor would make fewer than 15 readings per second, which would make extracting wrist movements extremely difficult.
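The effect of that sample-rate cap can be illustrated with a short simulation. This is an added example, not the researchers' code: it averages a 200Hz stream down to a rate below 15Hz and measures how much of each motion component an app would still receive. The 1Hz arm sway and the 40Hz, 0.1-second keystroke transient are constructed signals chosen for illustration, not measured data.

```python
import math

SRC_HZ = 200  # sensor rate reported in the article
CAP_HZ = 15   # ceiling proposed by the researchers

def limit_rate(samples, src_hz, cap_hz):
    """Average consecutive samples so the delivered rate is at most cap_hz."""
    factor = max(1, math.ceil(src_hz / cap_hz))
    usable = len(samples) - len(samples) % factor
    out = [sum(samples[i:i + factor]) / factor for i in range(0, usable, factor)]
    return out, factor

def energy_kept(samples, src_hz, cap_hz):
    """Fraction of a component's energy that survives the rate limiter."""
    out, factor = limit_rate(samples, src_hz, cap_hz)
    return factor * sum(v * v for v in out) / sum(v * v for v in samples)

def arm_sway(n, src_hz, freq_hz=1.0):
    """Constructed slow wrist movement, the kind a pedometer needs."""
    return [math.sin(2 * math.pi * freq_hz * i / src_hz) for i in range(n)]

def keystroke_bursts(n, src_hz, times_s=(0.30, 0.85, 1.40),
                     freq_hz=40.0, decay_s=0.02, length_s=0.1):
    """Constructed micro-motions: short damped oscillations at assumed key presses."""
    sig = [0.0] * n
    for t0 in times_s:
        start = round(t0 * src_hz)
        for k in range(round(length_s * src_hz)):
            t = k / src_hz
            sig[start + k] += 0.2 * math.exp(-t / decay_s) * math.sin(2 * math.pi * freq_hz * t)
    return sig

def demo():
    n = 2 * SRC_HZ  # two seconds of samples
    sway, keys = arm_sway(n, SRC_HZ), keystroke_bursts(n, SRC_HZ)
    _, factor = limit_rate(sway, SRC_HZ, CAP_HZ)
    # Averaging is linear, so each component can be scored on its own.
    return {
        "delivered_hz": SRC_HZ / factor,
        "sway_kept": energy_kept(sway, SRC_HZ, CAP_HZ),
        "keys_kept": energy_kept(keys, SRC_HZ, CAP_HZ),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

On these constructed inputs the slow movement passes through almost unchanged, while only a small fraction of the keystroke transient's energy reaches the app.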
Although the experiment was carried out using a Samsung Gear smartwatch, the researchers have warned that devices from other manufacturers, such as Apple Watch or Fitbit, are most likely equally vulnerable.
The researchers are currently trying to fine-tune the app to make it more accurate. At present, for example, the app cannot distinguish special characters including numbers, punctuation and symbols.