Your Smartwatch's Motion Sensors Can Reveal Everything You Type (Including Passwords)

You can now add smartwatches to the list of potential ways your private data could be leaked. Tony Beltramelli, a Master's student at the IT University of Copenhagen, has shown that even your wearable could be used to compromise your privacy by tracking your every keystroke.

That's not to say that out of the box your fancy new Apple Watch will leak your every last secret to hackers. What Beltramelli has been able to demonstrate through his Master's thesis project is that the seemingly random motions tracked by a smartwatch's motion sensors can be analysed and used to extract what the wearer might be typing, or inputting on a numerical keypad.

Security experts have often felt that how a user types, the distinct patterns and motions they use as their fingers fly across a keyboard, could be used to help verify their identity as another layer of security to the password they're entering. So even if someone else had that secret phrase, only the real user would be able to properly enter it.

Beltramelli is demonstrating exactly that with his thesis research, but coming at it from a different and more concerning angle. Instead of verifying a user based on their keystrokes, he's using their distinct typing patterns to blindly determine what exactly they're typing. And given that the majority of the world's keyboards are similarly-sized with the exact same alphanumeric layout (PIN pads as well) it's not terribly difficult for an algorithm to take that seemingly random motion data from a smartwatch and figure out what keys are likely being pressed.

Don't throw away your Android Wear watch just yet, because Beltramelli hasn't demonstrated a reliable way to compromise and capture a wearable's motion tracking data. His research was performed with a smartwatch he had full access to. But it's a good reminder to be extremely careful about what apps you're downloading and installing on your phone and wearables, because even seemingly innocuous data could be used against you.

[Cornell University Library via Ubergizmo]