This algorithm steals ATM PINs from wearables

This entry was posted on Monday, July 11th, 2016.

Security researchers at Binghamton University and the Stevens Institute of Technology have successfully combined smartwatch sensor data with an algorithm to crack ATM PINs.

As Megan Scudellari of IEE Spectrum reports, Chen Wang of Binghamton University and Yingying Chen at the Stevens Institute of Technology conducted 5,000 key-entry tests on three different keypads: a detachable ATM pad, a keypad on ATM machine and a QWERTY keyboard.


“Twenty adults performed the tests wearing one of three different devices,” she explained. “The team downloaded sensor data from the tests, which recorded hand movements down to the millimeter. Using an algorithm they called the ‘Backward PIN-sequence Inference Algorithm,’ the team was able to break the codes with alarming accuracy.”

Interestingly, Wang and Chen discovered the most challenging part of the process was eliminating errors that cropped up when attempting to calculate (hand) distance moved based on acceleration. To minimize the margin of error, the research team worked its way backwards; starting with the Enter key and continuing with each preceding key, a process which Scudellari describes as a hacker’s version of connect-the-dots.

“The method does not require an attacker to be anywhere near an ATM or other key-entry pad (such as an electronic door lock or computer keyboard),” she confirmed. “Instead, data can be stolen by either a wireless sniffer placed close to a keypad to capture Bluetooth packets sent by the wearable to a smartphone, or by installing malware on the wearable or smartphone to eavesdrop on the data and send it to the attacker’s server.”

Fortunately, Wang says he is unaware of anyone actually lifting PIN numbers using the above-mentioned method. Nevertheless, the security researcher recommended that manufacturers optimize encryption between the wearable device and host operating system, as well as inject noise so data cannot be exploited to derive fine-grained hand movements.

“Wearable devices can be exploited. Attackers can reproduce the trajectories of the user’s hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers,” Wang explained in a statement quoted by PhysOrg. “The threat is real, although the approach is sophisticated.”

As we’ve previously discussed on Rambus Press, a new paradigm, designed from the ground up to provide secure foundations for wearables and connected IoT devices, is clearly long overdue. To be sure, while a ‘good enough’ approach may have been tolerated for PCs, smartphones and tablets, the industry should be wary of perceiving security as a tertiary concern for the next generation of connected devices and smart sensors.