Harnessing smart wearables to spy on owners
Smart watches can be used as tools for spying on their owners by collecting silent accelerometer and gyroscope signals that, after analysis, could be turned into datasets unique to the owner.
If misused, these datasets allow for the monitoring of the wearer's activities, and any sensitive data they enter.
This was revealed by Kaspersky Lab researchers during their analysis of the impact that the proliferation of IoT can have on the lives of users.
According to the company, recent years have shown that private user data has become a valuable commodity, due to its almost limitless criminal uses, ranging from the digital profiling of potential targets, to market predictions on user behaviour.
And as the industry focuses its attention on online platforms and data collection methods, less obvious threat sources remain unprotected, such as fitness trackers used to monitor exercise and sport activities. "But this could have dangerous consequences."
Smart wearable devices and fitness trackers are fitted with built-in acceleration sensors called accelerometers, which are often combined with rotation sensors or gyroscopes for step counting, and identifying the wearer's current position.
In order to scrutinise the information these sensors could provide to unauthorised third parties, the company's researchers developed a simple smart watch application that records signals from built-in accelerometers and gyroscopes. This data was then saved either into the wearable device's memory or uploaded to the Bluetooth-paired mobile phone.
By applying mathematical algorithms that the smart wearable's own computing power can run, it was possible to identify behavioural patterns, periods of time when and where users were moving, and how long they were doing it. In addition, the company was able to identify sensitive user activities, including entering a passphrase on the computer (with accuracy of up to 96%), entering a PIN code at the ATM (approximately 87%) and unlocking the mobile phone (approximately 64%).
The company says the signal dataset itself is a behavioural pattern unique to the device owner. "Using this, a third party could go further and try to identify a user's identity, either through an e-mail address that was requested at registration stage in the app or via turned-on access to Android account credentials."
After that, the researchers said it is just a matter of time until a victim's detailed information is identified, including their daily routines and moments when they are entering important data. "And given the growing price for users' private data, we could fast find ourselves in a world where third parties monetise this vector."
Kaspersky Lab says the consequences, should cyber criminals exploit this, could be severe, as they are limited only by their imagination and level of technical knowledge. For example, they could decrypt the received signals using neural networks, waylay victims, or install skimmers at their favourite ATMs.
Sergey Lurye, co-author of the research at Kaspersky Lab, says smart wearables are not just miniature gadgets; they are cyber-physical systems that can record, store and process physical parameters.
"Our research shows that even very simple algorithms, being run on the smart watch itself, are able to capture the unique user's profile of accelerometer and gyroscope signals. These profiles can then be used to de-anonymise the user and track his or her activities, including the moments when entering sensitive information. And this can be done via legitimate smart watch apps that covertly send signal data to third parties."