My grad school alma mater, Stevens Institute of Technology, has discovered how your Fitbit or smartwatch could give away your PIN:
Stevens researchers discovered that the motions of your hands as you use PIN pads, which are continually and automatically recorded by your device, can be hacked in real time and used to guess your PIN with more than 90 percent accuracy within a few attempts.
The Stevens team outfitted 20 volunteers with an array of fitness wristbands and smart watches, then asked them to make some 5,000 sample PIN entries on keypads or laptop keyboards while “sniffing” the packets of Bluetooth low energy (BLE) data transmitted by sensors in those devices to paired smartphones.
“There are two kinds of potential attacks here: sniffing attacks and internal attacks,” explains Chen. “An adversary can place a wireless ‘sniffer’ close to a key-based security system and eavesdrop on sensor data from wearable devices. Or, in an internal attack, an adversary accesses sensors in the devices via malware. The malware waits until the victim accesses a key-based security system to collect the sensor data.”
After capturing accelerometer, gyroscope and magnetometer data from the devices and using it to calculate typical distances between and directions of consecutive key entries, Chen’s team developed a backward-inference algorithm to predict four-digit PIN codes.