Securing the Digital World

Wearables leaking your passwords? We can solve that.

Jul 19, 2016 | by Kayvan Alikhani |

Recently, I wrote about a newly published white-paper showing the power of wearable devices to help determine if users are who they claim to be, on a continuous basis.

The paper describes a method, which in part relies on correlating a user's gestures and movement on 2 devices in proximity of each other: The user's laptop keyboard, and a wristband wearable device.

If we know what constitutes as normal based on your behavior & hand gestures while you type, we'll know when it's not you who's typing away at the keyboard.

This all leads to good news for both users, and for IT security: Less friction during authentication, and more secure, continuous authentication.

But in order to collect your gestures and hand movements, we'd need to somehow ingest information from the wrist-band wearable, and from the laptop's keyboard.

How would we get such information? Sensor data coming from the wearable device, such as its accelerometers, gyroscopes, and magnetometers can help derive hand-pose-independent distances in between consecutive keystrokes on your laptop's keyboard.

However, as a team from Stevens Institute of Technology recently found (which TechCrunch covered in the article entitled Oops! Wearables can leak your PINs and passwords), in the wrong hands, the same technique can be applied to steal personal information, such as Passwords and Pins. (Check out the TechCrunch article discussing it here) .

Imagine a malicious application is installed on your wrist-band wearable, and you're about to enter your Password or Pin to access an app on your laptop.

Correlating your hand-pose-independent movement data to the actual characters you typed, is possible, especially if the last key entered while typing your password was the "Enter key." Knowing where the Enter key is located in relation to other keys on the keyboard, the malicious app can derive what you've typed for Pin/Password.

In this context, revealing user Password/Pin is just part of the problem. This means ANYTHING you type can potentially be reverse engineered. And oh, by the way, that "keyboard" can be an ATM machine keypad.

Let's back-up a little though, and consider the huge amount of effort it takes for this method to successfully reveal your Password/Pin. Sadly, there are much easier ways to get a user's password. Take your pick: Shoulder-surfing, key-logging, Phishing, Spoofing, looking through published password retrieved from breach du jour, where 100s of millions of passwords were compromised (again), network Sniffing, etc.

It all boils down to the following conclusion:

Use of Passwords, as the primary method of user authentication, is just not a smart idea anymore.

Said differently: The use of ANY single method of authentication to identify users, is no longer a good idea. For example, as I described, solely relying on biometrics has its own problems.

So what's the solution? Continuous Assurance with Multi-factor Authentication (MFA).

Consider the wearable compromise described above, and imagine that after all of that, the malicious app has your password. Now, the hacker tries to log in to a service, using your password, from their device.

Continuous Assurance kicks in:

  • Hacker's device is not a registered device -> Auth fails.
    Hacker spoofs the device registration process too?
  • User needs to be at a known location and the action they're doing needs to be considered normal. Neither are the case -> Auth fails.

Hacker spoofs location, but behavior is not normal?

  • Hacker needs to provide a second Auth factor, such as biometrics or One Time Passwords (OTP). The hacker has neither -> Auth fails.
  • Noticing repeated and failed attempts to log in with your password, Auth fails and access from that device/location/using password is denied. User is asked to change their password.

Can a hacker get through all of this? Yes, it's possible, but it's just not plausible, especially on any large scale.

With proper MFA policies in place, and with sound continuous assurance, your revealed password, while being problematic, doesn't give malicious apps keys to your kingdom.

With or without wearables, there's simply no reason for a modern IT solution, in the year 2016, to not offer at least some form of MFA to all its users.