Is your fitness tracker tracking you? Kaspersky security warning over smart watch and wearables' 'behavioural profiling'

Wearables' accelerometer and gyroscope signals can be used to identify individual users, claims Kaspersky

Kaspersky has warned the users of smart watches and other wearables to beware of ‘behavioural profiling' by the applications on the devices, which can effectively be used to individually identify and spy on them.

Smartwatches could potentially be used to spy on their owners, the security software company warns, by collecting silent accelerometer and gyroscope signals that, after analysis, could be turned into datasets unique to the smartwatch owner. These datasets, if misused, enable the user's activities to be monitored, including the entering of sensitive information.

Using mathematical algorithms available to the wearable's built-in compute power, Kaspersky claims that it is possible to identify behavioural patterns, periods of time when - and where - users are moving, and for how long.

The signal dataset itself is a behavioural pattern unique to the device owner

It was also possible to identify sensitive user activities, including entering a passphrase on the computer with an accuracy of up to 96 per cent, entering a PIN code at the ATM (approximately 87 per cent) and unlocking a mobile phone (approximately 64 per cent).

The signal dataset itself is a behavioural pattern unique to the device owner, the researchers added. Using this, a third party could try to work out a user's identity, either through an email address that requested at registration stage in the app or via turned-on access to Android account credentials.

After that, it would be possible to glean precise information about the user, including their daily routines and moments when they are entering important data. And given the growing price for users' private data, Kaspersky suggests, third parties could potentially monetise this attack vector.

Kaspersky claims that the warnings apply to both smart watches and other wearable devices, particularly fitness trackers.

"To carry out their main functions, most of these devices are equipped with built-in acceleration sensors (accelerometers), which are often combined with rotation sensors (gyroscopes) for step counting and identifying the user's current position.

A third party could try to work out a user's identity, either through an email address that requested at registration stage in the app or via turned-on access to Android account credentials

"Kaspersky Lab experts decided to examine what user information these sensors could provide to unauthorised third parties, and took a closer look at several smartwatches from a number of vendors," the company claimed.

Its research centred on the outputs of the built-in accelerometer and gyroscopes, which can determine the walking patterns of users, as well as the type of transport the wearer is using should they take a car, bus or train, with a high degree of accuracy.

More than that, though, they claim that the read-outs from the accelerometer can be used to capture a PIN being entered at, for example, a cash machine.

In a blog explaining the research, Kaspersky security researchers Sergey Lurye and Boris Stepanov, wrote: "It's not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, [a] section of the ‘accelerometer log' gives away certain information. For example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad.

"With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80 per cent (according to colleagues from Stevens Institute of Technology).

"The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding."