Users of smartwatches and other wearables have been warned that the data they transmit could be used to build 'behavioural profiles' of them, identifying who they are and even their credit card PINs.
Smartwatches and other wearables could be used to spy on their owners by collecting accelerometer and gyroscope signals that, after analysis, could be turned into datasets unique to the smartwatch owner, security software company Kaspersky warns. These datasets, if misused, enable the user's activities to be monitored, including the entering of sensitive information.
Using mathematical algorithms available to the wearable's built-in compute power, Kaspersky claims that it is possible to identify behavioural patterns, periods of time when - and where - users are moving, and for how long.
It was also possible to identify sensitive user activities, including entering a passphrase on the computer with an accuracy of up to 96 per cent, entering a PIN code at the ATM (approximately 87 per cent) and unlocking a mobile phone (approximately 64 per cent).
The signal dataset itself is a behavioural pattern unique to the device owner, the researchers added. Using this, a third party could try to work out a user's identity, either through an email address that is requested at the registration stage in the app or via turned-on access to Android account credentials.
After that, it would be possible to glean precise information about the user, including their daily routines and moments when they are entering important data. And given the growing price for users' private data, Kaspersky suggests, third parties could potentially monetise this attack vector.
Kaspersky claims that the warnings apply to both smartwatches and other wearable devices, particularly fitness trackers.
"To carry out their main functions, most of these devices are equipped with built-in acceleration sensors (accelerometers), which are often combined with rotation sensors (gyroscopes) for step counting and identifying the user's current position.
"Kaspersky Lab experts decided to examine what user information these sensors could provide to unauthorised third parties, and took a closer look at several smartwatches from a number of vendors," the company claimed.
Its research centred on the outputs of the built-in accelerometer and gyroscopes, which can determine the walking patterns of users, as well as the type of transport the wearer is using should they take a car, bus or train, with a high degree of accuracy.
More than that, though, they claim that the read-outs from the accelerometer can be used to capture a PIN being entered at, for example, a cash machine.
In a blog explaining the research, Kaspersky security researchers Sergey Lurye and Boris Stepanov wrote: "It's not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, [a] section of the 'accelerometer log' gives away certain information. For example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad.
"With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80 per cent (according to colleagues from Stevens Institute of Technology).
"The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding."