MoLe: a smartwatch side-channel attack that poses no real world threat


Researchers from the University of Illinois have published a paper entitled MoLe: Motion Leaks through Smartwatch Sensors, which, if you believed everything you read online, might lead you to think that anyone with a smartwatch (or fitness band for that matter) is at imminent risk of giving hackers the keys to their data kingdoms.

“Another reason not to get a smartwatch” or “you are at an increased risk of losing your privacy” and “smartwatches and connected fitness gadgets can open the door to hackers” were typical media reactions to the paper.

If you actually read it through rather than just watch the somewhat dumbed down video explanation you will soon realise it’s not quite as straightforward as all that.

Let’s start by looking at the abstract:

“Imagine a user typing on a laptop keyboard while wearing a smart watch. This paper asks whether motion sensors from the watch can leak information about what the user is typing. While it’s not surprising that some information will be leaked, the question is how much?

“We find that when motion signal processing is combined with patterns in English language, the leakage is substantial. Reported results show that when a user types a word ‘W’ it is possible to shortlist a median of 24 words, such that ‘W’ is in this shortlist. When the word is longer than 6 characters, the median shortlist drops to 10. Of course, such leaks happen without requiring any training from the user, and also under the (obvious) condition that the watch is only on the left hand. We believe this is surprising and merits awareness, especially in light of various continuous sensing apps that are emerging in the app market. Moreover, we discover additional “leaks” that can further reduce the shortlist – we leave these exploitations to future work.”

Like most side-channel attacks it is fine in theory, OK in the lab, and pretty poor in the real world scenario.

All of which sounds pretty frightening and just serves to confirm the media reports, right? Well not really. Although, as someone who could best be described as a security geek, I love this kind of research and find it absolutely fascinating, I don’t think that the 25 people who have actually bought a smartwatch need to be asking for a refund just yet.

This type of research falls firmly in the interesting but not that relevant as far as I am concerned, although I should really add a ‘yet’ to the end of that declaration just to cover my back. Why so?

Well, like most side-channel attacks it is fine in theory, OK in the lab, and pretty poor in the real world scenario. For a start the target needs to be wearing a smartwatch (in the research it was a Samsung Gear Live model), then they need to be wearing it on their left hand, and the attacker needs to have got the victim to install the necessary malware app on the watch for good measure. If that wasn’t enough to whittle the target pool down to next to nothing already, there’s more.

The researchers actually admit that some further assumptions make “MoLe inadequate for launching a real life attack” at this point in time, although they also reckon a bit more work might allow the assumptions to be relaxed in time. So what are these additional requirements for the attack to stand any chance of being successful?

Well there’s the big one right at the top which is “The evaluation is performed in a controlled environment where volunteers type one word at a time (as opposed to free-flowing sentences).”

Ah, right. We could stop right there then, couldn’t we, as nobody works like that in the real world. But we won’t, because I’m sure you want to know the rest.

Assumption number two is that the target is typing “valid English words” so any passwords containing interspersed, non-English character-sequences, or any sensibly secure password in other words will not be detectable. Number three is that both attacker and victim are wearing the same watch, although this is mitigated somewhat by an attacker being able to generate a character point cloud (CPC) for different models and use the one most appropriate to the one the target is wearing apparently.

Assumption number four gets back on the ‘whaaaaaat’ track nicely with “We assume the user is seasoned in typing in that he/she roughly uses the appropriate fingers – novice typists who do not abide by basic typing rules may not be subject to our proposed attacks.”

So are smartwatch wearers safe from the bad guys then? Erm, nope, actually.

I type for a living and doubt I type properly as I only use two fingers and my thumbs for the space bar. I can rack up the same sort of speed as a proper typist, so have never bothered to change. Of course, I am not slowly typing one word at a time, but tend to go for the free flowing sentences approach myself so have already foiled the hacker.

I love the idea of being able to tell what someone is typing by monitoring the movements through a wearable with motion sensors, but the reality is that outside of the lab and those almost ridiculous ‘assumptions’ it just ain’t gonna work.

I like the fact that if the victim uses the space bar it causes problems, for example. So are smartwatch wearers safe from the bad guys then? Erm, nope, actually. When Trend Micro did some penetration testing on a range of smartwatches, including the most popular models on the market such as the Apple Watch and the Moto 360, it found that all of them saved data locally allowing the potential for hackers to access that data when the device is out of the range of a paired smartphone.

This data included unread notifications, calendar information, and on the Apple Watch even ticketing data from the Passbook app. The fact that there was no user authentication via password by default on any of the devices just makes them even more insecure.

HP Fortify researchers found that even when authenticated was enabled, 30 per cent were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration. Oh, and although all the tested watches implemented SSL/TLS, some 40 per cent of the cloud connections used by them were vulnerable to the POODLE attack, were using weak ciphers or outdated protocols like SSL v2.

Smartwatches are not secure, that much is a given. However, that the bad guy might be collecting our left-handed, single-worded, properly typed communications in order to reveal extremely weak passwords that could be cracked by my six year old granddaughter is not something I am going to be losing sleep over. Neither should you.