Your fancy new smartwatch can be hacked to monitor and steal your passwords

Smartwatches’ abilities to pay for our food and monitor our physical activities are only possible thanks to the myriad sensors packed into their tiny metal bodies.

These sophisticated sensors are often trotted out as evidence that smartwatches are the next big thing in mobile technology, but one unintended side effect of their sensitive internals could be the gradual chipping away of your digital privacy.

In his master’s thesis for the IT University of Copenhagen, Tony Beltramelli explains and demonstrates how a person generates information whenever they move their hand while wearing a smartwatch. That information can be analyzed and interpreted as a hand’s motion through physical space and, in some instances, as a hand pressing the keys on a pin pad.

“Wristband and armband devices such as smartwatches and fitness trackers already took an important place in the consumer electronics market and are becoming ubiquitous,” Beltramelli explains. “By their very nature of being wearable, these devices, however, provide a new pervasive attack surface threatening users’ privacy, among others.”

In a video accompanying his thesis, Beltramelli demonstrates how a compromised smartwatch can make sense of which buttons he’s pressing just by sensing the way his hand moves.

The basic principle behind the exploit is similar to the way intelligent keystroke-tracking programs have been shown to recognize individual people based on behavioral biometrics profiles created from their typing habits.

A hand’s movement through space, while slightly different from person to person, could, in theory, be mined for personal credentials and used to make smarter attempts at compromising someone’s logins. The problem is made worse by the fact that the sizes of most keyboards and pin pads are standardized to make people feel more comfortable while using them.

As Gizmodo points out, Beltramelli’s research shouldn’t be immediate cause for alarm. The exploit could only be performed because the researcher has full, deep access to a compromised smartwatch’s internals. Anyone using an Apple or Android watch fresh out of the box should be just fine.

Be warned, though: this is why Google and Apple really insist that you keep sketchy apps from third-party app stores far, far away from your fancy new toys.
