In the paper, a team of researchers from the Stevens Institute of Technology and Binghamton University describe a deceptively straightforward method that can reportedly guess your password with about 80 percent accuracy on the first attempt. Although the paper doesn't name specific devices that are vulnerable, it does note that many record your hand's movements with enough detail to precisely identify keypresses.
"The team was able to record millimeter-level information of fine-grained hand movements from accelerometers, gyroscopes and magnetometers inside the wearable technologies regardless of a hand's pose," Phys.org reports. While the data alone won't tell an attacker you're using your birthday as your PIN, the researchers built their own algorithm that can decipher the motion data even if they don't know anything about the keypad you're poking at. What's more: an attacker can get this data either by using malware installed directly on the device or remotely by eavesdropping on the Bluetooth connection that sends the data to your smartphone.
As for a solution, the research team suggests developers should obfuscate sensitive data by introducing "a certain type of noise data" that would allow it to still be used for fitness tracking, but not keystroke-guessing. Or, you could always take a low-tech approach and remember to enter your passwords with the hand that isn't wearing a highly sophisticated motion tracking device.