Google is absolutely right: There’s nothing new about being able to steal somebody’s password by looking over their shoulder as they jab at their gadget.
But give snoopers Superman bionic eyeballs of steel, enhance those bionic eyeballs with a shadow-tracking recognition algorithm, and watch their snooping powers blow past mere mortal barriers of distance to snatch up passcodes with the prowess of, well, let’s say a mouse-stalking hawk on steroids.
Researchers have pretty much done that.
As Wired reports, researchers at the US University of Massachusetts Lowell recently found that they could boost their nosiness capabilities by using video from wearables.
The researchers tested a bunch of devices, including Google Glass, an iPhone 5, a Samsung smartwatch and a webcam.
In addition to using video from the devices, the researchers also juiced up the scenario with their video recognition algorithm, which tracks the shadows cast by finger taps.
Outfitted thusly, the researchers were able to surreptitiously pick up 4-digit PIN codes typed into an iPad from nearly 10 feet away. Better yet with a high-def camcorder, which they used to grab passcodes from nearly 150 feet away.
What about an 8-digit PIN? That would make the success rate sag just a wee bit, they said, but still we’d be looking at snoopers being able to capture about 73% of passcodes.
The video didn’t even have to capture images to achieve a startling level of success at deciphering passcodes; the researchers’ software could actually discern the codes even without images of the target devices’ displays.
Video captured by Glass produced a correct four-digit PIN from 3 metres away with 83% accuracy, which was hiked up to more than 90% with manual corrections.
The high-definition webcam, meanwhile, was accurate 92% of the time.
As was shown in an illustration, the researchers could point a $700 webcam down from four stories up in a building, target somebody all the way across the street, and peek in on that target sitting on a stoop a whole 44 metres away.
That’s not over-the-shoulder, either – that’s head-on, where a nosey peepster would be able to see shadows cast by typing fingers even on a glare-obscured screen.
As Wired reports, the researchers aren’t pointing any fingers at Glass.
The passcode capture success rates of all the tested devices were quite high, after all.
Rather, they’re pointing a finger at all wearables being risk vectors.
Xinwen Fu, a computer science professor at UMass Lowell who plans to present the findings with his students at Black Hat USA 2014 in August, said that the research shows the risks presented with all sorts of wearables, which make surveillance ever easier:
I think of this as a kind of alert about Google Glass, smartwatches, all these devices. If someone can take a video of you typing on the screen, you lose everything.
Google’s poo-pooed the idea that there’s anything new about spying on somebody to get their passcode.
From a statement Google sent to Wired:
Unfortunately, stealing passwords by watching people as they type them ... is nothing new. ... We designed Glass with privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.
Well, though, is it?
Fu thinks that Glass is actually kind of perfect for spying, face-perched as it is:
Any camera works, but you can’t hold your iPhone over someone to do this. Because Glass is on your head, it’s perfect for this kind of sneaky attack.
If multiple wearable devices or high definition camcorders can do this, it means that the passcode authentication system itself must be changed, and that’s exactly what the UMass researchers are suggesting.
Namely, they’ve built an Android add-on that randomises the layout of a device’s lockscreen keypad.
They’ll release that app, called Privacy Enhancing Keyboard, or PEK, in Google’s Play store and as an Android operating system update at the time of their Black Hat talk.
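To show why a randomised keypad blunts shadow-based snooping, here is a small simulation (an added example, not the UMass researchers’ PEK code): the observer sees only which keypad positions were tapped and maps them back assuming the standard layout, so a fresh per-unlock shuffle leaves the tap sequence meaningless. The keypad order, the observer model and the hypothetical PIN are all assumptions made for the illustration.

```python
import secrets

# Standard phone-style keypad order by position 0..9 (assumed layout for the illustration).
KEYPAD_FIXED = list("1234567890")


def randomized_layout():
    """Return a fresh digit order for the ten keypad positions, shuffled with the OS CSPRNG."""
    digits = list(KEYPAD_FIXED)
    secrets.SystemRandom().shuffle(digits)
    return digits


def positions_for_pin(pin, layout):
    """Keypad positions the user taps to enter `pin` under `layout`.

    This is what a shadow-tracking observer recovers: positions, not digits.
    """
    return [layout.index(d) for d in pin]


def observer_guess(positions):
    """Snooper maps observed tap positions back to digits assuming the fixed layout."""
    return "".join(KEYPAD_FIXED[p] for p in positions)


def snoop_success_rate(pin, randomize, trials=1000):
    """Fraction of unlocks where position-only observation yields the correct PIN."""
    hits = 0
    for _ in range(trials):
        layout = randomized_layout() if randomize else KEYPAD_FIXED
        if observer_guess(positions_for_pin(pin, layout)) == pin:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "7391"  # constructed sample PIN
    print("fixed layout   :", snoop_success_rate(pin, randomize=False))
    print("random layout  :", snoop_success_rate(pin, randomize=True))
```

The randomised layout only helps when the snooper cannot read the keypad itself off the display; the page notes the researchers’ software recovered codes without images of the screen, which is exactly the case this defeats.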
After all, Fu says, we can’t (alas!) stop people from videotaping us:
You can’t prevent people from taking videos. But for the research community, we need to think about how we design our authentication in a better way.
Indeed – it’s probably far more productive to use design so as to make people’s gadget-/software-enhanced eyeballs cross in frustration, rather than try to get them to stop pointing their recording devices our way!