Google is absolutely right: There’s nothing new about being able to steal somebody’s password by looking over their shoulder as they jab at their gadget.
But give snoopers Superman bionic eyeballs of steel, enhance those bionic eyeballs with a shadow-tracking recognition algorithm, and watch their snooping powers blow past mere mortal barriers of distance to snatch up passcodes with the prowess of, well, let’s say a mouse-stalking hawk on steroids.
Researchers have pretty much done that.
As Wired reports, researchers at the US University of Massachusetts Lowell recently found that they could boost their nosiness capabilities by using video from wearables.
The researchers tested a bunch of devices, including Google Glass, an iPhone 5, a Samsung smartwatch and a webcam.
In addition to using video from the devices, the researchers also juiced up the scenario with their video recognition algorithm, which tracks the shadows cast by finger taps.
Outfitted thusly, the researchers were able to surreptitiously pick up 4-digit PIN codes typed into an iPad from nearly 10 feet away. They did better yet with a high-def camcorder, which they used to grab passcodes from nearly 150 feet away.
What about an 8-digit PIN? That would make the success rate sag just a wee bit, they said, but still we’d be looking at snoopers being able to capture about 73% of passcodes.
The video didn’t even have to show the screen to achieve a startling level of success at deciphering passcodes; the researchers’ software could discern the codes from finger movements alone, without any images of the target devices’ displays.
Video captured by Glass produced a correct four digit PIN from 3 metres away with 83% accuracy, which was hiked up to more than 90% with manual corrections.
The high-definition webcam, meanwhile, was accurate 92% of the time.
As was shown in an illustration, the researchers could point a $700 webcam down from four stories up in a building, target somebody all the way across the street, and peek in on that target sitting on a stoop a whole 44 metres away.
That’s not over-the-shoulder, either – that’s head-on, where a nosy peepster would be able to see shadows cast by typing fingers even on a glare-obscured screen.
As Wired reports, the researchers aren’t pointing any fingers at Glass.
The passcode capture success rates of all the tested devices were quite high, after all.
Rather, they’re pointing a finger at all wearables being risk vectors.
Xinwen Fu, a computer science professor at UMass Lowell who plans to present the findings with his students at Black Hat USA 2014 in August, said that the research shows the risks presented with all sorts of wearables, which make surveillance ever easier:
I think of this as a kind of alert about Google Glass, smartwatches, all these devices. If someone can take a video of you typing on the screen, you lose everything.
Google’s poo-pooed the idea that there’s anything new about spying on somebody to get their passcode.
From a statement Google sent to Wired:
Unfortunately, stealing passwords by watching people as they type them ... is nothing new. ... We designed Glass with privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.
Well, though, is it?
Fu thinks that Glass is actually kind of perfect for spying, face-perched as it is:
Any camera works, but you can’t hold your iPhone over someone to do this. Because Glass is on your head, it’s perfect for this kind of sneaky attack.
If multiple wearable devices or high definition camcorders can do this, it means that the passcode authentication system itself must be changed, and that’s exactly what the UMass researchers are suggesting.
Namely, they’ve built an Android add-on that randomises the layout of a device’s lockscreen keypad.
They’ll release that app, called Privacy Enhancing Keyboard, or PEK, in Google’s Play store and as an Android operating system update at the time of their Black Hat talk.
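To show why a randomised keypad helps, here is an added simulation (not the researchers’ PEK code) of an observer who, like the shadow tracker, sees only where the finger taps and assumes the standard phone layout; the PIN, layout strings and trial counts are constructed for the example, and it assumes the randomised layout itself is not visible on the recording and is reshuffled on every unlock.

```python
# Added example (not the UMass researchers' PEK code): why a per-unlock randomised keypad
# defeats an observer who only sees *where* the finger taps, as the shadow tracker does.
import secrets
from typing import List, Sequence

DIGITS = "0123456789"
# Slot i holds the digit shown at position i; this is the usual phone layout (1..9, then 0).
STANDARD_LAYOUT = "1234567890"


def random_layout() -> str:
    """Fresh permutation of the ten digits via Fisher-Yates driven by a CSPRNG."""
    keys = list(DIGITS)
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)          # unbiased, and not the non-cryptographic random module
        keys[i], keys[j] = keys[j], keys[i]
    return "".join(keys)


def slots_for_pin(layout: str, pin: str) -> List[int]:
    """Key positions the user actually taps: the only thing a finger/shadow tracker sees."""
    return [layout.index(d) for d in pin]


def recover_pin(assumed_layout: str, slots: Sequence[int]) -> str:
    """What an observer concludes from tap positions if they assume `assumed_layout`."""
    return "".join(assumed_layout[s] for s in slots)


def candidates_given_slots(slots: Sequence[int]) -> int:
    """PINs consistent with the observed positions when the layout is unknown: 10*9*8*... over distinct slots."""
    k = len(set(slots))
    count = 1
    for i in range(k):
        count *= 10 - i
    return count


def observer_success_rate(pin: str, trials: int, randomise: bool) -> float:
    """Fraction of unlocks where an observer assuming the standard layout recovers `pin`."""
    hits = 0
    for _ in range(trials):
        layout = random_layout() if randomise else STANDARD_LAYOUT
        if recover_pin(STANDARD_LAYOUT, slots_for_pin(layout, pin)) == pin:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(observer_success_rate("2580", 1000, randomise=False))   # constructed PIN; fixed layout -> 1.0
    print(observer_success_rate("2580", 1000, randomise=True))    # randomised layout -> close to 0
    print(candidates_given_slots(slots_for_pin(STANDARD_LAYOUT, "2580")))  # 5040 PINs fit the taps
```

Note that the benefit evaporates if the layout is reused across unlocks or the camera can read the on-screen digits, which is why a wearable with a head-on view of the display remains a concern even with PEK.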
After all, Fu says, we can’t (alas!) stop people from videotaping us:
You can’t prevent people from taking videos. But for the research community, we need to think about how we design our authentication in a better way.
Indeed – it’s probably far more productive to use design so as to make people’s gadget-/software-enhanced eyeballs cross in frustration, rather than try to get them to stop pointing their recording devices our way!
Image of tablet courtesy of Shutterstock.
“Namely, they’ve built an Android add-on that randomises the layout of a device’s lockscreen keypad.”
An “obvious” enhancement – but I remember my PIN by the pattern on the keypad – randomise that keypad and I might be stuffed!
We have, though, never really worried about shops having CCTV covering their till areas (and consequently chip and pin keypads). Perhaps we should. I already get funny looks as I cover the keypad with one hand and then with the other hand fake tap a few characters before tapping my pin pattern followed by a few more fake taps. Perhaps I shall prove not to be so paranoid – certainly the one time I had a card compromised it was a real pain (a cancelled card just before Christmas!).
My Cyanogenmod-based Android build has had a “randomise keypad for PIN” option for…errr, quite some time, as far as I’m aware. Like you, I use the pattern of my (very long) PIN to help me type it quickly and fluidly, so the random order is worthless to me. (As an aside, Cyanogenmod also makes it easy to have a PIN for the lockscreen but a full QWERTY password for the device encryption.)
CCTV is definitely something to be wary of, not least because the cameras may be hard to spot, and are often directly above you, thus giving a clear view of the device, keypad and screen.
My advice for ATMs and EFTPOS terminals is: examine the keypad to ensure there isn’t a fake one on top of the real one; be aware of who’s nearby – look around without any sense of embarrassment; cover your typing hand completely with your other hand (or magazine, bag, etc.). Most keypads have a small bump in the middle of the [5] key to help you get your bearings.
Like you, I also make bogus finger movements to confuse shoulder surfers, though a video that shows the keypad and the display will probably undo that trick as a character (usually “*”) appears every time you actually hit a character.
Also…I wouldn’t use a 4-digit PIN for a mobile device. There’s no need. Androids let you have up to 17 digits. (Go for 10 or more and you have the handy side-effect that you can arrange to press each key at least once, which makes your greasespots into less of a hint.)
As for the student’s extrapolation from 80% success with 4-digit PINs to 70% success for 8-character QWERTYs…I’m sceptical.
I’d be much more worried about them getting PIN codes from people using ATMs or chip-and-PIN payment machines.
What about BlackBerry’s picture password? I have let people watch me use it 10 times in a row and they still can’t get in!
Recording studios have red and green lights to indicate whether recording is in progress or not. I suggest that Google Glass has a similar permanent, non-hackable feature: When it’s not recording data or video it glows a subtle green, but when it’s recording it has a red light sweeping from side to side like a Cylon.