How Google Glass Snoops Steal Your Passcode

Researchers are refining the techniques of surreptitiously videoing people as they type in their passwords.

Other hackers have shown it's possible to perform automated over-the-shoulder password stealing. But Fu notes that older video tools had to actually see the display, which often is impossible from a distance or from indirect angles. (See UMass's PIN-capturing footage taken by Glass in the GIF below.) His team's video recognition software can spot passcodes even when the screen is unreadable, based on its understanding of an iPad's geometry and the position of the user's fingers. It maps its image of the angled iPad onto a "reference" image of the device, then looks for the abrupt down and up movements of the dark crescents that represent the fingers' shadows.

Slashdot thread.

Posted on July 10, 2014 at 2:25 PM • 21 Comments

Comments

clownroyalJuly 10, 2014 2:43 PM

Certainly. But is anyone really surprised? Before the white-hats began reporting on this, the black-hats were probably doing it from day zero.

x11794AJuly 10, 2014 3:15 PM

This doesn't seem particularly specific to Glass or other HUDs. If you want to record people surreptitiously, having a big conspicuous camera on your face is probably not the best way to do it.

HulioJuly 10, 2014 7:03 PM

@Anura "Randomize the keypad."


A reasonable proposal. Wonder why it isn't already default. Ubiquitous surveillance is awfully similar to sewage; it's everywhere, but nobody wants to be reminded of it.

ThothJuly 10, 2014 9:46 PM

Critical work (accessing personal or critical systems and logins) should not be done in the public because anyone can shoulder surf and other anti-security measures which are hard to defend against.

If you are unlocking a phone, position your phone so your body covers much of the screen and only you can see the screen to key in your password or your android pattern so that no shoulder surfing or watch cameras would be effective in catching your unlock patterns or passwords.

Randomizing blinking keyboards where the keys appear and disappear for a split millisecond to prevent screenshots but undetectable to human eyes would be a useful feature. This sort of keyboards require some graphics processing but it's not going to be a big resource sink.

A stupid thing would be for knee-jerk reactions to require firearms permits to carry these type of gadgets though maybe a bad idea but it smells like it may come soon.


SteeeveJuly 10, 2014 11:10 PM

I think with a nice enough camera you can figure out the pin combination for a tumbler lock too.

If I trusted SIM cards I would suggest solutions like google wallet.

ImdadJuly 11, 2014 12:17 AM

Randomizing key position is an very interesting technique but it will probably lower the speed of typing. Anybody aware of such apps in iOS and Android?
Am unable to find one :(

AnuraJuly 11, 2014 3:08 AM

@Imdad

I know of none, but as for the typing speed there is something you can do to speed it up: different colored buttons. Numbers have to be read, but colors should make it a lot quicker to spot. Shapes might work as well, especially for color-blind people. I say combine them both, and let people customize the color scheme and what shapes go with what numbers (but still write the numbers on them).

I would do it myself, but I haven't done Android development before, and I hate GUI development in general - plus I have a tendency not to finish what I start.

PetterJuly 11, 2014 3:11 AM

@Anura

For 20 odd years ago there were a keypad for entrance security which used randomised positions for the numbers on the keypad.
If I remember correctly the screen was a glass covered greyscale LCD display with some kind of protection for over the shoulder or bystanders on the side.

It was a clever idea ideed but I never saw it in the real, only in a security paper ad.

JeffHJuly 11, 2014 3:36 AM

I think the more interesting aspect of the piece is the technology coupled with range of surveillance. For example, they mention that a good zoom camcorder can capture your login using this technique at 44 metres i.e. from across the street.

I also wonder whether this technique is applicable more generally; this is being used to capture keystrokes for login - could it do more general typing (mobile devices' keypads are usually in the same place)? Who needs electronic surveillance of devices if you can see the user's fingers and extrapolate?

We're probably a long way off ubiquitous CCTV of high enough quality that the mere act of walking down the street tapping away can be picked up, but it wouldn't surprise me if someone's looking into it.

bhJuly 11, 2014 3:56 AM

@Anura et al: Here in France, I've noticed bank and ISP websites that have randomized on-screen keypads for certain (numeric) fields.

PranavJuly 11, 2014 4:23 AM

As regards randomizing keys, how would users of assistive technologies such as screen readers handle them? It would be a very slow process. Hmm, time for using multiple authentication schemes.

AlanJuly 11, 2014 9:35 AM

Until the next version, iOS wouldn't allow non-Apple keyboards, and even then it might not allow them for logging on. (For security, that's a good thing, right?)

Android, well, pretty much anything goes.

Windows Phone does not allow third-party keyboards, but the built-in keyboard is pretty neat, still no randomization.

ImdadJuly 11, 2014 7:51 PM

This also raises another big question. Well on your phone with real keys you cannot randomize the keys also big chances of government capturing and analyzing it in-order to spy on you. Or there could even be a NSA Program written specially for this purpose. In this case we could not actually do anything. Because we actually don't know where does the CCTV Camera has been installed. Incase of virtual keyboard and concerning speed. If keys are randomized your speed will lower down which will give more time for the application to capture the new key pattern and later it can easily match with finger touch.

xknx3jnf3kjJuly 11, 2014 10:31 PM

Pretty much anything can do this with anything if you want to make a geometry database and code the algorithms for symmetry matching based on states of the camera..

Wait till people correlate electronic noise with video symmetry recognition. You can intercept anything then, given it has shotty design like RSA dongles, most access control units, POSi units etc..

People are already doing this with video signals and RF leakage successfully..

BTW their solution breaks with irregular symmetry or movement..

Keith HussJuly 13, 2014 5:25 PM

All the more reason to use Touch ID. Apple will allow third party applications to authenticate with Touch ID in iOS 8

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.