Researchers at the University of Massachusetts Lowell have developed a technique for surreptitiously stealing iPad PIN codes, and all it takes is a camera. The one built into Google Glass and Samsung’s Gear Smartwatches are a perfect fit too. The method relies upon a new video recognition algorithm that can estimate where a person is tapping on a touchscreen even if the screen itself is not completely visible.
The software developed by Professor Xinwen Fu and his students follows the shadows from finger taps on the screen, meaning it doesn’t have to have a good view of what is actually on the screen. Using a reference image of the device, the algorithm plots the most likely location of each tap by watching for the quick up and down movements of each tap.
The team tested Google Glass and Samsung’s Gear Smartwatch in particular because they would be very effective at this attack. The victim wouldn’t see you holding up a camera to film the screen, and the video quality from these devices is good enough for a high degree of accuracy. A four-digit PIN was correctly detected by Glass from three meters away 83% of the time, or more than 90% with manual correction of errors. The Gear was about the same.
Of course, it’s not only about wearables. Any video taken from across a room could be plugged into the UMass algorithm. An iPhone 5 was able to figure out the password from three meters away every single time. A $72 Logitech HD webcam was able to see passwords from more than 150 feet away as well.
The team didn’t test more complicated passwords, but based on the accuracy of the algorithm, Fu estimates Glass could be used to detect an eight-character password on the QWERTY keyboard nearly 80% of the time. Swiping passwords by snooping on your screen is nothing new, but the UMass researchers have shown it’s much harder to guard against than we thought. They will be demoing the technique at Black Hat and releasing an Android app that provides a randomized keypad for entering PIN codes.