If you’re in a coffee shop and you notice a man a few tables away enjoying his beverage and logging into his iPad, can you steal his PIN? The answer used to depend on whether or not you could see his screen. Thanks to new gadgets like Google Glass or smart watches, it doesn’t matter if there is glare or he’s too far away.
Researchers at the University of Massachusetts Lowell have discovered that they can use wearable technology such as Google Glass or Samsung smart watches to steal four-digit PIN codes from up to 10 feet away, or from 150 feet with a high-definition camera! They created a custom-coded video recognition algorithm that tracks the shadows from fingertips, which means the devices they used for recording didn’t even have to capture actual screen images to crack the PINs.
Xinwen Fu, a computer science professor at the university, plans to present his findings at a Black Hat security conference. He was quoted as saying, “I view this as a kind of warning about Google Glass and other wearable technology.” He also commented that “If someone can take a video of you typing on your screen then you can lose everything.”
Xinwen Fu’s students tested various devices with video capability, including an iPhone 5 and a Logitech webcam. Glass was able to capture four-digit PINs from 3 meters away with around 83 percent accuracy, and 90 percent accuracy with a little manual error correction. The Samsung smart watch captured the code about as well as Glass did. The iPhone 5 and Logitech cameras fared much better with their sharper images, capturing the code 100 percent and 92 percent of the time respectively.
Some may argue that hackers have been able to carry out these automated over-the-shoulder password attacks for some time now. Fu notes, however, that “these older techniques had to see the screen which is often impossible from a distance or indirect angles.” The UMass PIN-capturing process, which uses the researchers’ custom-designed algorithm, was able to steal these passcodes even when the display was unreadable, as is the case at indirect angles or from a distance.
Their software is able to do this because it understands the iPad’s geometry and the position of the user’s fingers, and works from a reference image of the device. It looks for abrupt up and down movements of dark crevices, which represent the shadows of a finger on the display.
The researchers did not test longer passwords, but after some educated estimates they believe their method could detect 8-digit passwords on the iPad’s QWERTY keyboard.
Holding your iPhone over someone’s head to steal their PIN is quite obvious, but because Glass is worn on the user’s face, recording becomes much harder to notice, which makes an attack of this type easier. Google, which has been on the defensive when it comes to Glass’s privacy concerns, stated that “because the screen on Google Glass lights up when activated that it makes people aware of Glass’s use.”
The problem doesn’t lie just with Glass, though, as was shown with high-definition cameras and other devices. The problem is with the PIN system itself; we just need to be more discreet when entering sensitive information.