Looking over a nearby person's shoulder is a common technique used to steal a PIN code for a device that is targeted for imminent theft. But as reported by Wired, a research team from the University of Massachusetts Lowell has taken this shoulder surfing trick to a whole new level by increasing the working distance and automating the process using Google Glass and other similar camera-equipped, mobile products.
The UMass Lowell researchers improved passcode theft by analyzing video captured from wearable and mobile devices such as Google Glass, the Samsung Gear smartwatch and the iPhone. The system anlyzes the incoming video using a custom video recognition algorithm that detects the shadows from finger taps and uses that information to predict PINs codes. Unlike the standard over-the-shoulder method that requires a direct view of the target device's display, the UMass method also can be employed at an indirect angle, allowing someone to steal a password while standing at your side.
(Image from Cyber Forensics Laboratory at University of Massachusetts Lowell)
The system is surprisingly accurate -- allowing a malicious user to capture PIN codes inconspicuously with at least 83 percent accuracy from a distance as far as three meters. This accuracy was improved to more than 90 percent when a sharper camera such as the iPhone was used or manual error correction by the researchers was added to the video analysis.
“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Xinwen Fu, a computer science professor at UMass Lowell who plans to present the findings with his students at the Black Hat security conference in August. “If someone can take a video of you typing on the screen, you lose everything.”
The researchers didn't test longer passwords, but believe they could reach an accuracy rate of 78 percent when stealing an 8-digit password from a device such as the iPad. If you are concerned about password hacking, your best line of defense is to cover your display as you type or when possible do away with a PIN code entirely such as by using the Touch ID fingerprint in the iPhone 5s.
With the results of this study, the researchers hope to convince mobile operating system companies to improve the security of their PIN input screens by taking steps such as randomizing the layout of the keypad.
Apple's Touch ID fingerprint authentication is of course another alternative to traditional passcodes. The feature launched on the iPhone 5s last year and is expected to make its way to the iPad and iPad mini later this year. Aside from increased security compared to passcodes, Touch ID has also increased usage of security features, with Apple noting during its WWDC presentation earlier this month that passcode/Touch ID usage has risen to 83% on the iPhone 5s, up from just 49% passcode usage previously.