It turns out that it’s no longer safe to type in passwords when using a connected device in public even if no one’s looking over your shoulder. It was announced today that computer forensics experts at the University of Massachusetts in Lowell have discovered a method for stealing a password entered on a smartphone or tablet using video taken by Google Glass or other video-capturing devices.
Google Glass: Details on the method used to figure out passwords
The U Mass researchers developed sophisticated software that can map the shadows from fingertips as they type on a tablet or smartphone. Then an algorithm converts those touch points into the actual keys they were touching, meaning the researchers can decipher the password.
The researchers tested their algorithm on videos of passwords entered on an Apple Inc. iPad, a Google (NASDAQ:GOOG) Nexus 7 tablet and an iPhone 5.
Moreover, the new software can be used on a video taken by a variety of devices: Fu and his colleagues tried Google Glass, a cell phone video, a webcam and a camcorder. Of particular note, the software worked even with a camcorder video taken at a distance of more than 140 feet.
Pointing a camcorder at someone, however, obviously creates suspicion. The growing ubiquity of wearable technology is what makes this approach a real threat today. A bad actor with a smartwatch or Google Glass could easily video record a person typing on his phone or tablet at a cafe without anyone noticing.
According to lead researcher Xinwen Fu, Google Glass is particularly well suited for this type of surreptitious recording activity. “The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video … they see your finger, the password is stolen,” Fu said.
Statement from Google
Google has publicly stated that it carefully designed Glass with privacy in mind, and that the device emits easily seen signals when it is being used to video record.
“Unfortunately, stealing passwords by watching people as they type them into ATMs and laptops is nothing new,” a Google spokesman explained in an email. “The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.”