Forgot your password?
typodupeerror
Google Privacy Security

Researchers Develop New Way To Steal Passwords Using Google Glass 116

Posted by samzenpus
from the let's-see-what-you-typed-there dept.
mpicpp writes with a story about researchers who have developed a way to steal passwords using video-capturing devices.Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen — meaning glare is not an antidote. The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode. They tested the algorithm on passwords entered on an Apple iPad, Google's Nexus 7 tablet, and an iPhone 5.
This discussion has been archived. No new comments can be posted.

Researchers Develop New Way To Steal Passwords Using Google Glass

Comments Filter:
  • That does it (Score:2, Insightful)

    by cheesybagel (670288)

    Time to trademark a 'No Glass Allowed' symbol.

    • by swillden (191260) <shawn-ds@willden.org> on Monday July 07, 2014 @06:04PM (#47403319) Homepage Journal

      Time to trademark a 'No Glass Allowed' symbol.

      Better make it "No Cameras Allowed". Which, incidentally, also means "No Smartphones or Tablets Allowed", since they all have cameras... which would actually eliminate the risk of passwords being stolen as they're entered into a smartphone or tablet, since no smartphones or tablets are allowed. Problem solved!

    • by mrsquid0 (1335303)

      These glassholes who whine about Google Glass are not very bright.

    • by meerling (1487879)
      This has nothing to do with google glass, other than a headline whore trying to hype his article.
      Any video capture device, like every smartphone, security camera, and other form of video camera on the planet can be used for this.
      • by Carewolf (581105)

        Yeah if you had it on all the time and mounted on your face. Oh wait, that is just Google glass.

        • by pantaril (1624521)

          Yeah if you had it on all the time and mounted on your face.

          There are no such requirements for this method of password stealing to work.

  • by Anonymous Coward on Monday July 07, 2014 @05:38PM (#47403105)

    TLDR - Researchers steal passwords by watching them being entered.

    • by Anonymous Coward

      The fact that the device is out in the open when the password is entered is the problem here.

      There's one technology that solves this problem, and that technology is genital recognition. It works like a password, but it depends on the unique pattern exhibited by each individual's genitalia.

      When a password needs to be entered, the user puts the phone down his or her pants/skirt/dress/whatever, and presses the screen against his or her genitalia. The pattern is then analyzed and compared against known data poi

    • by Mikkeles (698461)

      How well does this work for randomized keypad layouts?

  • I've always thought (Score:5, Interesting)

    by Registered Coward v2 (447531) on Monday July 07, 2014 @05:40PM (#47403125)
    electronic keypads should randomize the numeric order and that the device should not mirror the letter typed on the inout line or on the keypad.
    • Indeed they should. but can you imagine the number of password/pin resets the average Joe would then generate?
    • Being able to customize the keyboard based on the current input required is one of the best feature of virtual keyboards. I thought everyone would be randomizing the keyboard for the "password" field by now.

      • by vux984 (928602)

        I thought everyone would be randomizing the keyboard for the "password" field by now.

        You thought everyone would want to be reduced to the level of "hunt and peck" they were at the very first the time they saw a keyboard EVERY single time they needed to enter a password?

        And what does it get you as a defense vs "google glass attack"? Well, not only do they have to see you enter the password from some oblique angle but for one instant during entry or before they need to see your 'one time virtual keyboard' or

    • by vux984 (928602)

      Some do.

      But they are a pain to use, since most of us do password entry with some muscle memory, and on a smart phone nobody which one opens and unlocks 100 times a day nobody is going to want to have to exert that much effort.

      • by Mal-2 (675116)

        If you're doing it by muscle memory, you can do it with your hand covered. Problem solved.

        • by vux984 (928602)

          On a physical keypad maybe. Not the one on my phone, where the slighest bit of alignment can result in a bad entry.... trebly true if we're talking passphrases using the alpha numeric keyboard.

          Muscle memory is an assist, not a complete solution.

    • The MMO WildStar uses a randomized keypad for their two-factor authenticator input.

      After a while, you get pretty good at it.

      • by Buzer (809214)

        That's horrible use case. It really should not matter if the hacker can get your used one time token after you have entered it. Of course, it's bigger deal if they are not actually one time tokens like in Wildstar (you can use the token until it expires), but that should be fixed by making them one time tokens.

        Oh yeah, and their reasoning was that it would protect users against drive-by Javascript keylogger [wildstar-online.com] (on desktop client).

    • electronic keypads should randomize the numeric order and that the device should not mirror the letter typed on the inout line or on the keypad.

      OR... you could just walk around as you type throwing off their algorithm and not introduce another overly complicated and insanely annoying security feature that would simply push people into not securing their devices at all.

    • by jittles (1613415)

      electronic keypads should randomize the numeric order and that the device should not mirror the letter typed on the inout line or on the keypad.

      I used to work at a secure facility with a keypad like this. It was the first stage to getting into the building. You would hit a button and the digits would randomize. I eventually got to the point where I could look at the pad and input my 6 digit code within about 2 seconds. It took me about 2-3 weeks to get that down pat. After that, I would only mess up about once or twice a month.

    • I can only agree when you have a keypad that only has one code (one user), and you use it daily. Otherwise the used keys get worn out, which can help possible intruders. For a 4 digit PIN you will have 4!=24 possibilities instead of 10^4=10000, and even less when one digit occurs twice.

  • Google Glass only? (Score:5, Insightful)

    by tomhath (637240) on Monday July 07, 2014 @05:44PM (#47403159)
    I suppose you can be more subtle about it, but really any video cam would work just as well. Especially if you set it up near a place where people will be typing a useful password instead of loitering and staring at people.
    • by oodaloop (1229816) on Monday July 07, 2014 @05:56PM (#47403247)
      I know, I must be new here and everything, but it does in the first sentence of the fantastic summary, "and other video-capturing devices".
    • And why limit it to just passwords? There's a whole onscreen keyboard there to be watched.

    • by Carewolf (581105)

      Try taking a handheld camera and hold it at people who are typing their phone or ATM pincode and see what happens... (Warning damage yo your face may occur). The problem is that you can't pretend it is off like you can with a google glass.

      • Step 1: Put on a dress shirt (or any shirt with a pocket on the front).
        Step 2: Start your camera video recording and put it on your pocket (camera facing out, of course).
        Step 3: Wait in line behind the person and position yourself so that you have a good view but also so that it's not obvious what you are doing. Pretend to be looking at something else. (Look at your watch or a book or something.)
        Step 4: Review the footage later and get the person's password or PIN.

        Wouldn't be hard to do, really.

    • You could easily set up a telescope and camera on a balcony on an elevated point overlooking target area.

  • Cover your input (Score:5, Insightful)

    by briancox2 (2417470) on Monday July 07, 2014 @05:46PM (#47403163) Homepage Journal
    For the last couple of years I have been completely covering any input I give to a phone unlock or ATM PIN given. With cameras everywhere, this was only a matter of time.
    • by Hamsterdan (815291) on Monday July 07, 2014 @06:29PM (#47403505)

      Damn you! When I tried to cover my hand with the other one, my phone dropped to the floor...

      • I never said it was easy. =)
        • So, what? You approach well endowed women of the appropriate height, say "Excuse me for a second", and place your phone on their voluminous cleavage, freeing both hands for securely entering your password?

          That's ingenious!

          • Actually, going under the large shelf of boob provides enough coverage and you can continue to hold both hands on your phone. Which is where you obviously want them.
    • by ebvwfbw (864834)

      For the last couple of years I have been completely covering any input I give to a phone unlock or ATM PIN given. With cameras everywhere, this was only a matter of time.

      Should have picked a better pin than 0000.

  • by pr0t0 (216378) on Monday July 07, 2014 @05:47PM (#47403177)

    As the video points out, this is not limited to Google Glass, any video capturing device will work. But beyond that, this is really kind of obvious. Yeah, video recording someone entering their password on a touch device will give you a fairly accurate idea of what that password is. Record, playback at 1/4 speed, password. I would bet that security camera footage might even be better to work with due to the angle. The custom software I suppose is a nice achievement, but I would guess it's not all that necessary.

    • by tlhIngan (30335)

      As the video points out, this is not limited to Google Glass, any video capturing device will work. But beyond that, this is really kind of obvious. Yeah, video recording someone entering their password on a touch device will give you a fairly accurate idea of what that password is. Record, playback at 1/4 speed, password. I would bet that security camera footage might even be better to work with due to the angle. The custom software I suppose is a nice achievement, but I would guess it's not all that neces

      • by kqs (1038910)

        Seems rather the opposite. We're very good at noticing when someone is looking at us (a leftover from being prey I suspect), but I always see people standing, holding their phone angled slightly (pointed nicely at any laptops at nearby tables). Add a fake game screen while the camera runs for extra stealth.

      • by unrtst (777550)

        Except with Glass it's easier to do it by casually looking in the direction of the person. I'm fairly certain if someone has their smartphone or camcorder pointed in your direction steadily it's a little more obvious than someone just looking past you who happens to be wearing Glass.

        Except with every other inexpensive video only device on market, and especially those designed for the task, it is even easier and more stealthy than Glass.
        Ex. http://www.newegg.com/Camcorde... [newegg.com]
        Those start around $10.
        For $45 you can get a pair of sunglasses that look very much like average sunglasses and have a 720p video recorder. http://www.newegg.com/Product/... [newegg.com] ... and I'm sure all those and more can be found cheaper elsewhere.

        This is not a Google Glass hack in any way, shape, or form. It would not surpr

    • In other news, professional behavioral psychologists teach a new dog old tricks.

      http://blogs.mcafee.com/consumer/smartphone-pin-codes

      http://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/06/30/GraphNeighbors-Sicherheit14.pdf

  • by Anonymous Coward
    FFS this was quite interesting enough without turning it into yet another fucking "completely different because it's done with Glass/3D printer" story.
  • This just in, video cameras can record you entering passwords, more at 11.

  • "I don't get it, almost all his passwords should be Shift+v! Why isn't this working?"

    "Read out says CTRL+v, boss."

    "Don't be stupid! It has to be Shift!"
  • by bl968 (190792) on Monday July 07, 2014 @06:58PM (#47403671) Journal

    Researchers Develop New Way To Steal Passwords Using a video camera

  • Change your on-screen keyboard layout. Then they'll need to see the screen to figure out what letter is at each position.

  • That you can capture passwords with a camera.

    WTF .. This place is really gone to the dumps..

  • Is this the "think of the children" glass-killer ?

  • Google must find a solution before it gets popular among hacking community and some people suffer.
  • Why doesn't someone just modify the snippet of code in the OS that displays the touch keys on the phone/tablet screen to place them in a new random order each time you unlock the device so that when you enter the PIN to unlock the device you never use the same finger placement pattern twice? That would also prevent analysis of scratches/smudges on the surface of the device as a means of cracking it.

    I know, I know, users would probably complain.

  • Use Dvorak.

    Problem solved.

Only God can make random selections.

Working...