Study Shows Wearable Devices Can Read Passwords
07/09/2014
By Edwin L. Aguirre
A team of researchers at the university’s Cyber Forensics Laboratory, led by computer science Assoc. Prof. Xinwen Fu, has shown that thieves and hackers can use video from wearable devices such as to spy on unsuspecting people. Google Glass is a hands-free, head-mounted computer developed by the Internet search giant that allows one to capture high-def video via voice command. This is what makes the device discreet and stealthy to use, especially in crowded areas, notes Fu.
“For example, if you use online banking and you type in your PIN, the hacker can potentially access your bank account,” he says.
Aside from Google Glass, Fu and his team also conducted extensive experiments using other video-recording devices such as a Logitech webcam, an iPhone 5 camera and a Samsung smartwatch.
Although the group will officially present its findings at this year’s cyber-security conference to be held in August in Las Vegas, news of the group’s groundbreaking investigation has already been featured in numerous media outlets worldwide, including , , the in London, the New Zealand Herald, Business Insider Singapore, and the .
Other members of Fu’s team include computer science Assoc. Prof. Benyuan Liu and Ph.D. students Qinggang Yue and Zupei Li, as well as collaborators from Towson University near Baltimore and Southeast University and University of Macau, both in China.
It’s All in the Finger
Fu and his co-researchers have developed special video-recognition software that tracks the movement of a victim’s fingertip and uses the fingertip’s relative position on the touch screen to recognize the touch input.
“We carefully analyzed the shadow formed around the fingertip and applied computer-vision techniques to automatically track the touching fingertip and locate the touched points,” explains Fu. “An algorithm is then used to map the estimated touched points and correlate them to a reference image of the device’s keypad, enabling us to crack the passcode.”
The team tested the software using male and female subjects (different finger shapes and sizes, fingernail lengths and typing styles), as well as various camera viewing angles, distances and lighting conditions. In 30 experiments, the software could automatically recognize from Google Glass video more than 90 percent of iPad passcodes recorded from up to 10 feet away. Using video recorded with a Panasonic HD camcorder and 12x optical zoom from a distance of more than 140 feet, the success rate jumped to 100 percent.
The team also tried the technique not just on iPads but also on Google’s Nexus 7 tablet and the iPhone 5. The major vulnerability of such targeted devices is that the alphanumeric keys are always exactly in the same spot on the keypad.
“As a countermeasure, we’ve designed an app called Privacy Enhancing Keyboard, or PEK, which displays a randomized keypad on Android mobile devices,” says Fu. “Users can use the PEK when typing in sensitive information such as passwords and then switch to a standard QWERTY keypad layout for typing normal text.”
He adds: “Exposing the dangers of video attacks will hopefully lead to more widespread solutions.”
In the meantime, Fu advises that when you unlock your iPad in public, take extra precaution by covering your finger with your free hand as you type in your passcode. It’s a simple procedure that can help you safeguard your personal data from prying eyes.
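The fixed-position weakness and the randomized-keypad countermeasure described above can be modeled in a few lines. This is an added example, not code from the article or from PEK. It assumes a ten-slot numeric keypad and an observer who learns only which slots were touched, not the labels shown on them; all names and the sample PIN are constructed for illustration.

```python
import secrets

DIGITS = "1234567890"
FIXED_LAYOUT = tuple(DIGITS)   # slot i always shows the same digit
_rng = secrets.SystemRandom()  # OS CSPRNG, so layouts are not predictable


def randomized_layout():
    """Return a fresh permutation of the ten digits, one per keypad slot."""
    keys = list(DIGITS)
    _rng.shuffle(keys)
    return tuple(keys)


def touched_slots(pin, layout):
    """Slots the finger lands on when typing `pin` on `layout`.

    In this model, this is all a position-tracking observer learns.
    """
    return [layout.index(d) for d in pin]


def decode(slots, layout):
    """Map touched slots back to digits using a given layout."""
    return "".join(layout[s] for s in slots)


def observer_recovery_rate(pin, trials=2000):
    """Fraction of entries decoded correctly when the device draws a new
    layout per entry and the observer only has the fixed reference layout."""
    hits = 0
    for _ in range(trials):
        slots = touched_slots(pin, randomized_layout())
        hits += decode(slots, FIXED_LAYOUT) == pin
    return hits / trials


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    # Fixed keypad: touched positions alone reproduce the PIN.
    print("fixed keypad:", decode(touched_slots(pin, FIXED_LAYOUT), FIXED_LAYOUT))
    # Randomized keypad: the same observation almost never decodes correctly.
    print("randomized keypad recovery rate:", observer_recovery_rate(pin))
```

The device itself still decodes every entry correctly because it knows the layout it displayed. The protection holds only while the key labels stay unreadable to the observer.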