Study Shows Wearable Devices Can Read Passwords

By recording on video the way your finger taps an iPad’s touch screen, university cyber-forensic experts have shown how hackers can quickly and easily crack your passcode without you knowing it.

07/09/2014
By Edwin L. Aguirre

People do it all the time — on campus, at conferences, libraries, coffee shops, food courts, airport lounges, hotel lobbies and public parks. Users unlock their iPads by entering their four-digit security passcode on the mobile device’s touch screen keypad without any clue that somebody might be video-recording them from afar. Chances are, the victim can’t see the snooper, but the crook can certainly capture the movement of the victim’s typing finger in order to steal his or her personal information.

A team of researchers at the university’s Cyber Forensics Laboratory, led by computer science Assoc. Prof. Xinwen Fu, has shown that thieves and hackers can use video from wearable devices such as Google Glass to spy on unsuspecting people. Google Glass is a hands-free, head-mounted computer developed by the Internet search giant that allows one to capture high-def video via voice command. This is what makes the device discreet and stealthy to use, especially in crowded areas, notes Fu.

“For example, if you use online banking and you type in your PIN, the hacker can potentially access your bank account,” he says.

Aside from Google Glass, Fu and his team also conducted extensive experiments using other video-recording devices such as a Logitech webcam, an iPhone 5 camera and a Samsung smartwatch.

Although the group will officially present its findings at this year’s Black Hat USA cyber-security conference to be held in August in Las Vegas, news of the group’s groundbreaking investigation has already been featured in numerous media outlets worldwide, including CNN, CNBC, the Daily Mail in London, the New Zealand Herald, Business Insider Singapore, WIRED and the Huffington Post.

Other members of Fu’s team include computer science Assoc. Prof. Benyuan Liu and Ph.D. students Qinggang Yue and Zupei Li, as well as collaborators from Towson University near Baltimore and Southeast University and University of Macau, both in China.

It’s All in the Finger

Fu and his co-researchers have developed special video-recognition software that tracks the movement of a victim’s fingertip and uses the fingertip’s relative position on the touch screen to recognize the touch input.

“We carefully analyzed the shadow formed around the fingertip and applied computer-vision techniques to automatically track the touching fingertip and locate the touched points,” explains Fu. “An algorithm is then used to map the estimated touched points and correlate them to a reference image of the device’s keypad, enabling us to crack the passcode.”

The team tested the software using male and female subjects (different finger shapes and sizes, fingernail lengths and typing styles), as well as various camera viewing angles, distances and lighting conditions. In 30 experiments, the software could automatically recognize from Google Glass video more than 90 percent of iPad passcodes recorded from up to 10 feet away. Using video recorded with a Panasonic HD camcorder and 12x optical zoom from a distance of more than 140 feet, the success rate jumped to 100 percent.

The team tried the technique not just on iPads but also on Google’s Nexus 7 tablet and the iPhone 5. The major vulnerability of such targeted devices is that the alphanumeric keys are always in exactly the same spot on the keypad.

“As a countermeasure, we’ve designed an app called Privacy Enhancing Keyboard, or PEK, which displays a randomized keypad on Android mobile devices,” says Fu. “Users can use the PEK when typing in sensitive information such as passwords and then switch to a standard QWERTY keypad layout for typing normal text.”

He adds: “Exposing the dangers of video attacks will hopefully lead to more widespread solutions.”
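To make the randomized-keypad countermeasure concrete, here is an added sketch (not PEK's code and not from the researchers) of why shuffling key positions breaks the mapping from touched points to digits. The 10-cell keypad model and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed model: a keypad is a 10-character string; index = on-screen cell.
FIXED_LAYOUT = "1234567890"

def randomized_layout(randbelow=secrets.randbelow):
    """Fisher-Yates shuffle of the digits, driven by a CSPRNG by default."""
    cells = list(FIXED_LAYOUT)
    for i in range(len(cells) - 1, 0, -1):
        j = randbelow(i + 1)  # uniform index in [0, i]
        cells[i], cells[j] = cells[j], cells[i]
    return "".join(cells)

def cells_for_pin(pin, layout):
    """Cell positions the user touches when typing `pin` on `layout`."""
    return [layout.index(digit) for digit in pin]

def decode(cells, layout):
    """Digits that a sequence of touched cells spells out on `layout`."""
    return "".join(layout[c] for c in cells)

def consistent_pins(cells):
    """Number of PINs still possible when only the touched cells are known
    and the layout is a uniform random permutation. Positions then reveal
    only which presses hit the same key, not which digit that key was."""
    return math.perm(10, len(set(cells)))

if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    # Fixed keypad: touched positions plus the reference layout give the PIN.
    fixed_cells = cells_for_pin(pin, FIXED_LAYOUT)
    print("fixed keypad, positions decode to:", decode(fixed_cells, FIXED_LAYOUT))
    # Randomized keypad: the device still reads the PIN correctly, but the
    # same positions matched against the reference layout give other digits.
    layout = randomized_layout()
    cells = cells_for_pin(pin, layout)
    print("device reads:", decode(cells, layout))
    print("positions against reference layout:", decode(cells, FIXED_LAYOUT))
    print("PINs consistent with positions alone:", consistent_pins(cells))
```

The shuffle has to be redrawn for each entry and driven by a cryptographic random source; a layout that is reused or predictable becomes a fixed layout again from an observer's point of view.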

In the meantime, Fu advises that when you unlock your iPad in public, you take the extra precaution of covering your finger with your free hand as you type in your passcode. It’s a simple procedure that can help you safeguard your personal data from prying eyes.