A new computer vision attack could allow Google Glass wearers to steal passwords typed on nearby tablets or smartphones - even if the attackers do not have a clear view of the screen, according to a report by CNN.
The technique could allow attackers to crack 90% of passcodes from up to ten feet away - regardless of whether the screen is obscured by glare. The distance is even greater if an attacker uses a hi-def camcorder - up to 150ft, according to Wired.
If they take a video, you lose everything
“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Dr Xinwen Fu of the University of Massachusetts in Lowell.
“If someone can take a video of you typing on the screen, you lose everything.”
Instead of “watching” the screen, the software developed by Dr Fu follows the user’s finger in video recordings, tracking the fingertip’s position relative to the screen. The software harvests a pattern of “touch points” where the finger has contacted the screen, and works out passwords based on that.
Fu will present his findings at Black Hat USA 2014, in Las Vegas on August 6 and 7.
The major thing is the angle
The attack is not limited to simple PIN codes. "We could get your bank account password," Fu told CNN. The security expert says that the ability to adjust the angle (easy with Google Glass’s head-mounted camera) offers attackers an edge.
"The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video ... they see your finger, the password is stolen," Fu said.
Fu and his colleagues will show off a Privacy Enhancing Keyboard application for Android devices, which pops up a randomized keyboard whenever a password is required, but reverts to a normal QWERTY keyboard when not in use.
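Why a randomized keyboard blunts this kind of observation, as an added example (not the researchers' Privacy Enhancing Keyboard code): when digit positions are reshuffled for every prompt, touch positions recovered from video no longer map to fixed keys. The 4x3 pad, the function names and the sample PIN are assumptions made for illustration.

```python
import secrets

# Fixed 4x3 PIN pad, row-major; "" marks the two unused cells (assumed layout).
STANDARD = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "", "0", ""]
DIGIT_CELLS = [i for i, key in enumerate(STANDARD) if key]

def randomized_layout(rng=None):
    """Return a pad with the ten digits shuffled across the digit cells."""
    rng = rng or secrets.SystemRandom()  # OS CSPRNG, not a seeded PRNG
    digits = list("0123456789")
    rng.shuffle(digits)
    layout = [""] * len(STANDARD)
    for cell, digit in zip(DIGIT_CELLS, digits):
        layout[cell] = digit
    return layout

def touch_points(pin, layout):
    """(row, col) cells the finger contacts when entering pin on layout."""
    return [divmod(layout.index(d), 3) for d in pin]

def observer_guess(points, assumed_layout=STANDARD):
    """Digits inferred from touch positions alone, assuming a fixed layout."""
    return "".join(assumed_layout[r * 3 + c] for r, c in points)

def leak_rate(pin, trials=2000):
    """Fraction of fresh random layouts on which positions still reveal pin."""
    hits = sum(
        observer_guess(touch_points(pin, randomized_layout())) == pin
        for _ in range(trials)
    )
    return hits / trials

if __name__ == "__main__":
    pin = "1234"  # constructed sample PIN
    print("fixed pad :", observer_guess(touch_points(pin, STANDARD)))
    print("random pad:", observer_guess(touch_points(pin, randomized_layout())))
    print("leak rate :", leak_rate(pin))
```

The protection depends on drawing a fresh layout for every password prompt; a layout that is shuffled once and then reused gives an observer a fixed mapping again.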
The researchers showed off the attack working when applied to Apple’s iPad, a Google Nexus 7 tablet, and an iPhone 5.
Fu says that his research is substantially different from previous attacks based on recognising touch inputs - as it does not use a language model to estimate touched keys. It relies purely on computer vision tools applied to an image of the finger using the touchscreen.
Fu says that the technique works quickly and unobtrusively enough to be a genuine concern in public arenas such as conferences.
“We are interested in scenarios such as conferences and similar gathering places where a Google Glass, webcam, or smartphone can be used for a stealthy attack,” he says.