Shoulder surfing, the act of secretly watching someone as they type in their password, has always been a popular attack method used in stealing information. It can be as simple as watching the person in front of you type in their ATM PIN code or as elaborate as setting up video cameras with large telephoto lenses in order to get the information from a long distance. Now, thanks to a security researcher in South Africa, there’s an application that can visually gather passwords from iPad users.
The app uses Intel’s OpenCV library, a platform that is used for visual recognition, to detect the blue hue of each virtual key that the victim presses. It determines which key was pressed by applying the X/Y coordinates of the blue hue to a mapping of where the keys are located. All it requires is video footage of a user typing on the iPad’s keyboard, and it could be used not only to capture passwords but also to read emails and text messages as they are being sent.
There has always been a debate about how much security should be applied to the screen. Bruce Schneier, for example, once argued that replacing keystrokes with asterisks on the screen had a negative impact on security. His reasoning was that it trains users to select passwords that are simpler to remember, because many people rely on the visual results on the screen to know that what they’ve typed is correct. In this case, although the password itself is properly masked, the visual clue is the key being pressed on the virtual keyboard. Turning this key highlighting off would improve security, but it would make it more difficult for the end user to know what was typed.
Although this application will probably not negatively impact the security of most users, it’s a good reminder to be aware of your surroundings when using computing devices out in the open.