Security researchers from the US have shown that gadgets such as Google Glass can be used to covertly record PIN codes from distances of 10 feet – even if the target display is hidden from view.
Wired reports that the research team led by Professor Xinwen Fu of the University of Massachusetts Lowell used software that analysed the shadows and movements of peoples’ fingers in order to decipher PIN codes entered into tablets and smartphones.
A range of devices were tested including Google Glass (which recently went on sale in the UK), an iPhone 5, a Samsung smartwatch and a Logitech webcam. Video captured by Glass produced a correct four digit PIN from three metres away with 83 per cent accuracy (this was improved to more than 90 per cent with manual corrections) while the webcam was accurate 92 per cent of the time.
Similar software has been created in the past (including an iOS app) but this is the first instance of technology that can decipher PINS even when the display is unreadable. Fu explains that it does this by creating a reference image of the iPad’s screen and mapping the target’s finger movements onto this.
“Any camera works, but you can’t hold your iPhone over someone to do this,” Fu told Wired magazine. “Because Glass is on your head, it’s perfect for this kind of sneaky attack.”
In response to the research Google issued a statement saying: “Unfortunately, stealing passwords by watching people as they type them is nothing new. We designed Glass with privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.”
Video: Privacy concerns over Google Glass
The research team were also able to record PIN codes using the same software from a distance of nearly 150 feet by using a more expensive camcorder with an optical zoom. With this high resolution equipment they were able to capture a target’s PIN from a fourth storey window on the other side of the road.
Thankfully, there is a solution to this problem: apps and add-ons that randomize the PIN entry pad’s layout. If the software doesn’t know which layout is being used then it can’t work out which buttons are being pressed. Fu and his team have even created such an add-on which they hope to release for Android devices in August as the Privacy Enhancing Keyboard or PEK.
“You can’t prevent people from taking videos,” Fu told Wired. “But for the research community, we need to think about how we design our authentication in a better way.”