Exploiting the iPad's Glowing Keyboard

nonprofiteer writes "Earlier this week, a South African security researcher released shoulderPad, an app that's designed to auto-snoop on iPad users' passwords by watching their touchscreen keyboards. When a user types on an iPad's touchscreen, each key glows blue for a fraction of a second after it's struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad's image recognition algorithms, based on Open CV's open source image recognition software, look for that flash of blue. 'At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,' says Meer."

Oh great

[colinrichardday]

One more thing to warn my informatics students about.

Re:Oh great

[Darinbob]

But this is an old technique, you should have warned them about it anyway. Ie, someone looking over shoulder at the ATM to get PIN number, or watching you obliquely as you type a password, or telescopes watching your screen from the next building (or even picking up the noise from a CRT and decoding that, which has been done).

Re:Oh great

I always enter my pin number when I go to an atm machine.

Re:Oh great

[dzfoo]

Whoosh!

Re:Oh great

[Dog-Cow]

(Score:-1, Redundant)

I'm not sure if this is ironic or oddly appropriate.

Re:Oh great

[colinrichardday]

I've warned them about shoulder surfing, but I wasn't paranoid enough.

Re:Oh great

[Agent0013]

I think the whooshing sound went whoosh!

Re:Oh great

[dzfoo]

The parent poster made a joke.

Exhibit A:

I always enter my pin number when I go to an atm machine.

Notice how he is exaggerating the fact that the word "pin" already has "number" in it by repeating the error with "atm," which already has "machine" in it.

Your response seemed to imply that he didn't know this by pointing it out expressly.

          -dZ.

thisius whaIUNTJA,JMAIERUYHNEEEDTO knoiw

[For+a+Free+Internet]

Wewi naotallowkitkjnm0potkje nitoine notone ever yiyu betcha! goatsexunhj,q *N& and fuuuuuuuuuuuc83yh89ynkHPHPHPH penus dofrg!!!!!!!!!!!!

Security Enhancement

[PPH]

Enable the iPad camera and feed a video window on the login screen so you can see who's looking over your shoulder.

Re:Security Enhancement

[Kenja]

Its some suspicious looking guy! Man is he ugly, its almost as if.... oh, its me.

Re:Security Enhancement

[Racemaniac]

And all jokes have to be analyzed and have all their flaws explained

Re:Security Enhancement

[FhnuZoag]

Terrible racist ones? Sure.

It's not even that hard

To make it easier to catch typos, secure text fields on iOS persistently display the most recent character typed (and hide it when you type the next one). If you're already recording video of the iPad screen, why not just look for that?

Re:It's not even that hard

[FooAtWFU]

It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.

Re:It's not even that hard

[stephanruby]

On an Android tablet, that feature can be turned off (I assume it's the same on an iPad).

Re:It's not even that hard

[gnapster]

"Yes, of course Angry Birds is easier to play when the camera's pointing at your iPad. What? Don't be ridiculous! I'm not watching you type in your password, I'm playing Angry Birds. The nerve!"

Re:It's not even that hard

[grumbel]

What good would the reflected glow do? That only tells you that a key got pressed, not which one. The app in question here seems rather trivial, all it does is detect which key was pressed by looking for the blue highlight on the key, it still needs to have a completely free view onto the keyboard to see which key that was and when you have that free a view, you can see the users hand hitting the keys anyway. The only interesting thing seems to be that it is easier to automate the detection of the blue keys then it is detecting if a hand movement was a key-press or not.

Re:It's not even that hard

[perpenso]

It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.

You don't have to look at the password field. There is a much better, larger and more readable alternative. When you press a key an enlarged version of the key momentarily hovers above your finger to give you feedback on what you just pressed. Your finger is covering the smaller lettering on he keyboard and the glow.

Re:It's not even that hard

[mini+me]

No, I'm serious. You can't change the SMS text tone on the iphone,

Being serious doesn't make it true. Even the iPhone 3G was given the feature quite some time ago.

Re:It's not even that hard

[wvmarle]

My Android phone allows the complete password to be visible when typing (which is convenient, and unless you're in a public space not really insecure to begin with), while by default it will only show the latest letter entered for a few seconds so you can see if it's the right one, hiding it after a few seconds, or when you enter the next character. So very similar to the iPhone.

I have never seen this as a serious security issue. I'd say it's not exactly worse than looking at someone typing on a physical keyboard.

Re:It's not even that hard

[Pieroxy]

Dude, Apple doesn't charge a dime for new OSes.
The rest is true of course.

Re:It's not even that hard

[rbrausse]

Schneier wrote some time ago about the advantages of visible passwords. One (small) shitstorm later he compiled an interesting pro/con list.

Re:It's not even that hard

[jo_ham]

I can change my SMS tone and I have an iPhone 3G (ie, comparatively ancient) I also have a totally custom ringtone (from TMBG) which I did not have to buy through iTunes or anything.

Also, Apple charges for iOS updates? Wow. That's news to me! Where did you find that bit of exclusive, new information?

Re:It's not even that hard

[jo_ham]

Except for all those other parts that are also untrue. Ie, the part about not being able to change SMS tones. That's what we call in the business as "a lie".

Re:It's not even that hard

[Sabriel]

I also have an iPhone 3G (3GS if we're being pedantic). So could you tell me how to *change* my SMS tone to one of my own choosing without jailbreaking the phone? Because all mine lets me do is *select* from the six tones that Apple put on the phone.

Re:It's not even that hard

[rbrausse]

I never owned an iphone but I was curious.

and WTF, the way to change tones seems to be:

1. jailbreak the thing
2. convert your custom tone to AIFF
3. ssh to the phone
4. in /system/library/audio/uisounds overwrite the original files with your own file

*very* convenient, I still can't believe it

Re:It's not even that hard

[Rigrig]

Because determining which part of the keyboard lights up is much easier than OCRing a much smaller character. A video could easily be low-res/blurry enough to make reading that character impossible, while the blue flashes would still be recognizable.

Re:It's not even that hard

[RMingin]

Wrong. The iPod and iPhone pop up the keys, the iPad only glows them blue for a split second. The only time an app will do that popping keys nonsense on an iPad is if it's not universal, and running in iPhone mode.

Re:It's not even that hard

[Dog-Cow]

The character is changed to a dot after a delay or after the next character is typed.

Re:It's not even that hard

[jo_ham]

You're going for the overly semantic argument - you know damn well that the OP was talking about the fact that everyone uses the Tritone sound. You can change it to another sound that is included with the phone, where the dictionary definition is "alter to become something else".

While you can't swap them for custom tones (unlike the ringtones) you can *change* them between the presets.

Re:It's not even that hard

[konohitowa]

I also have an iPhone 3G (3GS if we're being pedantic). So could you tell me how to *change* my SMS tone to one of my own choosing without jailbreaking the phone? Because all mine lets me do is *select* from the six tones that Apple put on the phone.

The iPhone doesn't even let you *change* times in the alarm application. All they let you do is *select* from a predefined set of times. Crazy.

Re:It's not even that hard

[interkin3tic]

Being serious doesn't make it true. Even the iPhone 3G was given the feature quite some time ago.

Wrong. You can pick between the 6, as I noted before, and iOS5 will allow it, but you currently cannot add new ones without jailbreaking.

And again, why wasn't it there from the start. You're saying you couldn't even change between those 6 at one point? That's absurd.

Re:It's not even that hard

[interkin3tic]

You're going for the overly semantic argument - you know damn well that the OP was talking about the fact that everyone uses the Tritone sound.

That wasn't what I was talking about actually. If you notice, I wrote

"You want your iphone to play something besides the 6 included tones for a text message alert?"

6 preset options is nothing when nearly every other smartphone, and even many dumbphones, your options are infinite.

Also, Apple charges for iOS updates? Wow. That's news to me! Where did you find that bit of exclusive, new information?

It does appear I was outdated. They did charge for OS updates at one point, and I was sure I heard that initially iOS4 would cost, but Wiki informs me that as of OS4, apple was no longer charging for updates. I'm not sure if the ipad is included in that or if that too is outdated. But you're right. I maligned apple, they appear to have realized that charging for software updates is abusive, I'm so sorry I assumed that because they had sinned once, they would sin again.

Re:It's not even that hard

[Pieroxy]

There's a word here that describe what you're missing: Context.

Re:Incredibly not amazing...

[scdeimos]

Yes he is. Keep an eye on the top-left corner of the video while the program's running.

Does not one here have an iPad?

This whole story is completely false.

The iPad keybord is not black, neither does it do a blue glow.

iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as see in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.

Re:Does not one here have an iPad?

[exomondo]

This whole story is completely false.

The iPad keybord is not black, neither does it do a blue glow.

iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as see in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.

Have you looked at the keyboard of the lockscreen with an alphanumeric password? No? Of course not, because you posted this so you can't possibly have.

Article and Video is misleading

[doomy]

The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

Re:Article and Video is misleading

[exomondo]

The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

Unless you actually try the situation shown in the article.

Re:Article and Video is misleading

[doomy]

If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.

Re:Article and Video is misleading

[exomondo]

If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.

Do you have an ipad? Did you watch the video in the article? How about you have a look at the video, it shows that both your posts are wrong. Yes the keyboard is that colour and no the text doesn't flash up in the text entry box.

Re:Article and Video is misleading

[doomy]

Ah, let me point out what came out bogus to me when I read the PDF.

The person claims this on page 3:

We have long realized the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rate to find an application that fails to mask passwords on screen. Even the iDevices (which we examine below) mask passwords by default. We take the fact that password masking is so ubiquitous as the obvious acknowledgement of the shoulder surfing as a viable attack method.

Wait... This is where I have a problem, they claim that iOS masks the passwords by default and thus they have to use this other compelx method of capturing what keys are pressed. My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.

Re:Article and Video is misleading

[doomy]

Yes, I tested it all out, there was no need for this extensive demonstration, as the assertion that password masking is completely hidden by default is incorrect (which is why they did the 2nd method). Their video's password entry does not work as it does on default on my iPad. On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

Re:Article and Video is misleading

[exomondo]

My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.

That's because it is already masked which is what he said, so of course the only way to capture it is to determine what keys were pressed. How else are you going to capture the password?

Re:Article and Video is misleading

[doomy]

No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.

Re:Article and Video is misleading

[exomondo]

Yes, I tested it all out

Oh come on, you started by saying the keyboard wasn't black!

On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

And you're running what version with what settings?

Re:Article and Video is misleading

[doomy]

Come over to here. We are having the same conversation in two branches. I'm on 4.3.3, default settings with non-simple password entry as I said before.

Re:Article and Video is misleading

[exomondo]

No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.

And you are just running to the assumption that it is doctored video as opposed to say iOS5?

Re:Article and Video is misleading

[exomondo]

are you running iOS5?

Re:Article and Video is misleading

[doomy]

I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon

Re:Article and Video is misleading

[exomondo]

I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon

Probably because it's the new version of the OS and that even if they introduce this feature of masking the keys completely there is still a vulnerability. Anyway it seems you're just trying to pull this article apart with whatever you can, albiet with no actual facts. First it's the keyboard (incorrect), then the password showing up (which is likely in the next OS version) and also the fact that they state in the article that you can do this over long distances where obviously the spatial position of a blue keyboard flash can be calculated even when the key could not possibly be read.

Re:Article and Video is misleading

[doomy]

I'm sorry are you the person behind this video? Yes, I do like to pull an article apart to see the validity of the claims. As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that. Yes, I admit the keyboard thing was an err on my part, as I was reading his PDF I realized this was about non-simple passcode entry. As far as the password showing up, it doesn't happen on mine (and as others said doesn't happen on their iPad's as well). The letters that show up are huge, it's very very easy to read it off, and they stick around for quite a bit, I could take two screenshots of a given passcode letter before it becomes a mask. I do like what he made, it's cool. But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).

Re:Article and Video is misleading

[exomondo]

I'm sorry are you the person behind this video?

No, obviously if i was i would be able to say what the version the ipad in the video was running wouldn't i.

Yes, I do like to pull an article apart to see the validity of the claims.

But your claims don't seem to actually be refuting the article because you don't have any facts. I personally wouldn't go calling something 'bogus' or their claims 'incorrect' unless my personal experience was actually replicating that of the article, and you certainly cannot say that yours is.

As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that.

Your experience is clearly an invalid basis for you to be calling it bogus then isn't it.

The letters that show up are huge, it's very very easy to read it off

At what distance?

But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).

Or that much more likely he is using the new OS where they have added this fix to prevent people from reading the password directly and he is showing that it may not be enough.

Personally i think the study is far fetched anyway and could be mostly circumvented if they used the normal keyboard instead, or if you made sure to move around a little as you typed your password.

Re:Article and Video is misleading

[doomy]

I'm sorry you feel that way. Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?). Also It's already been claimed this is iOS 4.3.x above. No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.

Re:Article and Video is misleading

[exomondo]

Video is of IOS 4.3+ not 5. As the new version has a message center on that lock screen now.

but the message center is only there if you have messages.

Re:Article and Video is misleading

[exomondo]

Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?).

No, I don't run iOS5, i guess you could find plenty of videos and pictures if you google though.

Also It's already been claimed this is iOS 4.3.x above.

Yet the message center is only visible if you have messages, so that claim is baseless too.

No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.

What are these 'holes' that you're suggesting it has? Lets assume for a minute that the letters do show up, what difference does that actually make?
It's still clear your claims of these things being 'bogus' and 'incorrect' are baseless, im all for dissecting these kinds of studies but i would not start making claims unless i actually had some facts to back them up, that's just common sense.

Re:Article and Video is misleading

[doomy]

As I said before, if you read the PDF, he claims he started on this project cause the masked password entry was way too robust by default to exploit. I didn't feel that was the case as my own observation is different from what he claimed. The rest of what he did was excellent, not saying anything about that, I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.

Can you show a screen of the iOS you run and password entry? I'd rather he showed these videos but it doesn't fit his article.

Re:Article and Video is misleading

[exomondo]

I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.

But that is obviously flawed given that you don't know what version of iOS he is running and you yourself can't say what the behavior is in iOS5.

Can you show a screen of the iOS you run and password entry?

Huh? I already told you I don't run iOS 5, I run 4.3.3 and I see the same thing as you do. So since I don't run iOS 5 I don't know if his assertion regarding password entry masking is correct or not, and neither can you. He even clarified for situations where the masking is not in effect that his solution likely works over greater distances (though he didn't specify what distances).

Re:Article and Video is misleading

[doomy]

The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device. And.... best of all it can be adapted to work on even physical keyboards. Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.

Re:Article and Video is misleading

[exomondo]

The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device.

Of course, that's hardly sensationalist though, when the tablet market is vastly dominated by the iPad id say that's the logical choice for a demonstration.

And.... best of all it can be adapted to work on even physical keyboards.

Not if they aren't lit, which most aren't. Yet as you say this works on almost all tablet computers assuming you have the keyboard layout.

Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.

So he shouldn't have done this because something different would have been more impressive...now you're just clutching at straws.

Re:Not just Apple

[lucm]

> Nice twisting of reality here to make a story, reporters. Touchscreen devices of all varieties have been doing this for years. Even PalmOS was inverting the onscreen keys as you pressed them

You are the one twisting reality. Good stuff on the iPad = invented by Apple. Bad stuff on the iPad = same problem with all the other products in the universe but the other products are actually worse because they had it before and nobody fixed it.

This being said, it is a good thing you posted this as AC, otherwise people could have stolen your Slashdot password just by watching you typing it on your iPad.

Re:Not just Apple

[EvanED]

And by contrast, MS has visual feedback disabled on their virtual keyboards on the tablet editions of Windows. (Primarily for convertible tablets... remember those?)

Bizarro world, huh?

Re:Not just Apple

[EvanED]

MS has visual feedback disabled on their virtual keyboards

Just for clarification, I meant to say "on password screens". It's off for the login screen and I think anything else the app reports is a password box.

Re:Put it to work for you

[jimmydevice]

DEviaNT sez you fail

Video may be bogus, but point is valid

[93+Escort+Wagon]

While this is not a unique problem to the iPad, since it is the 800 pound gorilla in the room it deservedly gets the attention.

Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?), or whether this particular demo games the system a bit, is somewhat irrelevant. With both smartphones and tablets it's much easier to snoop someone's password. Most people don't seem to think about security at all when they're typing their login information in public on an iPad or smart phone, so shoulder snooping is easy; and the "display the most recent letter pressed" gimmick used by both iOS and Android provides yet another possible attack vector.

I used to be very much against letting a computer or other device save my passwords; but I'm beginning to think - with portable devices anyway - there's value in doing so. Of course, if you lose the device you're screwed...

And there's still the additional problem where a lot of wifi hotspots aren't secured, so you need to be doubly sure of the site security (e.g. https) for any website you might log into.

Re:Video may be bogus, but point is valid

[exomondo]

Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?)

It's the keyboard for the alphanumeric passcode lock screen entry, it's been that way for quite some time.

Re:Video may be bogus, but point is valid

[artor3]

I have an Android phone, but I assume my method works just as well for iOS and tablets.

Step 1) Store all of your passwords in KeePass
Step 2) Make a long and complex password for your KeePass file, using non-alphanumerics, whitespace, repeated characters and look-alike characters. No one looking over your shoulder will memorize "S0l|ll x####ffe3EE zxp5", unless they get hi-res video of you typing it in.
Step 3) Use the DropBox app to sync your password file to your phone
Step 4) Run the KeePass app in the background, and copy-paste passwords into the necessary fields.
Step 5) Make sure to turn KeePass off whenever not actively using your phone.
Step 6) Profit, by way of not having your bank account looted.

Only one password is ever visible, and it's complex enough that it would be near impossible to steal. Your other passwords can be just as complex as the KeePass one, since you won't need to memorize them. However, if you'd prefer they be easier to remember for times that you don't have access to KeePass, you can keep them simple. Regardless, the only way you'll ever get fucked is if you leave KeePass running, and someone manages to steal you phone in the five minute window before it turns itself off. And if you're extra paranoid, you can shorten that window to 30 seconds.

Re:Video may be bogus, but point is valid

[CProgrammer98]

I was about to say that you can't paste into the screen unlock field - but you can! - and no flashes, or text reveals.

This does however mean that you need the foresight to always copy the password into the paste buffer just before locking your iPad...

An old problem. Solution seems simple.

It's called a scrambled keypad.

http://www.pcscsecurity.com/scramble-keypad-sp-100

This can be easily implemented on iPad, iPhones, or any touch screen device. It probably should.

Re:An old problem. Solution seems simple.

[Agent0013]

From that page:

An audible alarm signals when a button is depressed

Wouldn't it be great if the alarm sound had a different tone for each number pressed, kind of like a telephone?

Scandleous!

[cultiv8]

OSS used for foul play, off with their heads!

Re:Put it to work for you

[AK+Marc]

"Luck" and "open"?

Very unimpressive demo video, keys easily visible

[AC-x]

That has to be one of the least impressive video demonstrations I've seen, it probably would have been quicker to frame advance the video manually and type the easily visible key presses by hand.

If this program could decode key presses from further away where keys are no-longer easily distinguishable by eye then I would be impressed.

Uh...

[Syberz]

Wouldn't it be easier and less obvious to just glance over someone's shoulder instead of standing there with your iPhone in your hand?

Or time coded keys

[Kamiza+Ikioi]

Better yet, using a time code like Google Authenticator. Ok, you have my password and my timecode. You now have 60 seconds to use it, and diddly squat after that. (Of course, if you just use a HEX time code and no password with non-visible shared secret, you're even more secure.)

The best security is something you can do regardless of who is watching, for instance even a USB time-coded key generator. Of course, your concern then is to keep the key generator from being stolen.

Re:RUBBER HOSE STILL #1 !!

[colinrichardday]

If it worked for Vinnie Barbarino, then why didn't John Travolta try that in Swordfish?