Slashdot Mirror


Exploiting the iPad's Glowing Keyboard

nonprofiteer writes "Earlier this week, a South African security researcher released shoulderPad, an app that's designed to auto-snoop on iPad users' passwords by watching their touchscreen keyboards. When a user types on an iPad's touchscreen, each key glows blue for a fraction of a second after it's struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad's image recognition algorithms, based on OpenCV's open source image recognition software, look for that flash of blue. 'At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,' says Meer."


  1. thisius whaIUNTJA,JMAIERUYHNEEEDTO knoiw by For+a+Free+Internet · · Score: 3, Funny

    Wewi naotallowkitkjnm0potkje nitoine notone ever yiyu betcha! goatsexunhj,q *N& and fuuuuuuuuuuuc83yh89ynkHPHPHPH penus dofrg!!!!!!!!!!!!

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
  2. Security Enhancement by PPH · · Score: 4, Funny

    Enable the iPad camera and feed a video window on the login screen so you can see who's looking over your shoulder.

    --
    Have gnu, will travel.
    1. Re:Security Enhancement by Kenja · · Score: 5, Funny

      It's some suspicious looking guy! Man is he ugly, it's almost as if.... oh, it's me.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  3. It's not even that hard by Anonymous Coward · · Score: 4, Insightful

    To make it easier to catch typos, secure text fields on iOS persistently display the most recent character typed (and hide it when you type the next one). If you're already recording video of the iPad screen, why not just look for that?

    1. Re:It's not even that hard by grumbel · · Score: 2

      What good would the reflected glow do? That only tells you that a key got pressed, not which one. The app in question here seems rather trivial, all it does is detect which key was pressed by looking for the blue highlight on the key, it still needs to have a completely free view onto the keyboard to see which key that was and when you have that free a view, you can see the user's hand hitting the keys anyway. The only interesting thing seems to be that it is easier to automate the detection of the blue keys than it is detecting if a hand movement was a key-press or not.

    2. Re:It's not even that hard by mini+me · · Score: 3, Informative

      No, I'm serious. You can't change the SMS text tone on the iphone,

      Being serious doesn't make it true. Even the iPhone 3G was given the feature quite some time ago.

    3. Re:It's not even that hard by rbrausse · · Score: 3, Interesting

      Schneier wrote some time ago about the advantages of visible passwords. One (small) shitstorm later he compiled an interesting pro/con list.

    4. Re:It's not even that hard by Rigrig · · Score: 2

      Because determining which part of the keyboard lights up is much easier than OCRing a much smaller character. A video could easily be low-res/blurry enough to make reading that character impossible, while the blue flashes would still be recognizable.

      --
      **TODO** [X] Steal someone else's sig.
  4. Video may be bogus, but point is valid by 93+Escort+Wagon · · Score: 3, Insightful

    While this is not a unique problem to the iPad, since it is the 800 pound gorilla in the room it deservedly gets the attention.

    Whether or not any iPad keyboard is actually black with a blue afterglow (could that be iOS 5?), or whether this particular demo games the system a bit, is somewhat irrelevant. With both smartphones and tablets it's much easier to snoop someone's password. Most people don't seem to think about security at all when they're typing their login information in public on an iPad or smart phone, so shoulder snooping is easy; and the "display the most recent letter pressed" gimmick used by both iOS and Android provides yet another possible attack vector.

    I used to be very much against letting a computer or other device save my passwords; but I'm beginning to think - with portable devices anyway - there's value in doing so. Of course, if you lose the device you're screwed...

    And there's still the additional problem where a lot of wifi hotspots aren't secured, so you need to be doubly sure of the site security (e.g. https) for any website you might log into.

    --
    #DeleteChrome