Exploiting the iPad's Glowing Keyboard
nonprofiteer writes "Earlier this week, a South African security researcher released shoulderPad, an app that's designed to auto-snoop on iPad users' passwords by watching their touchscreen keyboards. When a user types on an iPad's touchscreen, each key glows blue for a fraction of a second after it's struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad's image recognition algorithms, based on OpenCV's open source image recognition software, look for that flash of blue. 'At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,' says Meer."
Oh great (Score:2)
One more thing to warn my informatics students about.
Re: (Score:2)
But this is an old technique, you should have warned them about it anyway. I.e., someone looking over your shoulder at the ATM to get your PIN number, or watching you obliquely as you type a password, or telescopes watching your screen from the next building (or even picking up the noise from a CRT and decoding that, which has been done).
Re: (Score:2)
I've warned them about shoulder surfing, but I wasn't paranoid enough.
Re: (Score:1)
I always enter my pin number when I go to an atm machine.
Re: (Score:2)
Whoosh!
Re: (Score:2)
The parent poster made a joke.
Exhibit A:
Notice how he is exaggerating the fact that the word "pin" already has "number" in it by repeating the error with "atm," which already has "machine" in it.
Your response seemed to imply that he didn't know this by pointing it out expressly.
-dZ.
(Score:-1, Redundant)
I'm not sure if this is ironic or oddly appropriate.
thisius whaIUNTJA,JMAIERUYHNEEEDTO knoiw (Score:3, Funny)
Wewi naotallowkitkjnm0potkje nitoine notone ever yiyu betcha! goatsexunhj,q *N& and fuuuuuuuuuuuc83yh89ynkHPHPHPH penus dofrg!!!!!!!!!!!!
Security Enhancement (Score:5, Funny)
Enable the iPad camera and feed a video window on the login screen so you can see who's looking over your shoulder.
Re:Security Enhancement (Score:5, Funny)
Re: (Score:2)
And all jokes have to be analyzed and have all their flaws explained
It's not even that hard (Score:4, Insightful)
To make it easier to catch typos, secure text fields on iOS persistently display the most recent character typed (and hide it when you type the next one). If you're already recording video of the iPad screen, why not just look for that?
Re: (Score:3)
What good would the reflected glow do? That only tells you that a key got pressed, not which one. The app in question here seems rather trivial, all it does is detect which key was pressed by looking for the blue highlight on the key, it still needs to have a completely free view onto the keyboard to see which key that was and when you have that free a view, you can see the users hand hitting the keys anyway. The only interesting thing seems to be that it is easier to automate the detection of the blue keys
Re: (Score:2)
It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.
You don't have to look at the password field. There is a much better, larger and more readable alternative. When you press a key an enlarged version of the key momentarily hovers above your finger to give you feedback on what you just pressed. Your finger is covering the smaller lettering on the keyboard and the glow.
Re: (Score:2)
On an Android tablet, that feature can be turned off (I assume it's the same on an iPad).
Re:It's not even that hard (Score:4, Informative)
Being serious doesn't make it true. Even the iPhone 3G was given the feature quite some time ago.
Re: (Score:1)
You can change it, but only between the limited ringtones made available by Apple. You cannot personalize it with your own.
Re: (Score:2)
Being serious doesn't make it true. Even the iPhone 3G was given the feature quite some time ago.
Wrong [idg.com.au]. You can pick between the 6, as I noted before, and iOS5 will allow it, but you currently cannot add new ones without jailbreaking.
And again, why wasn't it there from the start. You're saying you couldn't even change between those 6 at one point? That's absurd.
Re: (Score:2, Insightful)
Dude, Apple doesn't charge a dime for new OSes.
The rest is true of course.
Re: (Score:2)
Except for all those other parts that are also untrue. Ie, the part about not being able to change SMS tones. That's what we call in the business as "a lie".
Re: (Score:1)
If you read the full post, it is referring to the fact that you cannot *change* the iphone's SMS tones. You can *select* between the six tones Apple provides, but you cannot *change* any of those tones to one of your own choosing without first jailbreaking the phone.
Re: (Score:2)
There's a word here that describes what you're missing: Context.
Re: (Score:2)
I can change my SMS tone and I have an iPhone 3G (i.e., comparatively ancient). I also have a totally custom ringtone (from TMBG) which I did not have to buy through iTunes or anything.
Also, Apple charges for iOS updates? Wow. That's news to me! Where did you find that bit of exclusive, new information?
Re: (Score:2)
I also have an iPhone 3G (3GS if we're being pedantic). So could you tell me how to *change* my SMS tone to one of my own choosing without jailbreaking the phone? Because all mine lets me do is *select* from the six tones that Apple put on the phone.
Re: (Score:2, Informative)
I never owned an iphone but I was curious.
and WTF, the way to change tones seems to be:
1. jailbreak the thing
2. convert your custom tone to AIFF
3. ssh to the phone
4. in /system/library/audio/uisounds overwrite the original files with your own file
*very* convenient, I still can't believe it
Re: (Score:2)
You're going for the overly semantic argument - you know damn well that the OP was talking about the fact that everyone uses the Tritone sound. You can change it to another sound that is included with the phone, where the dictionary definition is "alter to become something else".
While you can't swap them for custom tones (unlike the ringtones) you can *change* them between the presets.
Re: (Score:2)
You're going for the overly semantic argument - you know damn well that the OP was talking about the fact that everyone uses the Tritone sound.
That wasn't what I was talking about actually. If you notice, I wrote
"You want your iphone to play something besides the 6 included tones for a text message alert?"
6 preset options is nothing when nearly every other smartphone, and even many dumbphones, your options are infinite.
Also, Apple charges for iOS updates? Wow. That's news to me! Where did you find that bit of exclusive, new information?
It does appear I was outdated. They did charge for OS updates at one point, and I was sure I heard that initially iOS4 would cost, but Wiki informs me that as of OS4, apple was no longer charging for updates. I'm not sure if the ipad is included in that [wired.com] or if that too is outdated. But you're right. I maligned apple, th
Re: (Score:2)
I also have an iPhone 3G (3GS if we're being pedantic). So could you tell me how to *change* my SMS tone to one of my own choosing without jailbreaking the phone? Because all mine lets me do is *select* from the six tones that Apple put on the phone.
The iPhone doesn't even let you *change* times in the alarm application. All they let you do is *select* from a predefined set of times. Crazy.
Re: (Score:2)
My Android phone allows the complete password to be visible when typing (which is convenient, and unless you're in a public space not really insecure to begin with), while by default it will only show the latest letter entered for a few seconds so you can see if it's the right one, hiding it after a few seconds, or when you enter the next character. So very similar to the iPhone.
I have never seen this as a serious security issue. I'd say it's not exactly worse than looking at someone typing on a physical k
Re:It's not even that hard (Score:4, Interesting)
Schneier wrote some time ago about the advantages of visible passwords [schneier.com]. One (small) shitstorm later he compiled an interesting pro/con list [schneier.com].
Re: (Score:1)
The character is changed to a dot after a delay or after the next character is typed.
Or time coded keys (Score:2)
Better yet, using a time code like Google Authenticator. Ok, you have my password and my timecode. You now have 60 seconds to use it, and diddly squat after that. (Of course, if you just use a HEX time code and no password with non-visible shared secret, you're even more secure.)
The best security is something you can do regardless of who is watching, for instance even a USB time-coded key generator. Of course, your concern then is to keep the key generator from being stolen.
Re: (Score:2, Insightful)
> Nice twisting of reality here to make a story, reporters. Touchscreen devices of all varieties have been doing this for years. Even PalmOS was inverting the onscreen keys as you pressed them
You are the one twisting reality. Good stuff on the iPad = invented by Apple. Bad stuff on the iPad = same problem with all the other products in the universe but the other products are actually worse because they had it before and nobody fixed it.
This being said, it is a good thing you posted this as AC, otherwise
Re: (Score:1)
And by contrast, MS has visual feedback disabled on their virtual keyboards on the tablet editions of Windows. (Primarily for convertible tablets... remember those?)
Bizarro world, huh?
Re: (Score:1)
MS has visual feedback disabled on their virtual keyboards
Just for clarification, I meant to say "on password screens". It's off for the login screen and I think anything else the app reports is a password box.
Does no one here have an iPad? (Score:1)
This whole story is completely false.
The iPad keyboard is not black, neither does it do a blue glow.
iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as seen in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.
Re: (Score:2)
This whole story is completely false.
The iPad keyboard is not black, neither does it do a blue glow.
iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as seen in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.
Have you looked at the keyboard of the lockscreen with an alphanumeric password? No? Of course not, because you posted this so you can't possibly have.
Article and Video is misleading (Score:2)
Re: (Score:2)
The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.
Unless you actually try the situation shown in the article.
Re: (Score:2)
If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there actually echoes whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over the keyboard.
Do you have an ipad? Did you watch the video in the article? How about you have a look at the video, it shows that both your posts are wrong. Yes the keyboard is that colour and no the text doesn't flash up in the text entry box.
Re: (Score:2)
Yes, I tested it all out
Oh come on, you started by saying the keyboard wasn't black!
On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.
And you're running what version with what settings?
Re: (Score:2)
The person claims this on page 3:
We have long realized the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rare to find an application that fails to mask passwords on screen. Even the iDevices (which we examine below) mask passwords by default. We take the fact that password masking is so ubiquitous as the obvious acknowledgement of the shoulder surfing as a viable attack method.
Wait... T
Re: (Score:2)
My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.
That's because it is already masked which is what he said, so of course the only way to capture it is to determine what keys were pressed. How else are you going to capture the password?
Re: (Score:2)
No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate [imgur.com] (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.
And you are just running to the assumption that it is doctored video as opposed to say iOS5?
Re: (Score:2)
I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon [imgur.com]
Probably because it's the new version of the OS and that even if they introduce this feature of masking the keys completely there is still a vulnerability. Anyway it seems you're just trying to pull this article apart with whatever you can, albeit with no actual facts. First it's the keyboard (incorrect), then the password showing up (which is likely in the next OS version) and also the fact that they state in the article that you can do this over long distances where obviously the spatial position of a blu
Re: (Score:2)
I'm sorry are you the person behind this video?
No, obviously if I was I would be able to say what the version the iPad in the video was running, wouldn't I.
Yes, I do like to pull an article apart to see the validity of the claims.
But your claims don't seem to actually be refuting the article because you don't have any facts. I personally wouldn't go calling something 'bogus' or their claims 'incorrect' unless my personal experience was actually replicating that of the article, and you certainly cannot say that yours is.
As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that.
Your experience is clearly an invalid basis for you to be calling it bogus then isn't it.
The letters that show up are huge, it's very very easy to read it off
At what distance?
But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).
Or
Re: (Score:2)
Video is of IOS 4.3+ not 5. As the new version has a message center on that lock screen now.
but the message center is only there if you have messages.
Re: (Score:2)
Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?).
No, I don't run iOS5, I guess you could find plenty of videos and pictures if you google though.
Also, it's already been claimed this is iOS 4.3.x above.
Yet the message center is only visible if you have messages, so that claim is baseless too.
No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.
What are these 'holes' that you're suggesting it has? Let's assume for a minute that the letters do show up, what difference does that actually make?
It's still clear your claims of these things being 'bogus' and 'incorrect' are baseless, I'm all for dissecting these kinds of studies but I would not start making claims unless
Re: (Score:2)
Can you show a screen of the iOS you run and password entry? I'd rather he showed these videos [youtube.com] but it does
Re: (Score:2)
I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.
But that is obviously flawed given that you don't know what version of iOS he is running and you yourself can't say what the behavior is in iOS5.
Can you show a screen of the iOS you run and password entry?
Huh? I already told you I don't run iOS 5, I run 4.3.3 and I see the same thing as you do. So since I don't run iOS 5 I don't know if his assertion regarding password entry masking is correct or not, and neither can you. He even clarified for situations where the masking is not in effect that his solution likely works over greater distances (though he didn't specif
Re: (Score:2)
The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device.
Of course, that's hardly sensationalist though, when the tablet market is vastly dominated by the iPad I'd say that's the logical choice for a demonstration.
And.... best of all it can be adapted to work on even physical keyboards.
Not if they aren't lit, which most aren't. Yet as you say this works on almost all tablet computers assuming you have the keyboard layout.
Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.
So he shouldn't have done this because something different would have been more impressive...now you're just clutching at straws.
Re: (Score:1)
Jesus rude fuck is rude... He was polite to you the whole time, you tried flame-baiting him. Even when you agree with what he said you flamed him at the end. What a jackass. I'm impressed the low ID kept his cool. Also that's iOS 4.3.3 with jailbreak mod that hides crap.
The guy who called the study 'bogus' and 'incorrect' without any facts while making numerous errors on his own part? That's about as much of a jackass as you can be. pfftt...and nice try, pretty obvious you're just posting as AC, lame.
Video may be bogus, but point is valid (Score:4, Insightful)
While this is not a unique problem to the iPad, since it is the 800 pound gorilla in the room it deservedly gets the attention.
Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?), or whether this particular demo games the system a bit, is somewhat irrelevant. With both smartphones and tablets it's much easier to snoop someone's password. Most people don't seem to think about security at all when they're typing their login information in public on an iPad or smart phone, so shoulder snooping is easy; and the "display the most recent letter pressed" gimmick used by both iOS and Android provides yet another possible attack vector.
I used to be very much against letting a computer or other device save my passwords; but I'm beginning to think - with portable devices anyway - there's value in doing so. Of course, if you lose the device you're screwed...
And there's still the additional problem where a lot of wifi hotspots aren't secured, so you need to be doubly sure of the site security (e.g. https) for any website you might log into.
Re: (Score:2)
Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?)
It's the keyboard for the alphanumeric passcode lock screen entry, it's been that way for quite some time.
Re: (Score:2)
I have an Android phone, but I assume my method works just as well for iOS and tablets.
Step 1) Store all of your passwords in KeePass
Step 2) Make a long and complex password for your KeePass file, using non-alphanumerics, whitespace, repeated characters and look-alike characters. No one looking over your shoulder will memorize "S0l|ll x####ffe3EE zxp5", unless they get hi-res video of you typing it in.
Step 3) Use the DropBox app to sync your password file to your phone
Step 4) Run the KeePass app in th
Re: (Score:2)
I was about to say that you can't paste into the screen unlock field - but you can! - and no flashes, or text reveals.
This does however mean that you need the foresight to always copy the password into the paste buffer just before locking your iPad...
An old problem. Solution seems simple. (Score:1)
It's called a scrambled keypad.
http://www.pcscsecurity.com/scramble-keypad-sp-100 [pcscsecurity.com]
This can be easily implemented on iPad, iPhones, or any touch screen device. It probably should.
Re: (Score:1)
From that page:
An audible alarm signals when a button is depressed
Wouldn't it be great if the alarm sound had a different tone for each number pressed, kind of like a telephone?
Scandleous! (Score:2)
Very unimpressive demo video, keys easily visible (Score:2)
That has to be one of the least impressive video demonstrations I've seen, it probably would have been quicker to frame advance the video manually and type the easily visible key presses by hand.
If this program could decode key presses from further away where keys are no longer easily distinguishable by eye then I would be impressed.
Uh... (Score:2)
Re: (Score:1)
A rubber hose is the fast, most sure-fire way to get any info out of any body, dead or alive !!
Up your nose with a rubber hose brings back such fond mammories !!
You have a rather strange sex life. And thank you, no, you don't have to add any additional details.
Re: (Score:2)
If it worked for Vinnie Barbarino, then why didn't John Travolta try that in Swordfish?