Exploiting the iPad's Glowing Keyboard
nonprofiteer writes "Earlier this week, a South African security researcher released shoulderPad, an app that's designed to auto-snoop on iPad users' passwords by watching their touchscreen keyboards. When a user types on an iPad's touchscreen, each key glows blue for a fraction of a second after it's struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad's image recognition algorithms, based on OpenCV's open source image recognition software, look for that flash of blue. 'At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,' says Meer."
Incredibly not amazing... (Score:0, Insightful)
This is like a hello world of opencv programs...color blob detection. Unless you're stealing shitloads of passwords...which probably isn't the case...you could just as easily watch the slowed down video. He's not even extracting what keys they're typing!?
It's not even that hard (Score:4, Insightful)
To make it easier to catch typos, secure text fields on iOS persistently display the most recent character typed (and hide it when you type the next one). If you're already recording video of the iPad screen, why not just look for that?
Re:Not just Apple (Score:2, Insightful)
> Nice twisting of reality here to make a story, reporters. Touchscreen devices of all varieties have been doing this for years. Even PalmOS was inverting the onscreen keys as you pressed them
You are the one twisting reality. Good stuff on the iPad = invented by Apple. Bad stuff on the iPad = same problem with all the other products in the universe but the other products are actually worse because they had it before and nobody fixed it.
This being said, it is a good thing you posted this as AC, otherwise people could have stolen your Slashdot password just by watching you typing it on your iPad.
Video may be bogus, but point is valid (Score:4, Insightful)
While this is not a unique problem to the iPad, since it is the 800 pound gorilla in the room it deservedly gets the attention.
Whether or not any iPad keyboard is actually black with a blue afterglow (could that be iOS 5?), or whether this particular demo games the system a bit, is somewhat irrelevant. With both smartphones and tablets it's much easier to snoop someone's password. Most people don't seem to think about security at all when they're typing their login information in public on an iPad or smartphone, so shoulder snooping is easy; and the "display the most recent letter pressed" gimmick used by both iOS and Android provides yet another possible attack vector.
I used to be very much against letting a computer or other device save my passwords; but I'm beginning to think - with portable devices anyway - there's value in doing so. Of course, if you lose the device you're screwed...
And there's still the additional problem where a lot of wifi hotspots aren't secured, so you need to be doubly sure of the site security (e.g. https) for any website you might log into.
Re:It's not even that hard (Score:2, Insightful)
Dude, Apple doesn't charge a dime for new OSes.
The rest is true of course.