Forgot your password?
typodupeerror
Handhelds Security Apple

Exploiting the iPad's Glowing Keyboard 127

Posted by timothy
from the easy-solution-turn-off-screen dept.
nonprofiteer writes "Earlier this week, a South African security researcher released shoulderPad, an app that's designed to auto-snoop on iPad users' passwords by watching their touchscreen keyboards. When a user types on an iPad's touchscreen, each key glows blue for a fraction of a second after it's struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad's image recognition algorithms, based on Open CV's open source image recognition software, look for that flash of blue. 'At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,' says Meer."
This discussion has been archived. No new comments can be posted.

Exploiting the iPad's Glowing Keyboard

Comments Filter:
  • One more thing to warn my informatics students about.

    • by Darinbob (1142669)

      But this is an old technique, you should have warned them about it anyway. Ie, someone looking over shoulder at the ATM to get PIN number, or watching you obliquely as you type a password, or telescopes watching your screen from the next building (or even picking up the noise from a CRT and decoding that, which has been done).

      • I've warned them about shoulder surfing, but I wasn't paranoid enough.

  • by For a Free Internet (1594621) on Thursday July 14, 2011 @11:26PM (#36771562)

    Wewi naotallowkitkjnm0potkje nitoine notone ever yiyu betcha! goatsexunhj,q *N& and fuuuuuuuuuuuc83yh89ynkHPHPHPH penus dofrg!!!!!!!!!!!!

  • by PPH (736903) on Thursday July 14, 2011 @11:32PM (#36771598)

    Enable the iPad camera and feed a video window on the login screen so you can see who's looking over your shoulder.

  • by Anonymous Coward on Thursday July 14, 2011 @11:36PM (#36771620)

    To make it easier to catch typos, secure text fields on iOS persistently display the most recent character typed (and hide it when you type the next one). If you're already recording video of the iPad screen, why not just look for that?

    • by FooAtWFU (699187)
      It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.
      • by gnapster (1401889)
        "Yes, of course Angry Birds is easier to play when the camera's pointing at your iPad. What? Don't be ridiculous! I'm not watching you type in your password, I'm playing Angry Birds. The nerve!"
      • by grumbel (592662)

        What good would the reflected glow do? That only tells you that a key got pressed, not which one. The app in question here seems rather trivial, all it does is detect which key was pressed by looking for the blue highlight on the key, it still needs to have a completely free view onto the keyboard to see which key that was and when you have that free a view, you can see the users hand hitting the keys anyway. The only interesting thing seems to be that it is easier to automate the detection of the blue keys

      • by perpenso (1613749)

        It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.

        You don't have to look at the password field. There is a much better, larger and more readable alternative. When you press a key an enlarged version of the key momentarily hovers above your finger to give you feedback on what you just pressed. Your finger is covering the smaller lettering on he keyboard and the glow.

        • by RMingin (985478)
          Wrong. The iPod and iPhone pop up the keys, the iPad only glows them blue for a split second. The only time an app will do that popping keys nonsense on an iPad is if it's not universal, and running in iPhone mode.
    • On an Android tablet, that feature can be turned off (I assume it's the same on an iPad).

    • by wvmarle (1070040)

      My Android phone allows the complete password to be visible when typing (which is convenient, and unless you're in a public space not really insecure to begin with), while by default it will only show the latest letter entered for a few seconds so you can see if it's the right one, hiding it after a few seconds, or when you enter the next character. So very similar to the iPhone.

      I have never seen this as a serious security issue. I'd say it's not exactly worse than looking at someone typing on a physical k

    • by Rigrig (922033)
      Because determining which part of the keyboard lights up is much easier than OCRing a much smaller character. A video could easily be low-res/blurry enough to make reading that character impossible, while the blue flashes would still be recognizable.
    • by Dog-Cow (21281)

      The character is changed to a dot after a delay or after the next character is typed.

    • Better yet, using a time code like Google Authenticator. Ok, you have my password and my timecode. You now have 60 seconds to use it, and diddly squat after that. (Of course, if you just use a HEX time code and no password with non-visible shared secret, you're even more secure.)

      The best security is something you can do regardless of who is watching, for instance even a USB time-coded key generator. Of course, your concern then is to keep the key generator from being stolen.

  • by Anonymous Coward

    This whole story is completely false.

    The iPad keybord is not black, neither does it do a blue glow.

    iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as see in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.

    • by exomondo (1725132)

      This whole story is completely false.

      The iPad keybord is not black, neither does it do a blue glow.

      iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as see in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.

      Have you looked at the keyboard of the lockscreen with an alphanumeric password? No? Of course not, because you posted this so you can't possibly have.

  • The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.
    • by exomondo (1725132)

      The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

      Unless you actually try the situation shown in the article.

      • by doomy (7461)
        If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.
        • by exomondo (1725132)

          If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.

          Do you have an ipad? Did you watch the video in the article? How about you have a look at the video, it shows that both your posts are wrong. Yes the keyboard is that colour and no the text doesn't flash up in the text entry box.

          • by doomy (7461)
            Yes, I tested it all out, there was no need for this extensive demonstration, as the assertion that password masking is completely hidden by default is incorrect (which is why they did the 2nd method). Their video's password entry does not work as it does on default on my iPad. On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.
            • by exomondo (1725132)

              Yes, I tested it all out

              Oh come on, you started by saying the keyboard wasn't black!

              On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

              And you're running what version with what settings?

              • by doomy (7461)
                Come over to here [slashdot.org]. We are having the same conversation in two branches. I'm on 4.3.3, default settings with non-simple password entry as I said before.
  • by 93 Escort Wagon (326346) on Friday July 15, 2011 @12:26AM (#36771890)

    While this is not a unique problem to the iPad, since it is the 800 pound gorilla in the room it deservedly gets the attention.

    Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?), or whether this particular demo games the system a bit, is somewhat irrelevant. With both smartphones and tablets it's much easier to snoop someone's password. Most people don't seem to think about security at all when they're typing their login information in public on an iPad or smart phone, so shoulder snooping is easy; and the "display the most recent letter pressed" gimmick used by both iOS and Android provides yet another possible attack vector.

    I used to be very much against letting a computer or other device save my passwords; but I'm beginning to think - with portable devices anyway - there's value in doing so. Of course, if you lose the device you're screwed...

    And there's still the additional problem where a lot of wifi hotspots aren't secured, so you need to be doubly sure of the site security (e.g. https) for any website you might log into.

    • by exomondo (1725132)

      Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?)

      It's the keyboard for the alphanumeric passcode lock screen entry, it's been that way for quite some time.

    • by artor3 (1344997)

      I have an Android phone, but I assume my method works just as well for iOS and tablets.

      Step 1) Store all of your passwords in KeePass
      Step 2) Make a long and complex password for your KeePass file, using non-alphanumerics, whitespace, repeated characters and look-alike characters. No one looking over your shoulder will memorize "S0l|ll x####ffe3EE zxp5", unless they get hi-res video of you typing it in.
      Step 3) Use the DropBox app to sync your password file to your phone
      Step 4) Run the KeePass app in th

      • I was about to say that you can't paste into the screen unlock field - but you can! - and no flashes, or text reveals.

        This does however mean that you need the foresight to always copy the password into the paste buffer just before locking your iPad...

  • by Anonymous Coward

    It's called a scrambled keypad.

    http://www.pcscsecurity.com/scramble-keypad-sp-100 [pcscsecurity.com]

    This can be easily implemented on iPad, iPhones, or any touch screen device. It probably should.

    • by Agent0013 (828350)

      From that page:

      An audible alarm signals when a button is depressed

      Wouldn't it be great if the alarm sound had a different tone for each number pressed, kind of like a telephone?

  • OSS used for foul play, off with their heads!
  • That has to be one of the least impressive video demonstrations I've seen, it probably would have been quicker to frame advance the video manually and type the easily visible key presses by hand.

    If this program could decode key presses from further away where keys are no-longer easily distinguishable by eye then I would be impressed.

  • by Syberz (1170343)
    Wouldn't it be easier and less obvious to just glance over someone's shoulder instead of standing there with your iPhone in your hand?

There are worse things in life than death. Have you ever spent an evening with an insurance salesman? -- Woody Allen

Working...