Cybercriminals could tell what PIN you’re typing from over 100 feet away thanks to a new video recognition algorithm developed by researchers at the University of Massachusetts Lowell.
Computer science professor Xinwen Fu and several of his students tested the algorithms on a range of camera-powered devices including Google Glass, an iPhone 5 and a Logitech webcam, with remarkable results, according to Wired.
The Google headgear could apparently detect a four-digit passcode three meters away with 83% accuracy, about the same as a Samsung smartwatch. The webcam got it 92% of the time and the iPhone 5 managed it every time thanks to its sharp camera, according to the report.
“I think of this as a kind of alert about Google Glass, smartwatches, all these devices. If someone can take a video of you typing on the screen, you lose everything,” Fu told the tech site.
“Any camera works, but you can’t hold your iPhone over someone to do this. Because Glass is on your head, it’s perfect for this kind of sneaky attack.”
The algorithm works by detecting the shadows that fall from a user’s finger as they enter the PIN, meaning a snooper doesn’t even need to see the display.
Google, which has come under fire recently for the potentially privacy-invading characteristics of its futuristic head-mounted Glass-wear, rebuffed the findings.
“Unfortunately, stealing passwords by watching people as they type them…is nothing new,” a spokesman said.
“We designed Glass with privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.”
It’s not just about Google Glass, though, according to the research. With a hi-def camera a user’s PIN could be stolen from as far away as 150 feet, according to the report.
The University of Massachusetts Lowell boffins are planning to release a commercial product on the back of their research.
After presenting their findings at Black Hat in August, they’re apparently set to release a Privacy Enhancing Keyboard (PEK) app to Google Play, which will randomize the layout of a phone/tablet lockscreen keyboard – rendering the algorithm virtually useless.
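Why a randomized layout blunts this kind of observation can be shown with a small model. The following is an added example, not code from the researchers or the PEK app: it assumes a ten-key pad, a layout reshuffled on every entry, and an observer who recovers only where the finger lands and maps those positions onto the standard layout. All function names and the sample PIN are constructed for illustration.

```python
import secrets

# Key slots 0-9 in reading order; this is the fixed layout an observer assumes.
STANDARD = list("1234567890")
_rng = secrets.SystemRandom()  # OS CSPRNG, so layouts are not predictable


def random_layout():
    """Return the ten digits in a fresh random slot order."""
    layout = STANDARD[:]
    _rng.shuffle(layout)
    return layout


def touches_for(pin, layout):
    """Slot indices the finger touches when entering `pin` on `layout`."""
    return [layout.index(d) for d in pin]


def observer_decode(slots):
    """What a position-only observer infers, assuming the standard layout."""
    return "".join(STANDARD[s] for s in slots)


def recovery_rate(pin, trials=2000):
    """Fraction of entries where the observer's guess equals the real PIN."""
    hits = sum(
        observer_decode(touches_for(pin, random_layout())) == pin
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    pin = "4071"  # constructed sample PIN
    print("fixed layout guess :", observer_decode(touches_for(pin, STANDARD)))
    print("shuffled layout hit rate:", recovery_rate(pin))
```

On the fixed layout the touch positions give the PIN back directly; with a fresh shuffle per entry, a four-digit PIN with distinct digits is matched by position alone only about once in 5,040 entries.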
Charles Sweeney, CEO of web filtering company Bloxx, argued that the findings won’t be of major concern to the market, given that Google Glass and similar technologies are relatively rare at the moment.
“But their time for mass adoption will come and I think the research underlines the need for how we identify ourselves when logging into devices or applications to change,” he told Infosecurity.
“If we think that passwords are outdated and insecure now, the new technologies that signal the next era of digital will lay all their flaws bare. To embrace new technologies we need wholesale change – passwords have to go.”