Google Glass Can Be Used To Steal Your Passcodes
Criticism of Google Glass has become so habitual I almost feel guilty smirking at each new story that makes Glass look even worse, again. Google is having one of the worst marketing campaigns in its history, and only a small fraction of society is willing to embrace the new technology from the big G. The rest of humanity seems to cling to the outdated, rudimentary and purely nominal notion of privacy.
This time it is serious, though. Google Glass's capability to surreptitiously record everything around it makes it possible to steal anyone's passcode, even if Glass does not record the device's screen with the numbers. Security researchers and students at the University of Massachusetts developed software capable of automatically deciphering the passcode of users from the footage captured by Google Glass of people unlocking their smartphones, even in cases when the screen of the device was far from being visible.
What the program needs in order to recover the code is the pattern of finger movements. In fact, the program can even reproduce a short text message or email, so a Glass wearer does not have to be peeking from behind your shoulder. He or she can sit safely across the table, or stand a few meters away from you, without even looking at you. If you are within the camera's angle and it is on, which you can never know, its footage is enough to hack your passcode and gain access to your device. "We could get your bank account password," Xinwen Fu said.
Again, the face-mounted camera emerges as a major privacy, and now security, threat. It would be fair to mention that the same software works with footage from webcams, smartphone cameras, camcorders and surveillance cameras, but Glass seems to be the most invasive of them, taking shoulder surfing to new heights of efficiency.
Three meters away from the victim, the software delivers over 90% accuracy in reproducing a 4-digit passcode entered through the iPhone's QWERTY keyboard. Camcorders deliver even more impressive results - 44 meters away, on a fourth floor balcony and across the street from the victim, an attacker with a camcorder was able to capture footage clear enough for the program to deliver 100% accuracy in deciphering the passcode.
The main challenges here are to identify the device itself (manufacturer, screen orientation), to have a more or less clear view of the position of the victim's fingers when tapping, and to know the keyboard layout. The program analyzes these parameters in no time and delivers impressive results with a high rate of accuracy. The iOS QWERTY keyboard seems to be at a high risk of being hacked because its layout is the same on all iOS devices.
Since the findings reported by Qinggang Yue, Zhen Ling and Xinwen Fu at the Black Hat Conference involve not just the relatively rare Google Glass but a wide range of camera-enabled devices, the threat is real. The same researchers suggested that users use a different keyboard, and even introduced a project of their own - the Privacy Enhancing Keyboard, which generates a randomized keyboard layout for Android devices. Changing the keyboard layout from the predictable QWERTY solves the problem for now. Another piece of advice Yue gave to users is simply to put your other hand in front of your device to conceal your finger movement, or to enter your passcode in private.
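The effect of a randomized layout can be shown with a small simulation. This is an added illustration, not code from the researchers' Privacy Enhancing Keyboard or from the original article; the ten-slot digit pad, the observer model, the function names and the sample PIN are all assumptions made for the example.

```python
import secrets

FIXED_LAYOUT = "1234567890"  # slot i always shows the same digit (assumed pad order)


def randomized_layout(digits: str = FIXED_LAYOUT) -> str:
    """Return the digits in a fresh random slot order (Fisher-Yates, CSPRNG)."""
    keys = list(digits)
    for i in range(len(keys) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        keys[i], keys[j] = keys[j], keys[i]
    return "".join(keys)


def tap_positions(pin: str, layout: str) -> list[int]:
    """What the camera sees: the slot touched for each digit, not the digit."""
    return [layout.index(d) for d in pin]


def observer_guess(positions: list[int], assumed_layout: str = FIXED_LAYOUT) -> str:
    """Observer with no view of the screen maps slots onto the layout they expect."""
    return "".join(assumed_layout[p] for p in positions)


def recovery_rate(pin: str, trials: int, randomize: bool) -> float:
    """Fraction of unlocks in which the position-only observer recovers the PIN."""
    hits = 0
    for _ in range(trials):
        # A fresh layout is drawn for every unlock when randomize is True.
        layout = randomized_layout() if randomize else FIXED_LAYOUT
        if observer_guess(tap_positions(pin, layout)) == pin:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    print("fixed layout     :", recovery_rate(pin, 1000, randomize=False))
    print("randomized layout:", recovery_rate(pin, 1000, randomize=True))
    # Caveat: repeated slots still reveal repeated digits (e.g. 1122), so
    # randomization hides which digits were used, not the repetition pattern.
```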
Google Glass users, in the meantime, seem to be generating more animus and reasons to keep the Glass in their pockets when attending public places. It's a funny quibble - people want to protect their privacy from Glass in public places. This Gawker piece tells a story of an infamous Glass explorer who got in the news for being victimized by Glass haters. It turns out the woman had a restraining order for peeping on her neighbors with a recording smartphone in 2012, which reminds me of one of the early, and rather mediocre, Sharon Stone movies, Sliver, where Sharon’s boyfriend turns out to be a voyeur peeking on his renters. The end scene is brilliantly applicable to Glass - Sharon shoots the entire gun magazine into William Baldwin's $6,000,000 surveillance system, and, with that unique Basic Instinct look on her face, tells him 'Get a life.'
Sources: Technology Review, PC Mag, CNN.