iPad App Reads Passwords, Exposes Flaws in Asterisk Protection
By Elizabeth Fish
When you type sensitive information into a website, you know that pretty much every site masks passwords. One reason for this is to stop people from snooping over your shoulder and stealing your logins. However, a security researcher has figured out a way of seeing past password masks.
Haroon Meer built a proof-of-concept iPad app, nicknamed shoulderPad, to show that hiding information behind asterisks won’t stop every nearby snooper from “shoulder surfing”. The app uses the iPad 2’s camera and is able to harvest information from the screens of other iPads and iPhones.
Here’s how it works: Hold the iPad up to the victim’s screen as they begin typing, look inconspicuous, and the app will be able to relay the person’s valuable information. The iPad can do this because when you type on the iOS keyboard, the pressed key is briefly highlighted. ShoulderPad uses image recognition algorithms to trace where the blue highlight appears on the screen, and then accurately guesses which key was pressed.
Thankfully, Haroon is not offering the app to the public, seeing the damage that such technology could cause in the wrong hands. However, it is an eye opener in case you were ever wondering just how safe your information is as you type it out. For those thinking it may be time to get rid of your iOS devices, it’s not just a potential flaw with Apple touchscreen products: researchers at an Italian company have also discovered a similar over-shoulder trick, which can pick up keyboards on Android and BlackBerry smartphones too.
Until touchscreen phones stop highlighting keys as they are touched, maybe next time you are inputting a password, you should take a quick glance over your shoulder.
Check out more information about Haroon’s app, or check out the video of the app in action.