posted by LaminatorX on Wednesday June 25 2014, @03:24AM
from the Peak-Peeking dept.

The odds are you can't make out the PIN of that guy with the sun glaring obliquely off his iPad's screen across the coffee shop. But if he's wearing Google Glass or a smartwatch, he probably can see yours.

Researchers at the University of Massachusetts Lowell found they could use video from wearables like Google Glass and the Samsung smartwatch to surreptitiously pick up four-digit PIN codes typed onto an iPad from almost 10 feet away -- and from nearly 150 feet with a high-def camcorder. Their software, which used a custom-coded video recognition algorithm that tracks the shadows from finger taps, could spot the codes even when the video didn't capture any images on the target devices' displays.

  • (Score: 3, Informative) by Foobar Bazbot on Wednesday June 25 2014, @04:50AM

    by Foobar Bazbot (37) on Wednesday June 25 2014, @04:50AM (#59685) Journal

    But if he's wearing Google Glass or a smartwatch, he probably can see yours.

    Or a pen-cam [amazon.com], or a hat-cam [amazon.com], or a glasses-cam [amazon.com] (which have been available for years without the added display that makes for Glass), or a watch-cam [amazon.com] (again, predating smartwatches, at least in the current definition, by years), etc. Or even the old face-to-the-left,-hold-cameraphone-to-right-ear dodge. (Periodically take it down to push a button; interaction with a tone-driven computer menu is much easier to fake convincingly than a voice conversation.) Anyway, an honest headline would be more like "Wearable Camera Snoopers Can Steal Your Passcode With A Glance".

    This isn't to denigrate the research at all -- it might seem a little obvious to some of us that that's feasible, but it's good to have someone implement it and give us some numbers, and kudos to them for also developing a mitigation (see my other comment [soylentnews.org]). My point is that the headline mentioning only Google Glass is bad reporting -- at best, it's a shameless clickbait using a "hot" term instead of the most accurate, and at worst an attempt to manipulate opinion about Glass by implying the problem is unique to Glass. Of course, it's Wired, so it's not like anyone expected better of them, but it could stand to be rewritten for SN.

  • (Score: 2) by Tork on Wednesday June 25 2014, @05:42AM

    by Tork (3914) Subscriber Badge on Wednesday June 25 2014, @05:42AM (#59699)
    "Or a pen-cam, or a hat-cam, or a glasses-cam (which have been available for years without the added display that makes for Glass)..."

    Ah, so you're saying that in a line of 20 people behind you at the ATM, at least 18 of them have a pen cam, hat cam, glasses cam, or watch cam aimed at you?
    --
    🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by choose another one on Wednesday June 25 2014, @08:58AM

      by choose another one (515) Subscriber Badge on Wednesday June 25 2014, @08:58AM (#59745)

      Ah, so you're saying that in a line of 20 people behind you at the ATM, at least 18 of them have a pen cam, hat cam, glasses cam, or watch cam aimed at you?

      Where do you go where 18 of them have Google Glass? Point is you can see someone using Glass, but not necessarily the other options.

      Also, the researchers got good accuracy 150ft away using an HD camcorder, and remember they were looking at non-fixed targets (tablets, phones). With tripod and decent optics, I bet you could target a fixed keyboard like an ATM from a _lot_ further away.

      How many windows overlook your ATM? Within 150ft? Within 500ft? Why focus on the low-res low-quality close-in-only Google Glass result?

      • (Score: 2) by jimshatt on Wednesday June 25 2014, @09:27AM

        by jimshatt (978) on Wednesday June 25 2014, @09:27AM (#59756) Journal
        The problem with fixed cams on targets like ATMs is that the situation will probably be investigated after a few police reports, possibly resulting in getting caught. Mobile cams have a much greater operational range.

        A problem I see with the random digit keypads (as proposed earlier) is that it will take you a longer time typing in the number, and maybe exposing more clearly what you type in because you have to look at the keypad. Now I just wave my hand over the keypad, using the other hand as a shield. I still like the idea though.
      • (Score: 2) by Tork on Wednesday June 25 2014, @05:39PM

        by Tork (3914) Subscriber Badge on Wednesday June 25 2014, @05:39PM (#59979)
        "Where do you go where 18 of them have Google Glass?"

        What do you think will happen if they take off?

        "Point is you can see someone using Glass, but not necessarily the other options."

        What you can't see is if they're recording.
        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by Foobar Bazbot on Wednesday June 25 2014, @06:26PM

      by Foobar Bazbot (37) on Wednesday June 25 2014, @06:26PM (#60005) Journal

      Not sure what ATMs have to do with it -- TFA and TFS both talk about reading passcodes entered on touchscreens, subject to such viewing angles and light conditions that the screen is not readable. All the ATMs around here use physical keypads, so this attack isn't even necessary. Moreover, without installing a skimmer on the ATM's slot to read your card's magstripe (I assume you're in the US, where we still use old-school magnetic cards instead of smartcards), extracting your PIN wouldn't do much good. AIUI the typical approach in such cases is to mount a camera looking at the ATM's keypad at the same time you mount the skimmer, rather than to loiter in the area with any sort of camera; come back in a few days and download the results from camera and skimmer.

      Anyway, the point is, if 18 of the people in line behind you really don't have hidden cameras pointed at you now, that indicates that most people don't want to snoop your ATM PIN, tablet passcode, or whatever. Yes, if they have Google Glass on, they will have the ability to do so, but most of them still won't be doing it. The few people who are trying to read your passcode probably won't use Google Glass until it's sufficiently mainstream to not draw attention (and people are sufficiently accustomed to the "recording" light to note its absence and assume it means you really aren't recording), and at that point will be no more nor less obvious with Google Glass than they are now when using the wide range of currently available wearable hidden cameras. Since the attack is already eminently feasible with off-the-shelf hardware, Glass doesn't fundamentally change the threat, nor your response to that threat. What does (slightly) change the threat is that we now have a demonstration that glare and poor viewing angle don't limit your attackers, as long as they can see your fingers and the "shadows" (not sure if they mean shadows or reflections) of your fingers on the screen as you enter the passcode -- and this applies no matter what camera they use.

      • (Score: 2) by Tork on Wednesday June 25 2014, @07:18PM

        by Tork (3914) Subscriber Badge on Wednesday June 25 2014, @07:18PM (#60018)
        "Not sure what ATMs have to do with it --"

        It was a description of a public place where people are watching you do something sensitive. The other poster was unable to distinguish the difference between covert recording and having a camera strapped to your face.

        "Since the attack is already eminently feasible with off-the-shelf hardware..."

        This is not correct for a couple of reasons. First is that Glass will always be at a much better vantage point than any other device you could point at somebody. This *is* an important factor, that's why there are so many configurations of hidden cameras. Second is that the person wearing Glass may not be the one doing the recording. It is an internet-connected device running arbitrary software. We've already seen the stories about webcams betraying their owners.
        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈
        • (Score: 0) by Anonymous Coward on Wednesday June 25 2014, @09:57PM

          by Anonymous Coward on Wednesday June 25 2014, @09:57PM (#60087)

          Hat-cam? Glasses-cam? These both have practically-identical vantage point to Google Glass. Did you even read the OP you're replying to?

          • (Score: 2) by Tork on Wednesday June 25 2014, @10:07PM

            by Tork (3914) Subscriber Badge on Wednesday June 25 2014, @10:07PM (#60090)

            Yes. Hat-cam is not the same vantage point, I know for a fact you've seen comedies that point this out. 'Glasses-cams' are spottable... because Glass is SUPPOSED to have that lens there.

            Oh and the whole always-in-plain-sight thing, but since you haven't taken the time to put any serious thought into the practicality of the point you're trying to make I don't expect you to get that.

            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
          • (Score: 0) by Anonymous Coward on Wednesday June 25 2014, @10:30PM

            by Anonymous Coward on Wednesday June 25 2014, @10:30PM (#60095)
            Did YOU read the post? Even if you managed to win that point it would have been completely obliterated by the rest of his post. If you really want to stay on this sinking ship of an argument you need to start looking up cameras that can be planted on other people.
  • (Score: 1) by tftp on Wednesday June 25 2014, @07:54AM

    by tftp (806) on Wednesday June 25 2014, @07:54AM (#59726) Homepage

    The problem is not unique to GG. However while pen-cams, hat-cams, and glasses-cams are available, nobody in his right mind is rushing to buy them. Why? Because they are single purpose devices. They only do surveillance. Too few people would want to spend big bucks on a niche device. GG breaks this mold; Google is advertising GG as a product that can do other things that a common man may find useful. GG is not bought as a spy cam; it is bought as a Twitting/Facebooking thingy; the spy aspect is a free bonus. Nobody expects pen-cams to become fashion items; however GG explicitly strives for that.

    If you want a bit more emotional example, here is one: guns. Anyone who is a hoplophobe believes that guns are evil because they have only one purpose: to kill people. Perhaps; it doesn't matter in this example. But from this POV you can argue that you don't need to take your gun to a restaurant, unless you plan to murder someone. (Again, we are ignoring examples from recent history.) However imagine that someone invents a fashionable dining accessory that also can be used as a gun. What are the chances that you, who never intended to carry your Glock to the restaurant, will be having this new and wondrous automatic fork with you at the table?

    What GG does is it lowers the barrier of entry. A potentially unwelcome product is delivered inside a bundle, which acts as the Trojan horse. That's why GG is seeing so much opposition. Removal of camera would be an easy way to alleviate those concerns. The camera in GG is just as unwelcome as the camera in a pen.

    There is yet another aspect of GG that makes it worse than pen cameras. Pen cameras are owned and used by a single person. There is zero chance that their recordings will ever be processed by supercomputers and results sent to the government. However GG does exactly that.

    • (Score: 2) by Nerdfest on Wednesday June 25 2014, @01:19PM

      by Nerdfest (80) on Wednesday June 25 2014, @01:19PM (#59847)

      It doesn't really lower the bar for entry; you could do the same thing with your cell phone camera and nobody would even look twice at you.

    • (Score: 2) by Foobar Bazbot on Wednesday June 25 2014, @05:57PM

      by Foobar Bazbot (37) on Wednesday June 25 2014, @05:57PM (#59991) Journal

      FWIW, shortly after I got my first paying job, I rushed to buy a pen-camera. However, this doesn't refute your claim that nobody in his right mind was rushing to buy them, because I was a teenage boy with a sudden influx of discretionary funds, and thus definitely not in my right mind. ;) No, I didn't have any planned use for it, it was just so cool that I had to have it. I suspect that purchases like that are what keep the quantities high enough to enable the ridiculously low prices on what should be niche gear.

      I understand your argument, but I don't buy its significance. To me, the fact that most people don't buy spy cameras mostly suggests that people simply aren't interested in spying on others, not that they are interested, but not enough to spend money on it. Are there some people who want to spy, but not badly enough to buy a $15 pen-cam, and who thus will use wearables like Glass or a smartwatch that way? Sure, but $15 vs. $0 is not a big difference to anyone who can afford a wearable in the first place, so I think very few people fall into that gap.

      While the big data thing strikes me as a very reasonable concern, I don't see any connection between that and this passcode-reading attack -- even if Google/NSA (or some rogue Google/NSA employee, or anyone else who gained access to their data by any means) wants to use this attack to read everyone's passcode, they need an actual video clip of the entire passcode entry process. This is unlikely to show up in the background of some video taken for innocuous reasons, so for an on-demand recorder like Glass, there doesn't seem to be a significant problem involving this attack. In some hypothetical future, when cameras and radio transmitters take much less power to run, we could see some kind of always-on wearable camera with the ability to continuously stream to the cloud (something like the "grain" in that episode of Black Mirror), and then this attack would be useful on the resulting enormous stockpile of video. But right now, that problem with Glass has nothing to do with this article.

  • (Score: 2) by Rivenaleem on Wednesday June 25 2014, @02:57PM

    by Rivenaleem (3400) on Wednesday June 25 2014, @02:57PM (#59891)

    It's amazing what you can do with a field telescope and a notepad. Both of which predate the ATM you are snooping on.