Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen -- meaning glare is not an antidote.
The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode.
They tested the algorithm on passwords entered on an Apple (AAPL, Tech30) iPad, Google's (GOOGL, Tech30) Nexus 7 tablet, and an iPhone 5.
"We could get your bank account password," researcher Xinwen Fu said.
The software can be applied to video taken on a variety of devices: Fu and his team experimented with Google Glass, cell phone video, a webcam and a camcorder. The software worked on camcorder video taken at a distance of over 140 feet.
Of course, pointing a camcorder in a stranger's face might yield some suspicion. The rise of wearable technology is what makes this approach actually viable. For example, a smartwatch could stealthily record a target typing on his phone at a coffee shop without drawing much attention.
Fu says Google Glass is a game-changer for this kind of vulnerability.
"The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video ... they see your finger, the password is stolen," Fu said.
Google says that it designed Glass with privacy in mind, and it gives clear signals when it is being used to capture video.
"Unfortunately, stealing passwords by watching people as they type them into ATMs and laptops is nothing new," said a Google spokesman in an emailed statement. "The fact that Glass is worn above the eyes and the screen lights up whenever it's activated clearly signals it's in use and makes it a fairly lousy surveillance device."
CNNMoney put the researchers' software to the test. We set up shop in our corporate cafeteria with the Google Glass-adorned security researcher 8.5 feet away from our iPad.
Fu and his colleagues said they could identify the password with 100% certainty if they recorded the login process three times. They also tested it with the Google Glasses on a robot, just in case the head movement of the researcher proved to be an issue.
In less than ten minutes they were able to accurately identify our password, 5-1-2-0. (It typically takes less time but CNNMoney Tech Correspondent Laurie Segall has short fingernails, which created less of a shadow for their software to analyze. They still got it right.)
The major vulnerability Fu's team identified is that keys are always in the same place on the keyboard. There are tools that can randomize the location of the keys on the keyboard so that a "9" might appear where a "1" is usually situated, but they are not common. The goal of work like this is to make such protections mainstream.
The research will be presented next month at the Black Hat cybersecurity conference.