Skip to content

Automated Shoulder Surfing iPad Passwords

A PDF is available from thinkst with details on how to shoulder surf the iPad.

It points out that the keypad buttons glow when selected, defeating the mask of the password field. They have released an application to drive the risk home — a camera records the keys that glow.

Even better, they have referenced the movie Sneakers to point out that this is a simple and known threat. Kudos to them for not claiming any sophistication in their threat. It’s a simple and well-known attack and that is what makes it so annoyingly dangerous to use the Apple product.

This image about how to type a PIN should look very familiar.

Hide your keys

Back to the PDF, this section caught my eye

We have long realised the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rare to find an application that fails to mask the password on screen.

We take the fact that password masking is so ubiquitous as the obvious acknowledgement of shoulder surfing as a viable attack method.

Few people probably realize how lucky we are to have those passwords masked. When I worked on television and mobile authentication user interface security for many millions of devices one of my toughest jobs was to convince the developers and product managers to hide passwords. They did not want to do it and they had some good reasons to resist.

I would always hear the argument that making it easier to see the password when typing on a small screen, a small keypad, a keypad on a big screen, using a joystick, etc. meant fewer support/helpdesk tickets. The cost was palpable.

Take one mobile interface, for example. I argued that the character entered should immediately be masked, just like the typical computer interface. The product manager responded with some user behavior data linked to cost — showing the character entered until the next character was entered reduced helpdesk calls related to password more than 30%, with a cost per call said to be $10-15. That adds up quickly for tens of thousands of devices.

We ended up masking the character as soon as the next character was entered or after 1 second, which ever came first. That reduced the chance of exposure from shoulder surfing while still allowing us to force complex passwords. The only way I was going to get to constant masking was to reduce complexity (e.g. no uppercase, no symbols). Trade-offs and calculations of masking were hard, to say the least.

The threat models for mobile devices always led to shared spaces, especially transportation that forced closeness. Imagine sitting in the narrow seats of public transportation in Philadelphia or New York. Yes, I’ve even researched the space allocated between passengers. Did you know that San Francisco’s BART has the most space between passengers — anti-shoulder surfing or just wasted space? Airplanes and buses have the additional problem of rows facing the same direction but airplanes are especially bad because of the space between seats that allows for peering eyes to look through…

That is all for mobile devices that people carry with them. Giant televisions and projectors are another story entirely. Imagine inviting all your friends over to watch a movie. Then, just as you are about to start up NetFlix, you get a message from the Playstation network that it needs you to change your password (no fault of your own, it’s because they were hacked). So you sit in a big room with a big screen and slowly use a joystick to enter your password. They keys you select are illuminated on the screen for everyone to stare at and see. Do you ask everyone to come back in five minutes?

I actually wrote a solution to this problem and patented it but I still see consoles (e.g. NetFlix on Playstation) that illuminate your keystrokes and thereby display your actual password to everyone. Perhaps the thinkst story will generate more demand for use of the patented authentication mechanism. In brief, I proposed a token system that had a password for initial registration but a simplified identification system later for unique input devices like joysticks, phone keypads and touchscreens..

Imagine logging into the Playstation network by using a token and the joystick button sequence “XO^X->”, for example. If people can figure it out for easter eggs and cheats, I knew they could use it to login. I mean why not setup your system for login with your RockBand Guitar? The point of the patent was to leverage the universal input capabilities of devices and tie it to a token created on a computer, rather than try to pound everything into being more like a keyboard.

The designers and product managers at Apple probably thought they were doing users a favor by illuminating keys pressed in order to simulate the feedback of a physical keyboard. And then the other product companies while copying (should I say “embracing and extending“?) the Apple touch interface (Android/RIM) unfortunately also copied the illumination aspect of the keypad. It’s good that they masked the password but they should have thought more about the risk. Then again, I wouldn’t consider Apple product design suitable for an environment with any real risk. That’s not really what they’re designed for…

Ever notice that Apple’s iPad marketing campaign has them floating in some kind of utopian emptiness of just one superuser?

No perspective on who might be looking over your shoulder; no uncontrolled environments…you don’t see any messaging about product design from them related to real-world risks, especially not like this:


Full disclosure: I own a Panasonic Toughbook. It’s the best laptop I’ve ever owned. I’ve sold all my Apple products and don’t miss fixing them.

Posted in Security.

One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. skipthis_ says

    Interesting post! There is also the iPhone version of this attack, which can also steal passwords and long texts while the victims move naturally during typing.

Some HTML is OK

or, reply to this post via trackback.