
Hacker’s App Automates Over-The-Shoulder iPad Spying

 

Shoulder surfing, the simple act of leering over a computer user’s shoulder to spy on passwords and other sensitive info, may not seem like the most advanced hacker trick. But when it comes to shoulder surfing Apple’s iPad, Haroon Meer has it down to a science.

Earlier this week, the South African security researcher announced that he’d built shoulderPad, an app for Mac OS, jailbroken iPhones and iPads that’s designed to auto-snoop on iPad users’ passwords by watching their touchscreen keyboards. Simply pretend to be fiddling with your phone or tablet a few meters away from an iPad user while he or she enters their PIN or password, and shoulderPad can use your device’s camera to read and interpret the target’s keystrokes.

The app’s secret? When a user types on an iPad’s touchscreen, each key glows blue for a fraction of a second after it’s struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad’s image recognition algorithms, based on OpenCV’s open source image recognition software, look for that flash of blue. “At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,” says Meer.

He says that the same trick could be easily applied to recorded footage from a surveillance camera. “Any time you’re entering your iPad password in a public area, someone might be able to decode it later at their leisure,” he says.

Meer, who works for the security firm Thinkst in Pretoria, compares that relative vulnerability to the scene in the espionage movie Sneakers, when the group of hackers watch a video of their target, a mathematician, entering his password on a traditional PC keyboard. The keystrokes are obscured, and the hackers bicker over which letters he seems to be typing. “If the mathematician being spied on in Sneakers was using an iPad, they would have had his password easily!” Meer writes in a PDF explaining his hack.

Here’s a short video demonstrating his image-recognition trick.

Meer notes that Apple, like most software companies and Web services, is careful to obscure passwords being entered on a device with asterisks or dots. But highlighting the keys as they’re typed is almost as insecure as leaving the letters visible, he argues. “In an attempt to provide feedback to users, current mobile devices take two security steps backwards,” he writes, “Leaving us less secure than we were in the past.”

Read the full PDF explaining Meer’s work here.