ShoulderPad Slashdotted! (and two clarifications)

(because we can't have enough posts with exclamation marks in them)

Our previous post (and research) seemed to go by pretty silently initially and then suddenly was everywhere. Andy Greenberg wrote a piece over at Forbes which really does deserve special mention. Tech journalists so often sensationalize security stories that many security researchers are quite afraid to even talk them. I certainly was, but his piece was fair, balanced and covered all the interesting points. +1 to him.

The Forbes post was copied almost verbatim by a ton of other "news" sites on the 'net, but we beamed with some measure of geek pride at making the front page of Slashdot (and for featuring on the front page of Hacker News, The Unofficial Apple Weblog and HackADay).

Two Clarifications:
  1. A surprising number of people reacted to the work (on slashdot, or other forums) with: "FAKE! The iPad Keyboard is not black!". One thread even went into detail about how this meant that the video is doctored (while others opined that the keyboard was on a non standard jailbroken iPad and therefore invalid). The video taken is on a standard iOS5 iPad and is exactly the same as the 4.X iPad (once complex passwords have been enabled).
  2. The folks at Politecnico di Milano did some previous work in this field, using computer vision to detect keyboards (on mobile devices) which magnify the alphabets on key-press. Their excellent paper covers their technique and impressive results. (One of the authors commented on several sites that covered the ShoulderPad post about their version working "without needing blue color detection" and also made the mistake of initially assuming our keyboard was non-standard. (Their attack targeted the normal keyboard whilst mines aimed at the Password keyboard).
I've published a few papers and done a few talks, so it's slightly strange for a weekend bit of hackery to have hit such headlines (but it was fun seeing it all over the tubes at any rate).

On-screen Keyboards Considered Harmful

(aka: Shoulder Surfing: There's an App for that!)

We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again.

In an effort to (help) bring back the 90's we decided to do some fiddling and built a quick app(on top of the awesome OpenCV framework) to automate shoulder surfing against iPads.
(You can read more about it [here], download a short pdf on it [here] or just watch the youtube video below (but we think the pdf is more fun!))

There are a few more videos (available after the break)