ShoulderPad Slashdotted! (and two clarifications)

(because we can't have enough posts with exclamation marks in them)

Our previous post (and research) seemed to go by pretty silently initially and then suddenly was everywhere. Andy Greenberg wrote a piece over at Forbes which really does deserve special mention. Tech journalists so often sensationalize security stories that many security researchers are quite afraid to even talk to them. I certainly was, but his piece was fair, balanced and covered all the interesting points. +1 to him. The Forbes post was copied almost verbatim by a ton of other "news" sites on the 'net, but we beamed with some measure of geek pride at making the front page of Slashdot (and for featuring on the front page of Hacker News, The Unofficial Apple Weblog and HackADay).

Two Clarifications: A surprising number of people reacted to the work (on Slashdot, or other forums) with: "FAKE! The iPad Keyboard is not black!". One thread even went into detail about how this meant

On-screen Keyboards Considered Harmful

(aka: Shoulder Surfing: There's an App for that!)

We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets), however, will highlight keys pressed on the keyboard, making old-style shoulder surfing attacks trivial (and reasonably automatable) again. In an effort to (help) bring back the 90's we decided to do some fiddling and built a quick app (on top of the awesome OpenCV framework) to automate shoulder surfing against iPads. (You can read more about it [here], download a short PDF on it [here] or just watch the YouTube video below (but we think the PDF is more fun!)) There are a few more videos (available after the break)