Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Exploiting the iPad's Glowing Keyboard

timothy posted more than 3 years ago | from the easy-solution-turn-off-screen dept.

Handhelds 127

nonprofiteer writes "Earlier this week, a South African security researcher released shoulderPad, an app that's designed to auto-snoop on iPad users' passwords by watching their touchscreen keyboards. When a user types on an iPad's touchscreen, each key glows blue for a fraction of a second after it's struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad's image recognition algorithms, based on Open CV's open source image recognition software, look for that flash of blue. 'At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke,' says Meer."

cancel ×

127 comments

Sorry! There are no comments related to the filter you selected.

Oh great (1)

colinrichardday (768814) | more than 3 years ago | (#36771560)

One more thing to warn my informatics students about.

Re:Oh great (1)

Darinbob (1142669) | more than 3 years ago | (#36772262)

But this is an old technique, you should have warned them about it anyway. Ie, someone looking over shoulder at the ATM to get PIN number, or watching you obliquely as you type a password, or telescopes watching your screen from the next building (or even picking up the noise from a CRT and decoding that, which has been done).

Re:Oh great (-1, Redundant)

Mr. Freeman (933986) | more than 3 years ago | (#36772504)

It's just "PIN", not "PIN number".

Re:Oh great (1)

Anonymous Coward | more than 3 years ago | (#36772642)

I always enter my pin number when I go to an atm machine.

Re:Oh great (-1)

Anonymous Coward | more than 3 years ago | (#36772652)

So, what IS your Personal Identification Number number?

Re:Oh great (1)

dzfoo (772245) | more than 3 years ago | (#36772744)

Whoosh!

Re:Oh great (-1)

Anonymous Coward | more than 3 years ago | (#36772786)

What was that whooshing sound?!

Re:Oh great (0)

Anonymous Coward | more than 3 years ago | (#36772688)

Ideally GP should have used "ATM machine" in the same post, but this will have to do.

Re:Oh great (0)

Anonymous Coward | more than 3 years ago | (#36772792)

Hey now, if he wants to warn his students that there's someone looking over their shoulder trying to get their PIN number at the ATM machine, or that someone's going to pick up the noise from his CRT tube, that's his business. Someone has to work in the department of redundancy department, after all.

thisius whaIUNTJA,JMAIERUYHNEEEDTO knoiw (5, Funny)

For a Free Internet (1594621) | more than 3 years ago | (#36771562)

Wewi naotallowkitkjnm0potkje nitoine notone ever yiyu betcha! goatsexunhj,q *N& and fuuuuuuuuuuuc83yh89ynkHPHPHPH penus dofrg!!!!!!!!!!!!

Re:thisius whaIUNTJA,JMAIERUYHNEEEDTO knoiw (0)

farseeker (2134818) | more than 3 years ago | (#36771580)

Whoever downmodded this missed the point I think

Re:thisius whaIUNTJA,JMAIERUYHNEEEDTO knoiw (0)

monkyyy (1901940) | more than 3 years ago | (#36772234)

downmod me for commenting on someone downmodded :D

RUBBER HOSE STILL #1 !! (-1)

Anonymous Coward | more than 3 years ago | (#36771584)

A rubber hose is the fast, most sure-fire way to get any info out of any body, dead or alive !!

Up your nose with a rubber hose brings back such fond mammories !!

Re:RUBBER HOSE STILL #1 !! (0)

ColdWetDog (752185) | more than 3 years ago | (#36772190)

A rubber hose is the fast, most sure-fire way to get any info out of any body, dead or alive !!

Up your nose with a rubber hose brings back such fond mammories !!

You have a rather strange sex life. And thank you, no, you don't have to add any additional details.

Security Enhancement (4, Funny)

PPH (736903) | more than 3 years ago | (#36771598)

Enable the iPad camera and feed a video window on the login screen so you can see who's looking over your shoulder.

Re:Security Enhancement (5, Funny)

Kenja (541830) | more than 3 years ago | (#36771644)

Its some suspicious looking guy! Man is he ugly, its almost as if.... oh, its me.

Re:Security Enhancement (2)

Ethanol-fueled (1125189) | more than 3 years ago | (#36771702)

Your fancy-schmancy facial-recognition algorithms won't detect [mashable.com] your potential mugger.

Especially at nighttime.

Re:Security Enhancement (0)

Anonymous Coward | more than 3 years ago | (#36772350)

...because we know all potential muggers are black... and that all algorithms are the same as HP's...

Re:Security Enhancement (1)

Racemaniac (1099281) | more than 3 years ago | (#36772388)

And all jokes have to be analyzed and have all their flaws explained

Incredibly not amazing... (0, Insightful)

Anonymous Coward | more than 3 years ago | (#36771612)

This is like a hello world of opencv programs...color blob detection. Unless you're stealing shitloads of passwords...which probably isn't the case...you could just as easily watch the slowed down video. He's not even extracting what keys they're typing!?

Re:Incredibly not amazing... (1)

scdeimos (632778) | more than 3 years ago | (#36771706)

Yes he is. Keep an eye on the top-left corner of the video while the program's running.

Put it to work for you (0)

farseeker (2134818) | more than 3 years ago | (#36771618)

With any luck, ShoulderPad will be open to SQL injection. Little Bobby Tables strikes again!

Re:Put it to work for you (-1)

Anonymous Coward | more than 3 years ago | (#36771664)

With any luck, ShoulderPad will be open to SQL injection.

I don't think you know what either of those things mean.

Re:Put it to work for you (-1)

Anonymous Coward | more than 3 years ago | (#36771764)

I've farted more than you'll ever know.

Re:Put it to work for you (0)

Anonymous Coward | more than 3 years ago | (#36771846)

I've farted more than you'll ever know.

That's what she said!

Re:Put it to work for you (1)

jimmydevice (699057) | more than 3 years ago | (#36771888)

DEviaNT sez you fail

Re:Put it to work for you (1)

AK Marc (707885) | more than 3 years ago | (#36772334)

"Luck" and "open"?

It's not even that hard (4, Insightful)

Anonymous Coward | more than 3 years ago | (#36771620)

To make it easier to catch typos, secure text fields on iOS persistently display the most recent character typed (and hide it when you type the next one). If you're already recording video of the iPad screen, why not just look for that?

Re:It's not even that hard (0)

Anonymous Coward | more than 3 years ago | (#36771686)

You need a lot more details to do this

Re:It's not even that hard (1)

FooAtWFU (699187) | more than 3 years ago | (#36771694)

It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.

Re:It's not even that hard (1)

gnapster (1401889) | more than 3 years ago | (#36771842)

"Yes, of course Angry Birds is easier to play when the camera's pointing at your iPad. What? Don't be ridiculous! I'm not watching you type in your password, I'm playing Angry Birds. The nerve!"

Re:It's not even that hard (2)

grumbel (592662) | more than 3 years ago | (#36771904)

What good would the reflected glow do? That only tells you that a key got pressed, not which one. The app in question here seems rather trivial, all it does is detect which key was pressed by looking for the blue highlight on the key, it still needs to have a completely free view onto the keyboard to see which key that was and when you have that free a view, you can see the users hand hitting the keys anyway. The only interesting thing seems to be that it is easier to automate the detection of the blue keys then it is detecting if a hand movement was a key-press or not.

Re:It's not even that hard (1)

perpenso (1613749) | more than 3 years ago | (#36772054)

It's presumably a lot easier to get some part of the reflected glow of the screen than it is to get a good video feed of the password field. Especially if you're trying to go unnoticed.

You don't have to look at the password field. There is a much better, larger and more readable alternative. When you press a key an enlarged version of the key momentarily hovers above your finger to give you feedback on what you just pressed. Your finger is covering the smaller lettering on he keyboard and the glow.

less useful than plain video and a human. (0)

Anonymous Coward | more than 3 years ago | (#36771768)

a human would need less resolution.
  a human can understand the finger.
  a human can work it out without a glowing keypad.
the amount of false positives will be overwhelming. not to mention the extreme difficulty in getting a computer to recognize something so easily recognizable by a human.

Re:It's not even that hard (1)

stephanruby (542433) | more than 3 years ago | (#36771840)

On an Android tablet, that feature can be turned off (I assume it's the same on an iPad).

Re:It's not even that hard (-1, Troll)

interkin3tic (1469267) | more than 3 years ago | (#36772138)

On an Android tablet, that feature can be turned off (I assume it's the same on an iPad).

I assume it's not. Giving the user the option to modify things is something apple only does sparingly, they sell it as AMAZING NEW FEATURE with the latest OS.

You want your iphone to play something besides the 6 included tones for a text message alert? Whoa, slow down there buddy! Just because other, dumber phones have had that option for about a decade, things aren't that simple with the iphone. Fortunately, apple engineers have FINALLY found a way to make your wish come true when you buy iOS5!

No, I'm serious. You can't change the SMS text tone on the iphone, still, to this day. Well, you can of course through jailbreaking quite easily, but otherwise no. It's going to be included in OS5 evidently. Being able to change the background and lock the orientation of the phone was one of the "features" of OS 4. It's utterly absurd.

Turning off the dangerous blue flash, no way is that an option. I'm guessing apple is debating whether they can get away with putting that as part of OS5 and charging people money for it. Personally, I'm going to be looking for something to solve it on Cydia. (Yes I have an iphone, yes it is a deeply flawed product, yes, I do still use it.)

Re:It's not even that hard (3, Informative)

mini me (132455) | more than 3 years ago | (#36772208)

No, I'm serious. You can't change the SMS text tone on the iphone,

Being serious doesn't make it true. Even the iPhone 3G was given the feature quite some time ago.

Re:It's not even that hard (0)

Pieroxy (222434) | more than 3 years ago | (#36772326)

You can change it, but only between the limited ringtones made available by Apple. You cannot personalize it with your own.

Re:It's not even that hard (1, Insightful)

Pieroxy (222434) | more than 3 years ago | (#36772320)

Dude, Apple doesn't charge a dime for new OSes.
The rest is true of course.

Re:It's not even that hard (1)

jo_ham (604554) | more than 3 years ago | (#36772636)

Except for all those other parts that are also untrue. Ie, the part about not being able to change SMS tones. That's what we call in the business as "a lie".

Re:It's not even that hard (0)

Sabriel (134364) | more than 3 years ago | (#36772668)

If you read the full post, it is referring to the fact that you cannot *change* the iphone's SMS tones. You can *select* between the six tones Apple provides, but you cannot *change* any of those tones to one of your own choosing without first jailbreaking the phone.

Re:It's not even that hard (1)

jo_ham (604554) | more than 3 years ago | (#36772630)

I can change my SMS tone and I have an iPhone 3G (ie, comparatively ancient) I also have a totally custom ringtone (from TMBG) which I did not have to buy through iTunes or anything.

Also, Apple charges for iOS updates? Wow. That's news to me! Where did you find that bit of exclusive, new information?

Re:It's not even that hard (1)

Sabriel (134364) | more than 3 years ago | (#36772676)

I also have an iPhone 3G (3GS if we're being pedantic). So could you tell me how to *change* my SMS tone to one of my own choosing without jailbreaking the phone? Because all mine lets me do is *select* from the six tones that Apple put on the phone.

Re:It's not even that hard (1, Informative)

rbrausse (1319883) | more than 3 years ago | (#36772712)

I never owned an iphone but I was curious.

and WTF, the way to change tones seems to be:

1. jailbreak the thing
2. convert your custom tone to AIFF
3. ssh to the phone
4. in /system/library/audio/uisounds overwrite the original files with your own file

*very* convenient, I still can't believe it

Re:It's not even that hard (0)

Anonymous Coward | more than 3 years ago | (#36772074)

It isn't a persistent display, it also times out after a few seconds of not typing. Which doesn't change the fact that it's easier :)

Re:It's not even that hard (1)

wvmarle (1070040) | more than 3 years ago | (#36772302)

My Android phone allows the complete password to be visible when typing (which is convenient, and unless you're in a public space not really insecure to begin with), while by default it will only show the latest letter entered for a few seconds so you can see if it's the right one, hiding it after a few seconds, or when you enter the next character. So very similar to the iPhone.

I have never seen this as a serious security issue. I'd say it's not exactly worse than looking at someone typing on a physical keyboard.

Re:It's not even that hard (3, Interesting)

rbrausse (1319883) | more than 3 years ago | (#36772570)

Schneier wrote some time ago about the advantages of visible passwords [schneier.com] . One (small) shitstorm later he compiled an interesting pro/con list [schneier.com] .

Re:It's not even that hard (2)

Rigrig (922033) | more than 3 years ago | (#36772818)

Because determining which part of the keyboard lights up is much easier than OCRing a much smaller character. A video could easily be low-res/blurry enough to make reading that character impossible, while the blue flashes would still be recognizable.

Not just Apple (0)

Anonymous Coward | more than 3 years ago | (#36771684)

Nice twisting of reality here to make a story, reporters. Touchscreen devices of all varieties have been doing this for years. Even PalmOS was inverting the onscreen keys as you pressed them.

Re:Not just Apple (1, Insightful)

lucm (889690) | more than 3 years ago | (#36771784)

> Nice twisting of reality here to make a story, reporters. Touchscreen devices of all varieties have been doing this for years. Even PalmOS was inverting the onscreen keys as you pressed them

You are the one twisting reality. Good stuff on the iPad = invented by Apple. Bad stuff on the iPad = same problem with all the other products in the universe but the other products are actually worse because they had it before and nobody fixed it.

This being said, it is a good thing you posted this as AC, otherwise people could have stolen your Slashdot password just by watching you typing it on your iPad.

Re:Not just Apple (1)

EvanED (569694) | more than 3 years ago | (#36771824)

And by contrast, MS has visual feedback disabled on their virtual keyboards on the tablet editions of Windows. (Primarily for convertible tablets... remember those?)

Bizarro world, huh?

Re:Not just Apple (1)

EvanED (569694) | more than 3 years ago | (#36771848)

MS has visual feedback disabled on their virtual keyboards

Just for clarification, I meant to say "on password screens". It's off for the login screen and I think anything else the app reports is a password box.

Nike Free Run (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#36771700)

this post is already as classic, Herve Leger Dress [hervelegersdress.net] but its significance is far greater than the classic itself.

Re:Nike Free Run (0)

Anonymous Coward | more than 3 years ago | (#36772028)

this is OT spam and whoever moded this up needs to have their mod abilities suspended

Re:Nike Free Run (0)

Anonymous Coward | more than 3 years ago | (#36772312)

Is this spam or have I somehow, completely, missed a 'classic' herve leger dress slashdot meme? I'm quite intrigued. O.0

Re:Nike Free Run (0)

Anonymous Coward | more than 3 years ago | (#36772328)

Only goes up to large. My basement dwelling fat ass would split the seams :/. I call spam.

Does not one here have an iPad? (1)

Anonymous Coward | more than 3 years ago | (#36771734)

This whole story is completely false.

The iPad keybord is not black, neither does it do a blue glow.

iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as see in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.

Re:Does not one here have an iPad? (1)

exomondo (1725132) | more than 3 years ago | (#36771844)

This whole story is completely false.

The iPad keybord is not black, neither does it do a blue glow.

iOS virtual keyboards have *NEVER* been black. Yes if you Jailbreak you can put any type of skin (as see in the linked article), but the default virtual keyboard is white as in iPhone, iPod touch and iPad.

Have you looked at the keyboard of the lockscreen with an alphanumeric password? No? Of course not, because you posted this so you can't possibly have.

Re:Does not one here have an iPad? (0)

Anonymous Coward | more than 3 years ago | (#36772082)

I guess that black keyboard I enter my password into to unlock my ipad doesn't exist then.

Re:Does not one here have an iPad? (0)

Anonymous Coward | more than 3 years ago | (#36772726)

Let me guess, you're an atheist too?

Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36771746)

The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36771850)

The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

Unless you actually try the situation shown in the article.

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36771878)

If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36771908)

If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.

Do you have an ipad? Did you watch the video in the article? How about you have a look at the video, it shows that both your posts are wrong. Yes the keyboard is that colour and no the text doesn't flash up in the text entry box.

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36771944)

Yes, I tested it all out, there was no need for this extensive demonstration, as the assertion that password masking is completely hidden by default is incorrect (which is why they did the 2nd method). Their video's password entry does not work as it does on default on my iPad. On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772010)

Yes, I tested it all out

Oh come on, you started by saying the keyboard wasn't black!

On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

And you're running what version with what settings?

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36772080)

Come over to here [slashdot.org] . We are having the same conversation in two branches. I'm on 4.3.3, default settings with non-simple password entry as I said before.

Re:Article and Video is misleading (0)

Anonymous Coward | more than 3 years ago | (#36772030)

I have an iPad 2, I did exactly what the video did and what Doomy says is right, the video seems like it was edited, their is a white box placed where the key pressed should be showing, they lag it up and edit. It's not a very honest video.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772094)

are you running iOS5?

Re:Article and Video is misleading (0)

Anonymous Coward | more than 3 years ago | (#36771914)

Try recording that at a distance compared to recording the blue highlights at a distance
(We will all ignore how your first comment jumped the gun without checking)

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36771930)

Ah, let me point out what came out bogus to me when I read the PDF.

The person claims this on page 3:

We have long realized the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rate to find an application that fails to mask passwords on screen. Even the iDevices (which we examine below) mask passwords by default. We take the fact that password masking is so ubiquitous as the obvious acknowledgement of the shoulder surfing as a viable attack method.

Wait... This is where I have a problem, they claim that iOS masks the passwords by default and thus they have to use this other compelx method of capturing what keys are pressed. My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36771946)

My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.

That's because it is already masked which is what he said, so of course the only way to capture it is to determine what keys were pressed. How else are you going to capture the password?

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36771982)

No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate [imgur.com] (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.

Re:Article and Video is misleading (0)

Anonymous Coward | more than 3 years ago | (#36772060)

This is what I see too, for about 1 second the key pressed remains, BTW could you tell me where you got that wallpaper? Thanks in advance.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772084)

No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate [imgur.com] (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.

And you are just running to the assumption that it is doctored video as opposed to say iOS5?

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36772106)

I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon [imgur.com]

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772132)

I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon [imgur.com]

Probably because it's the new version of the OS and that even if they introduce this feature of masking the keys completely there is still a vulnerability. Anyway it seems you're just trying to pull this article apart with whatever you can, albiet with no actual facts. First it's the keyboard (incorrect), then the password showing up (which is likely in the next OS version) and also the fact that they state in the article that you can do this over long distances where obviously the spatial position of a blue keyboard flash can be calculated even when the key could not possibly be read.

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36772176)

I'm sorry are you the person behind this video? Yes, I do like to pull an article apart to see the validity of the claims. As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that. Yes, I admit the keyboard thing was an err on my part, as I was reading his PDF I realized this was about non-simple passcode entry. As far as the password showing up, it doesn't happen on mine (and as others said doesn't happen on their iPad's as well). The letters that show up are huge, it's very very easy to read it off, and they stick around for quite a bit, I could take two screenshots of a given passcode letter before it becomes a mask. I do like what he made, it's cool. But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772202)

I'm sorry are you the person behind this video?

No, obviously if i was i would be able to say what the version the ipad in the video was running wouldn't i.

Yes, I do like to pull an article apart to see the validity of the claims.

But your claims don't seem to actually be refuting the article because you don't have any facts. I personally wouldn't go calling something 'bogus' or their claims 'incorrect' unless my personal experience was actually replicating that of the article, and you certainly cannot say that yours is.

As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that.

Your experience is clearly an invalid basis for you to be calling it bogus then isn't it.

The letters that show up are huge, it's very very easy to read it off

At what distance?

But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).

Or that much more likely he is using the new OS where they have added this fix to prevent people from reading the password directly and he is showing that it may not be enough.

Personally i think the study is far fetched anyway and could be mostly circumvented if they used the normal keyboard instead, or if you made sure to move around a little as you typed your password.

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36772224)

I'm sorry you feel that way. Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?). Also It's already been claimed this is iOS 4.3.x above. No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772260)

Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?).

No, I don't run iOS5, i guess you could find plenty of videos and pictures if you google though.

Also It's already been claimed this is iOS 4.3.x above.

Yet the message center is only visible if you have messages, so that claim is baseless too.

No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.

What are these 'holes' that you're suggesting it has? Lets assume for a minute that the letters do show up, what difference does that actually make?
It's still clear your claims of these things being 'bogus' and 'incorrect' are baseless, im all for dissecting these kinds of studies but i would not start making claims unless i actually had some facts to back them up, that's just common sense.

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36772286)

As I said before, if you read the PDF, he claims he started on this project cause the masked password entry was way too robust by default to exploit. I didn't feel that was the case as my own observation is different from what he claimed. The rest of what he did was excellent, not saying anything about that, I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.

Can you show a screen of the iOS you run and password entry? I'd rather he showed these videos [youtube.com] but it doesn't fit his article.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772300)

I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.

But that is obviously flawed given that you don't know what version of iOS he is running and you yourself can't say what the behavior is in iOS5.

Can you show a screen of the iOS you run and password entry?

Huh? I already told you I don't run iOS 5, I run 4.3.3 and I see the same thing as you do. So since I don't run iOS 5 I don't know if his assertion regarding password entry masking is correct or not, and neither can you. He even clarified for situations where the masking is not in effect that his solution likely works over greater distances (though he didn't specify what distances).

Re:Article and Video is misleading (1)

doomy (7461) | more than 3 years ago | (#36772318)

The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device. And.... best of all it can be adapted to work on even physical keyboards. Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772342)

The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device.

Of course, that's hardly sensationalist though, when the tablet market is vastly dominated by the iPad id say that's the logical choice for a demonstration.

And.... best of all it can be adapted to work on even physical keyboards.

Not if they aren't lit, which most aren't. Yet as you say this works on almost all tablet computers assuming you have the keyboard layout.

Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.

So he shouldn't have done this because something different would have been more impressive...now you're just clutching at straws.

Re:Article and Video is misleading (0)

Anonymous Coward | more than 3 years ago | (#36772446)

Jesus rude fuck is rude... He was polite to you the whole time, you tried flame-bating him. Even when you agree with what he said you you flamed him at the end. What a jackass. I'm impressed the low ID kept his cool. Also that's iOS 4.3.3 with jailbreak mod that hides crap.

Re:Article and Video is misleading (0)

exomondo (1725132) | more than 3 years ago | (#36772468)

Jesus rude fuck is rude... He was polite to you the whole time, you tried flame-bating him. Even when you agree with what he said you you flamed him at the end. What a jackass. I'm impressed the low ID kept his cool. Also that's iOS 4.3.3 with jailbreak mod that hides crap.

The guy who called the study 'bogus' and 'incorrect' without any facts while making numerous errors on his own part? That's about as much of a jackass as you can be. pfftt...and nice try, pretty obvious you're just posting as AC, lame.

Re:Article and Video is misleading (0)

Anonymous Coward | more than 3 years ago | (#36772522)

Actually I find it despicable that someone would go to such lengths to discredit an article with such bullshit:

[x] First the keyboard doesn't look like that, well actually it does
[x] Next it's 'incorrect' because the letters show up on iOS4.3.x even though the guy could be using iOS5.
[x] Next it's 'bogus' because he asserted that what he demonstrated was a version of iOS more secure than doomy's. Which of course doesn't affect the outcome, since the more secure version is just as vulnerable.
[x] Then the whole study has unspecified 'holes' in it, yet no elaborating on what those might be.
[x] Again, that the password entry is 'invalid', without knowing what version he is using.
[x] Then it's 'sensationalism' because it's demonstrated on iOS.
[x] And lastly he shouldn't have done it on iOS because it would have been more impressive if he did it on a real keyboard.

Doing all that to discredit an article is about as fucking rude as you can possibly get, there is nothing more rude than criticizing something when it's blindingly obvious you have no idea what you're talking about or have any basis for such criticisms. If i did that continually throughout a discussion i would expect people to be rude back.

Re:Article and Video is misleading (0)

Anonymous Coward | more than 3 years ago | (#36772212)

Video is of IOS 4.3+ not 5. As the new version has a message center on that lock screen now.

Re:Article and Video is misleading (1)

exomondo (1725132) | more than 3 years ago | (#36772244)

Video is of IOS 4.3+ not 5. As the new version has a message center on that lock screen now.

but the message center is only there if you have messages.

Video may be bogus, but point is valid (3, Insightful)

93 Escort Wagon (326346) | more than 3 years ago | (#36771890)

While this is not a unique problem to the iPad, since it is the 800 pound gorilla in the room it deservedly gets the attention.

Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?), or whether this particular demo games the system a bit, is somewhat irrelevant. With both smartphones and tablets it's much easier to snoop someone's password. Most people don't seem to think about security at all when they're typing their login information in public on an iPad or smart phone, so shoulder snooping is easy; and the "display the most recent letter pressed" gimmick used by both iOS and Android provides yet another possible attack vector.

I used to be very much against letting a computer or other device save my passwords; but I'm beginning to think - with portable devices anyway - there's value in doing so. Of course, if you lose the device you're screwed...

And there's still the additional problem where a lot of wifi hotspots aren't secured, so you need to be doubly sure of the site security (e.g. https) for any website you might log into.

Re:Video may be bogus, but point is valid (1)

exomondo (1725132) | more than 3 years ago | (#36771936)

Whether or not any iPad keyboard is actually black with a blue afterglow (could that be IOS 5?)

It's the keyboard for the alphanumeric passcode lock screen entry, it's been that way for quite some time.

Re:Video may be bogus, but point is valid (1)

artor3 (1344997) | more than 3 years ago | (#36772180)

I have an Android phone, but I assume my method works just as well for iOS and tablets.

Step 1) Store all of your passwords in KeePass
Step 2) Make a long and complex password for your KeePass file, using non-alphanumerics, whitespace, repeated characters and look-alike characters. No one looking over your shoulder will memorize "S0l|ll x####ffe3EE zxp5", unless they get hi-res video of you typing it in.
Step 3) Use the DropBox app to sync your password file to your phone
Step 4) Run the KeePass app in the background, and copy-paste passwords into the necessary fields.
Step 5) Make sure to turn KeePass off whenever not actively using your phone.
Step 6) Profit, by way of not having your bank account looted.

Only one password is ever visible, and it's complex enough that it would be near impossible to steal. Your other passwords can be just as complex as the KeePass one, since you won't need to memorize them. However, if you'd prefer they be easier to remember for times that you don't have access to KeePass, you can keep them simple. Regardless, the only way you'll ever get fucked is if you leave KeePass running, and someone manages to steal you phone in the five minute window before it turns itself off. And if you're extra paranoid, you can shorten that window to 30 seconds.

Re:Video may be bogus, but point is valid (1)

CProgrammer98 (240351) | more than 3 years ago | (#36772718)

I was about to say that you can't paste into the screen unlock field - but you can! - and no flashes, or text reveals.

This does however mean that you need the foresight to always copy the password into the paste buffer just before locking your iPad...

Re:Video may be bogus, but point is valid (0)

Anonymous Coward | more than 3 years ago | (#36772728)

Wait, dropbox? Are you serious?

Dropbox and security in the same sentence does not compute.

An old problem. Solution seems simple. (1)

Anonymous Coward | more than 3 years ago | (#36771962)

It's called a scrambled keypad.

http://www.pcscsecurity.com/scramble-keypad-sp-100 [pcscsecurity.com]

This can be easily implemented on iPad, iPhones, or any touch screen device. It probably should.

Scandleous! (1)

cultiv8 (1660093) | more than 3 years ago | (#36771992)

OSS used for foul play, off with their heads!

How to buy cheap mbt shoes (-1)

Anonymous Coward | more than 3 years ago | (#36771996)

I absolutely love these women jordans 2011 [fashionproduct2you.com] . I needed a new style for work, they look great and even feel better. Very soft sole Jordan 2011 [sportshoes2you.com] . It is important for my work shoes to have ventilation. Meanwhile, cheap MBT shoes [sportshoes2you.com] is suitable. I’ll be back before Christmas.

making video of someone entering password (0)

Anonymous Coward | more than 3 years ago | (#36772560)

how different is it from capturing a video of someone entering password using a conventional keyboard?

Very unimpressive demo video, keys easily visible (1)

AC-x (735297) | more than 3 years ago | (#36772902)

That has to be one of the least impressive video demonstrations I've seen, it probably would have been quicker to frame advance the video manually and type the easily visible key presses by hand.

If this program could decode key presses from further away where keys are no-longer easily distinguishable by eye then I would be impressed.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>