Google Glass wearers can steal your password from 10ft away

Rob Waugh
Google Glass wearers can steal passwords simply by looking at a PC screen

Google Glass wearers can “read” passwords such as PIN codes or online banking passwords from up to 10ft away - and snoopers would not even need a clear view of your screen.

Security researchers found that simply tracking a fingertip across a touchscreen using computer vision techniques is enough - and Glass wearers can snoop everything from smartphone PIN codes to online banking passwords simply by recording a video of the moving finger.

Glass wearers have an advantage over snoopers armed with smartphones - they can adjust the angle until they get a clear view of the victim’s fingers. Once they have that, they can steal passwords with 90% accuracy.

“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Xinwen Fu of University of Massachusetts in Lowell. “If someone can take a video of you typing on the screen, you lose everything.”

                                  [Facebook privacy - how to get rid of ANYTHING you don't like]

Google Glass has only been on sale in Britain for a month, but scares over the privacy of the camera-equipped headsets have come thick and fast.

The Mail on Sunday found that a reporter wearing the camera-equipped glasses was able to wander freely into very private environments, such as changing rooms.

British cinemas announced last week that the devices would be banned. In America, restaurants and bars have banned the gadgets, and wearers have been assaulted in the San Francisco area.

The password-stealing attack works regardless of whether the screen is obscured by glare - or held at an angle where it’s not visible to the naked eye.

Dr Fu’s team claim that it works regardless of what language the victim is using - and could be used to steal complex passwords such as ones for online banking.

Instead of tracking what is shown on screen, Dr Fu’s attack uses computer software to track the fingertip itself, analysing its position relative to the screen to create a pattern of “touch points” where the finger touched the screen.

This can be used to reconstruct passwords - regardless of whether they are simple PIN codes or more complex passwords entered via an on-screen QWERTY keyboard.

"The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video ... they see your finger, the password is stolen," Fu said.

The researchers showed off the attack working when applied to Apple’s iPad, a Google Nexus 7 tablet, and an iPhone 5.

Fu and his colleagues will reveal more details of their research at the Black Hat hacker conference in Las Vegas this year - and show off a Privacy Enhancing Keyboard application for Android devices, which pops up a randomized keyboard whenever a password is required, but reverts to a normal QWERTY keyboard when not in use.