Using your iPad in a public place may never be the same again, with news that a new app has been created that allows unscrupulous users to steal passwords from unsuspecting iPad users.

The app, available for iOS devices as well as Apple’s Mac platform, uses a camera to watch which keys are being pressed on the iPad – and it’s even more clever than that.

Rather than just watching where your finger is pressing on the screen, the new app, called shoulderPad, actually detects the brief blue flash that occurs when a key is pressed on any iOS on-screen keyboard. This improves accuracy and increases the distance from which it works.

Creepy stuff…

According to a blog post by the app’s creator, Haroon Meer, ‘shoulder surfing’ is what prompted the use of the humble asterisk to mask entered passwords, but this new method renders that security measure completely ineffective.

“We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again.

In an effort to (help) bring back the 90's we decided to do some fiddling and built a quick app (on top of the awesome OpenCV framework) to automate shoulder surfing against iPads.”

This is also something that could (in theory, at least) be possible using CCTV, which means that our iPad passwords may never be safe again.

A real fix for this would be for Apple to remove the blue flash that is currently associated with the pressing of a key on the iOS on-screen keyboard, though we don’t expect to see that happen any time soon.

While we acknowledge that this is still a rather far-fetched security issue, we want to know: do you feel safe entering passwords on an iPad?

