Google Glass App Can Steal Others' Passwords

Google Glass. Credit: Lisa Eadecicco

(Image credit: Google Glass. Credit: Lisa Eadecicco)

Google Glass makes a lot of things easy: multitasking. Pretending to listen while people talk to you. And stealing people's passwords.

It's far easier than it might sound: Google Glass's videocamera can be used to record every time someone near you enters a password into a computer or phone or a PIN into an ATM machine. But a group of researchers have now made it even easier, with an app that automatically recognizes when the camera has witnessed a password, and uses advanced pattern recognition techniques to replicate that password.

MORE: 7 Scariest Security Threats Headed Your Way

At the Black Hat security conference in Las Vegas, Nevada, Qinggang Yue of the University of Massachusetts Lowell presented a new method for teaching Google Glass (and other devices) to recognize when a video contains a clip of someone typing a password, and how to replicate that password—even when the screen itself isn't visible in the video feed.

This isn't the first attempt to take video footage and recreate what someone in the video is typing. But other so-called "computer vision techniques" correct for any errors in their visual recognition using language models — essentially using autocorrect on their findings to more accurately replicate the original typed text.

But this doesn't work with passwords, which aren't usually (or shouldn't be!) real words. Yue says he and his colleagues developed this technique especially for recognizing and reproducing passwords.

Don't have a Google Glass? No problem! The researchers have developed apps using this technique for iOS and Android, and a desktop version that can be used via a webcam. Yue even says a smartwatch could do it, so long as it's equipped with a video camera.

The technique works by first identifying which device the person in the video is using to type their passwords: an iPhone, an iPad, a Nexus tablet, etc. It then uses the known dimensions of that device to calculate where on the screen the keys will appear.

The camera doesn't even need to be able to get a clear visual of the keys being pressed. Say you're using Google Glass to watch someone type a passcode into a touchscreen device, like a smartphone or tablet. The app maps that screen to determine where the keys on a "qwerty" keyboard are most likely to be located. It also tracks your target's fingertip as he or she taps the screen.

Using just this information, the app is able to recreate the passcode or other text that your target just entered.

So what can you do to protect from this kind of attack? The researchers have an answer for that too: the Privacy Enhancing Keyboard, an Android app that creates a randomized, non-QWERTY keyboard for entering passcodes and other sensitive information. Using a keyboard where all the keys are out of order sounds really annoying, but it'll also prevent Google Glass snoops with this app from being able to piece together your passwords.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.