Password cracking that bypasses any bruteforce

Nitish ChandanCyber Security

Interesting, is it?

You are in a mall shopping and have to login to your mobile banking portal for some reason. You go to a corner, face a wall and type your password. Wonderful! Nobody can see what you type and you are not worried at all.

Think again now. No, I am not talking about shoulder surfing here, come on! Hackers can now mathematically generate your entered password by interpreting a video of you tapping on your smartphone even if the display is not visible. This has been demonstrated through an experiment at Syracuse University.
The mechanics behind this interpretation is to use “Spatio-temporal dynamics” to measure the distance from the fingers to the phone’s screen to guess the password typed on the phone. One of the co-authors of a paper about this technology, Vir Phoha says that it is like lip-reading. All you need to have and know is a clear video of the user typing and a known geometry and model of the phone.

Insofar, there have been no incidents of hackers stealing passwords using this method. However, the risk is not very far away. With the burgeoning use of mobile banking technology due to its increased accessibility, the vulnerability increases multifold. Developers of this technology have stated that it is very simple to implement for anybody who knows computer programming. Furthermore, if used in the right direction, National Security and Law enforcement agencies could keep track of records of any criminal.

The Syracuse experiments

The Syracuse experiments involved 50 volunteers typing PINs into HTC One smartphones, in a variety of different settings and postures. For each volunteer, researchers shot four different videos. The researchers made the recordings using two off-the-shelf devices: a Google Nexus 5 smartphone camera and a Sony camcorder. All the videos were shot from the side or back of the phone, from 12 to 15 feet away. None of the videos captured the phone screen or explicitly showed what users were typing.

Software filled in the gaps, however, with a combination of image analysis and motion tracking algorithms being remarkably effective at “guessing” the PINs users typed in. On the first guess, the software determined the correct password between 40% and 62% of the time, depending on the quality of the video and the zoom ratio. The highest-quality video produced an 82% accuracy rate after 5 guesses and 94% accuracy after 10 guesses. Using more than one video for each phone raises the odds of success even further.
Originally here


All this happens in the West, with new technologies and smarter internet users. However, in India, we still have the problem of people being very careless about passwords in spite of complaining that the internet world is very unsafe. Just a couple of months ago, I witnessed an IT professional openly reveal his ATM pin to a Pizza Hut attendant while swiping his card for payment. While it may be important to implement high-end technologies to stay safe, without basic internet ethics and safe-usage awareness, there is no software that can protect you.

Password Cracking