Shoulder Surfing: a Worrying Gap in Your Cyber Defences

Published: 17 April 2015

By Andy Harris

One of the most important mantras for any cyber security professional, consumer or even law enforcer to remember is that the bad guys will usually choose “the path of least resistance”. They want the maximum return for the minimum effort and cost, and if they can’t get it down one avenue, chances are they’ll try another. By and large this rule of thumb holds true across the board – so ensure your defences are better than average and you stand a good chance of being left alone.

But there’s one important addendum. Let’s not forget that cyber criminals operate in the physical world too.

Real world problems

It can sometimes be easy to forget that those “threat actors” at the other end of the internet are in fact real people. And true to the mantra, if they can’t find their way into an organisation the conventional way – via a malware-laden spear phishing email, or a regular credential-harvesting phish – they might instead look to compromise user credentials via some old-fashioned shoulder surfing.

Shoulder surfing, as the name suggests, is the nefarious art of reading a sensitive piece of information, like a password or PIN, from over a user’s shoulder. Imagine if that individual were a systems administrator with elevated account privileges. One quick shoulder surf and a criminal gang could have the keys to unlock your network within seconds. As the user has little or no knowledge of it happening, it could theoretically be as effective as a spear phishing email.

In fact, shoulder surfing is a valid enough threat to corporate information security that CESG – the information assurance arm of GCHQ – recently included it on its updated "10 Steps to Cyber Security" guide for businesses.

It warned:

"Some users will have to work in public open spaces where they are vulnerable to being observed when working on their mobile device, potentially compromising personal or sensitive commercial information or their user credentials."

Let’s just remember, this is the advice issued by Britain’s spy agency. And as we all know, it takes one to know one.

Shoulder surfing stress test

At Osirium we provide privileged user management and privileged session management technology, which removes the need for users with elevated privileges to remember or use passwords – so there are no credentials exposed during log-in for criminals to shoulder surf. However, many firms are still at risk from this decidedly old school tactic. So we decided to see exactly how easy it would be to shoulder surf using modern technology.

We chose a hard-to-distinguish password and assembled the following kit to help us spy from 25 metres away.

  • A keyfob camera costing £5.99 from eBay
  • GoPro 4 black edition
  • iPhone 6, with a well cleaned lens
  • A typical compact camera (Sony RX100 Mk III)
  • Canon 5D3 with 300mm f2.8 lens

The results were pretty concerning, and should provide food for thought for security bosses everywhere. To find out more about the research, watch our YouTube video or visit the full report here.
