Shoulder surfing, as the name suggests is the nefarious art of reading a sensitive piece of information over a user’s shoulder. Prime examples include passwords and PIN numbers. So, imagine that individual was a sysadmin with elevated account privileges. One quick shoulder surf and anyone could have the keys to your network in seconds. As the user has little knowledge of it happening, it could be as effective as a spear phishing email.
Cyber security professionals should remember that the bad guys always choose the path of least resistance. They want the greatest return for the least effort and cost. Furthermore, if they can’t get it down one avenue, chances are they’ll try another. This also holds true across the board; so ensure your security is apt to lower risk.
But there’s one important point here. Let’s not forget that cyber criminals work in the physical world too.
Real World Problems
It can be easy to forget that those ‘threat actors’ at the other end of the internet are in fact real people. Therefore, if they can’t infiltrate an organisation by regular means (a spear phishing email or regular phishing), they may instead look to shoulder surf the credentials.
In fact, CESG (now part of National Cyber Security Centre) deemed shoulder surfing harmful enough include it on its updated “10 Steps to Cyber Security” guide for businesses.
Some users will have to work in public open spaces where they are vulnerable to being observed when working on their mobile device, potentially compromising personal or sensitive commercial information or their user credentials.
Let’s remember, this is the advice issued by Britain’s spy agency. And as we all know, it takes one to know one.
Shoulder surfing stress test
At Osirium we provide privileged access management (PAM) and privileged session management (PSM) . Therefore we remove the need for users with elevated privileges to remember passwords. In addition, no credentials are exposed during login for criminals to shoulder surf. Yet many firms are still at risk from this old school tactic. So, we decided to see exactly how easy it would be to shoulder surf using modern technology.
We chose an indiscernible password and used the following kit to help us spy from 25 metres away.
- A key fob camera costing £5.99 from eBay
- GoPro 4 black edition
- iPhone 6, with a well cleaned lens
- A typical compact camera (Sony RX100 Mk III)
- Canon 5D3 with 300mm f2.8 lens
In conclusion, the alarming results should provide food for thought for security bosses everywhere.
Watch our video
To find out more about the research, watch this YouTube video.