by Andy Harris
Shoulder surfing is the art of reading a password from a screen, or as it is typed, from over the victim's shoulder. It's actually quite difficult to do unaided, particularly if the password appears only briefly or the intended victim is a fast typist.
In some recent commercial papers we were asked what we do to combat shoulder surfing. Since we separate users from passwords, the answer was obvious; however, we got to thinking about why a customer would be worried about shoulder surfing, and how modern technology might make it more of a threat. More to the point, does it affect the implementation of Privileged User Management?
We assembled the following kit:
We chose a password of PaS5word. The logic was that the 'S' and the '5' could be hard to distinguish, and that it would be possible to miss the '.' at the end due to resolution failures. In terms of typing, this password requires two uses of the shift key. As a matter of small interest, we found that a trained typist used the 'Caps Lock' key instead of the 'Shift' key.
The first test target was a Dell 15.4 inch 1920x1080 laptop running Windows 8 and Office. The passwords were placed in an Excel spreadsheet at the default settings, which meant the 11pt Calibri font. We made a second version in Courier 11pt, since this is another common default. Our second test target was an iPad 2 with the password displayed in an email.
We then made a series of rough tests just to see what could be done; this gave us the approximate limits for each device. Previously we had made enquiries with a couple of lens hire companies, who suggested that we would need a 1000mm+ lens to achieve any kind of distance; however, our initial DSLR tests showed that we would need a fair-sized space for the final tests.
We found an office that could give us a full 25 metre distance from camera to victim and set about finding the limits of each technology:
The keyfob camera has an 800x600 resolution. We expected to get about 0.5m but in the event only achieved 0.3m (laptop), which means you need to be sitting on the victim's desk to get a result. The keyfob camera kept crashing during the video tests, so those results are not shown.
Results against the iPad were much better. This is because the iPad uses more pixels to display each character, so even after aliasing issues and lens blur it is easier to read the password. In fact, across the board it was easier to read a password from the iPad than from the laptop.
We didn't hold out much hope for the GoPro, since it has a fixed wide-angle lens; however, in the actual tests we were getting a full 2m, and the quality of the image/video also helps with readability. We considered that a GoPro is easy to hide and has a great remote control facility, although its range would be within the office. The GoPro was the first device we used to video a password being typed. Here we found that over the shoulder was not a great position, because other fingers often occlude the finger making the keystroke. Directly above the keyboard worked better, but better still was to the side of the victim. The GoPro has a very useful 120 frames per second video rate that allows the video to be viewed at a very slow speed yet still retain quality and smoothness.
On the issue of typed passwords, even though a video may not show every key pressed, for the ones that cannot be read the possibilities can be reduced to 2-5 keys, because you know what area of the keyboard the finger moved in.
We had high expectations that the iPhone 6 would be a great stealth shoulder surfing tool. In actuality it has a fixed wide-angle lens and uses a digital zoom, which means that zooming in reduces the number of pixels in the final image, so we found that the native wide setting gave the best results. We couldn't do any better than 1.5m, but at 1.0m the image quality was pretty good (though not up to the standard of the GoPro4). Again the high frame rate on the video made typing easy to read. We found that the small lens and sensor size meant that camera shake was a real issue; for best results we wedged the iPhone against anything we could find to make it steady, hardly a stealth approach!
The compact camera has a combination of optical and digital zoom, so it fared much better in testing. The issue of camera shake returned at the longer zooms. You'll see the results in the video, which for fairness were made handheld.
Based on the previous tests and the hire companies' sucking of teeth, we didn't expect the order-of-magnitude better results that we found with the DSLR. Initially we used a cheap 2x converter with the 300mm lens, but we found that the optical distortions gave too much blur and flare for readable results. With the 300mm f2.8 stopped down to f5.6 we got clear passwords at 25m. We made a range of tests at different ISO settings; since the laptop screen is itself a light source we didn't need to go to the high ISO settings, and ISO 800 was perfectly adequate.
It's worth noting that the DSLR tests were made using a heavyweight rigid tripod; we felt this was fair, since if someone would go to the length of using a 300mm lens, they'd use a tripod. On the video you can see the slight shaking effect as people walked around the office near our test position.
At distance, video was difficult, due to the shallow angle between the camera and the victim's keyboard. However, if the camera was one floor up and could get a view down onto a keyboard, the results would be effective.
Once again the iPad was easier to read; the results in the video were gained at 15m, but only because we couldn't get any further away in the restaurant location.
| Tech | Distance to Screen | Distance to Keyboard |
|---|---|---|
| GoPro4 Black Edition 4K | 2.0m | 3.0m |
| Compact Camera (RX100 Mk III) | 3.0m | 4.0m |
| DSLR Canon 5D3, 300mm f2.8 | 25.0m | 15.0m |
Quite simply, one should be worried about the potential for shoulder surfing: at 1m an iPhone is both silent and effective, a compact camera would work across an office, and a DSLR could work between buildings in a city. Solutions that display passwords for cut-and-paste operations would certainly be at risk. Osirium does not display any passwords in normal use; however, this research has led us to change the way that we do break-glass.
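One concrete form of the "separate users from passwords" approach referred to above, added here as an illustration (this is not Osirium's code and does not describe their product): a credential broker hands the user a short-lived, single-use token, and the broker, not the user, supplies the password to the target, so nothing worth filming ever reaches the user's screen. The break-glass path shows the complementary control: if a password does have to be revealed, it is rotated immediately afterwards, because anything that has been displayed must be assumed captured. The class names, the 60-second token lifetime, the PBKDF2 parameters and the sample target and user names are all assumptions made for the example; the password is the one used in the tests above.

```python
"""Credential broker sketch (illustrative; not Osirium's implementation).

The user checks out a one-time token; the broker redeems it by logging in to
the target with the stored password. The password is never returned to the
user except on the break-glass path, which rotates it straight afterwards.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 60  # assumed lifetime of a checkout token


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme for the simulated target; any slow KDF would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Target:
    """Simulated managed system; stores only a salted hash of its password."""
    name: str
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, name: str, password: str) -> "Target":
        salt = secrets.token_bytes(16)
        return cls(name, salt, _hash(password, salt))

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.digest)

    def set_password(self, current: str, new: str) -> bool:
        if not self.login(current):
            return False
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(new, self.salt)
        return True


@dataclass
class Broker:
    """Holds the real passwords; users only ever handle tokens."""
    targets: dict = field(default_factory=dict)   # name -> Target
    vault: dict = field(default_factory=dict)     # name -> current password
    tokens: dict = field(default_factory=dict)    # token -> (user, name, expiry)
    audit: list = field(default_factory=list)     # append-only event log

    def add_target(self, target: Target, password: str) -> None:
        self.targets[target.name] = target
        self.vault[target.name] = password

    def checkout(self, user: str, name: str, now: Optional[float] = None) -> str:
        """Issue a short-lived token bound to this user and target."""
        now = time.time() if now is None else now
        if name not in self.targets:
            raise KeyError(name)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, name, now + TOKEN_TTL_SECONDS)
        self.audit.append(("checkout", user, name))
        return token

    def connect(self, user: str, token: str, now: Optional[float] = None) -> bool:
        """Redeem the token. It is consumed on first use, successful or not."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)   # single use
        if entry is None:
            self.audit.append(("reject", user, "unknown-or-used-token"))
            return False
        owner, name, expiry = entry
        if owner != user or now > expiry:
            self.audit.append(("reject", user, name))
            return False
        ok = self.targets[name].login(self.vault[name])  # broker supplies password
        self.audit.append(("connect", user, name))
        return ok

    def break_glass(self, user: str, name: str, reason: str) -> str:
        """Emergency reveal: return the password for display, then rotate it
        at once, because anything shown on a screen may have been captured."""
        revealed = self.vault[name]
        self.audit.append(("break-glass", user, name, reason))
        replacement = secrets.token_urlsafe(24)
        if not self.targets[name].set_password(revealed, replacement):
            raise RuntimeError(f"rotation failed for {name}")
        self.vault[name] = replacement
        self.audit.append(("rotate", "broker", name))
        return revealed


if __name__ == "__main__":
    # Constructed sample: one target, using the password from the tests above.
    broker = Broker()
    broker.add_target(Target.create("db01", "PaS5word"), "PaS5word")
    tok = broker.checkout("alice", "db01")
    print("screen shows only a token:", tok[:6] + "...")
    print("connected:", broker.connect("alice", tok))
    print("replay of the same token:", broker.connect("alice", tok))
    old = broker.break_glass("alice", "db01", "vault outage")
    print("old password still valid after break-glass:",
          broker.targets["db01"].login(old))
```

The screen only ever carries the token, which is useless after its first redemption or after `TOKEN_TTL_SECONDS`, so a camera pointed at the operator's display gains nothing from a normal session. The break-glass reveal is the one place a real password appears, and the rotation that follows it is what turns a filmed password into a dead one; the audit list records both events so the exposure window can be reviewed afterwards.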