Think I found a new security issue with the iPad (or any tablet computer for that matter). And I can only call it Password Silhouetting.
We are all familiar with shoulder surfing. Particularly when flying. Laptops without a polarized lens on them are quite easily seen from two or three rows behind you while you type away at 36,000 ft. The amount of confidential company information that was so carefully protected so only the authorized user was able to access it is being worked on in an environment that could not be worse from a security standpoint. Tight quarters, prying eyes, business folks who may or may not be friendly.
Personally, I have seen almost weekly presentations being worked on for confidential clients (I know who the client is, who is making the presentation, what the content is, etc.). Truth: I actually saw a businessman work out the layoffs he was about to commit to. I could have capitalized on that information.
But even with shoulder surfing, the prize jewels, the UserID/Password, were always somewhat hard to see, particularly the password. The user’s hands are on the keyboard and the password field is masked, so I can get the userID, but unless I can sight-read the finger keystrokes, I am left without the password. Some passengers check email after landing, so I can also observe the email box they are working with.
But last night I saw my first evidence of a new security issue around tablet computers I had not thought of before. We were coming in after 11:30 PM into Newark (don’t ask, successful, but long day). The tray tables were up, we were buckled in, and the cabin lights had been dimmed. Never sure why they do that; it always seemed unnecessary to dim the lights, since the pilot is sealed into the front cabin. And if there was an emergency, we would be in the dark until someone turned on the light.
But I digress.
We land, with the cabin pretty dark inside, and roll to a stop. We get the obligatory “Let us be the first to welcome you to Newark…” near-midnight speech and the all clear to use electronic devices. And that’s just what one road warrior in the front row facing the bulkhead did. Showing he’s more cool than the rest of us, he fired up his iPad and logged into his email and corporate network.
But what he did not realize was he was showing the entire cabin his login credentials, which I caught a part of on my camera as I was checking my phone for messages.
You see, one of the great features of iPads and their kind is the very advanced and very bright backlit screens. And in this dark cabin, the bright screen lit up and projected an inverted mirror image of the tablet screen on the bulkhead just in front of him. Granted, it was not very clear, but I could tell he was opening a browser and typing a URL, then typing in a user ID and password.
And because the keyboard now rides on the bottom half of the tablet’s screen, the passenger was giving us a finger shadow show of him logging into his email. The grey silhouettes of his fingers moving back and forth as he plucked out the user’s credentials. Granted, it was not an exact science, but here I was, nearly five rows back, and I could capture it all on my cell phone video.
Later on, I can replay that video, flip it to remove the mirroring of the image, and I would have a pretty clear show of the finger movements needed to log in. I may not have whether it was a ‘t’ or a capital “T”, but I would be starting my hack with a lot of starting information to cut down the time to brute-force attack the user’s site. Just check his bag tags for any company identifier and I could start figuring out what system the man just logged into.
So, I call it silhouetting, a form of shoulder surfing that can broadcast your credentials not only to the guy behind you, but to the entire section of the plane. It would help more if they were by a window to enhance the reflection surface. I could easily get the screen and the typing motions from many feet away.