Using your iPad in a public place may never be the same again, with news that a new app has been created that allows unscrupulous users to steal passwords from unsuspecting iPad users.

The app, available for iOS devices as well as Apple’s Mac platform, uses a camera to watch which keys are being pressed on the iPad – and it’s even more clever than that.

Rather than just watching where your finger is pressing on the screen, the new app, called shoulderPad, actually detects the brief, blue flash which occurs when a key is pressed on any iOS on-screen keyboard. This means improved accuracy, as well as a greater distance from which it works.

Creepy stuff…

According to a blog post by the app’s creator, Haroon Meer, ‘shoulder surfing’ is what prompted the use of the humble asterisk to mask entered passwords, but this new method renders that security measure completely ineffective.

“We rarely talk about it these days, but shoulder surfing is a pretty old (but reliable) attack. This is why most password prompts are masked. Many modern mobiles (and tablets) however will highlight keys pressed on the keyboard making old style shoulder surfing attacks trivial (and reasonably automatable) again.

In an effort to (help) bring back the 90’s we decided to do some fiddling and built a quick app (on top of the awesome OpenCV framework) to automate shoulder surfing against iPads.”

This is also something that could (in theory, at least) be possible using CCTV, which means that our iPad passwords may never be safe again.

A real fix for this would be for Apple to remove the blue flash that is currently associated with the pressing of a key on the iOS on-screen keyboard, though we don’t expect to see that happen any time soon.

While we acknowledge that this is still a rather far-fetched security issue, we want to know: do you feel safe entering passwords on an iPad?

  • I always hunch over my iPad/iPhone when entering passwords in a public place that might have CCTV cameras.

  • Dracossaint

    Typo at the bottom, it reads “do you fell save”, just a heads up and glad I own an iPhone hahaha, I’m “safe”

  • David

    Could Apple not just remove the blue flash on certain keyboards like the lockscreen passcode one or the email one?

  • Neil

    Is it possible to create a program to read your thumb or fingerprint like my laptop computer?

  • Bildo

    I think I would be able to tell if someone was up on my nutsack with a camera device while I was typing a password

  • Rob

    I guess the only caveat is the keyboard layout. An automated process would use the key location, so perhaps switching your layout while entering a password could help.

    Also, this is a good argument in favor of a pasteboard built into the copy/paste system, à la action menu via jailbreak. That way there are no keystrokes.

    Also a password manager solves this.

    Of course this is all useless for the unlock screen. I guess there you just have to cover your fingers.

    Of course

  • That’s pretty crazy. There needs to be a tweak that removes the blue glow from the keys.