The risk of attack by cyberspies is increasing and thanks to emerging technologies it’s harder than ever to keep passwords away from prying eyes.
Don’t look now, but someone’s spying on you. Are spooks bugging your conversations? Could secret agents be tailing you in that unmarked car? Or is there a minuscule hidden camera in that gentleman’s signet ring? Much more real than all these James-Bond-like scenarios is the threat of cybercrime. Spying has changed: instead of focusing attention on high-value individuals, cyberspies now snoop on millions of us simultaneously, searching for holes in our online security. Once you develop any kind of digital existence, from an email login to an Amazon account, you’re a target. The hackers don’t care who you are - but their constantly evolving methods put you at risk.
Technology trends affect our exposure. Ofcom figures show that over a quarter of UK adults and half of teenagers now have a smartphone, and that they send more texts than owners of basic mobile phones. But despite their convenience, smartphones open the door to new forms of cybercrime. On phones, we tend to avoid complex passwords - the very kind experts advise we use when logging into accounts and making purchases online - usually because typing special characters such as ‘%’, and even numerals, means switching between several keyboard layouts on a touchscreen, and we just can’t be bothered.
Computer vision scientists at the University of North Carolina have revealed a surprising new way to compromise smartphone security. In work presented at the ACM Conference on Computer and Communications Security (CCS) in Chicago they showed an effective way to recover every word typed on a person’s smartphone screen.
From up to 60m away, scientists Fabian Monrose and Jan-Michael Frahm were able to reconstruct a message typed on the screen from video footage. “We found it was possible to automatically recover typed text, from reasonable distances, even using low-budget equipment,” says Monrose. “It’s a worrying finding because it’s not easy to defend against this threat.”
The project, dubbed iSpy, exploits the on-screen keyboard of smartphones such as the iPhone, which for convenience pops up an enlarged copy of each key as you press it. By capturing footage with an off-the-shelf video camera, then stabilising the frames and analysing the magnified keys, Monrose and colleagues successfully reconstructed complex sentences.
At such distances it was a challenge to work out which of two adjacent keys had been pressed. “The low resolution and the noise in the images can make the process prone to errors, if the approach isn’t robust,” explains Monrose. Rather than trusting each frame on its own, iSpy fed the candidate keys into a language model that picks the most probable text given the surrounding context - reaching an impressive 90 per cent accuracy.
iSpy a threat to security
The findings confirmed the team’s initial suspicion that modern computer vision techniques could threaten mobile phone security. But even they were surprised at the efficacy of iSpy. When the human eye would struggle to make any sense of low-resolution images, iSpy still had little problem in quickly detecting the text typed. The team managed to decode messages captured surreptitiously on a moving bus, and also from screens seen in the reflection of the user’s sunglasses, at up to 12m away.
Because of the rapid, automated nature of iSpy’s process, it would theoretically be possible to spy on multiple phone screens from a single video. “Although we’ve not tested this specifically, we believe our techniques can be scaled to scenes with large numbers of people - assuming, of course, you are able to grab video of the screens of each device,” confirms Monrose.
That scenario might be some way in the future, but it illustrates the ever-escalating struggle between hackers and users. And however virtual the attack of a cyberspy, it’s nonetheless always painful to be a casualty. My Gmail account was compromised a few months ago when hackers learned my password. They sent a pleading message to my contacts, telling them I’d been mugged in Spain. Before I regained access to the account, a kind-hearted friend had sent hundreds of pounds directly to the scammers. I also lost months of ‘sent’ email - the one part of my electronic data that wasn’t regularly backed up.
There are many, many similar stories. Mat Honan, a staff writer at Wired magazine whom you might expect to be immune from such things, recently had his digital identity stolen, his email, iPad and laptop wiped, his Twitter account hijacked, and all the photos of his daughter’s first year deleted. That’s a really bad day at the office.
Honan freely admitted he could have protected himself better by turning on two-factor authentication (Google calls its version 2-Step Verification). This protects your account by requiring, on top of your password, a one-time numeric code sent to your mobile phone when you log in, so a stolen password alone is not enough to get in. Two-factor authentication would have entirely protected me from my scammers - and I now have it fully enabled.
But the attack on Honan was different: the hackers pieced together details of his life, including his billing address and the last four digits of his credit card number, which were enough to talk Apple’s support staff into resetting his Apple ID password for them, believing they were dealing with Honan himself. That reset gave them the foothold to take over his other accounts.
And it’s often human factors like this that are a weakness in security systems. Much personal information can today be reconstructed from data legitimately available on the Internet, rendering the idea of ‘secret questions’ like ‘what is your mother’s maiden name?’ invalid as an indicator of authenticity.
Being password secure
Security and convenience sit at opposite ends of the spectrum when it comes to choosing a memorable password, and we are sometimes our own worst enemies. The password that the hackers used to access my Gmail was one I had used on many sites for many years (oh, the shame!). Any small site with weak security that stored its passwords as typed, rather than in ‘hashed’ form, could have been breached and my password read straight out of its database. From there all it takes is an automated program that tries every leaked username and password pair against other services - webmail, shopping, banking - and forwards any that work to a real human being to see whether they give access to anything interesting.
At Cambridge University, Joseph Bonneau has been studying password security, making findings he described as ‘troubling’ in a paper presented at the 2012 IEEE Symposium on Security and Privacy. Unusually for this field, Bonneau was able, with Yahoo!’s permission, to analyse the passwords of nearly 70 million of its users - the largest reliable dataset ever studied - with the passwords hashed before analysis so that no individual’s password was ever exposed.
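As an added example (not code from any site mentioned here; the users, sites and passwords are constructed), here is the weak plaintext store beside a salted-hash store, the credential-stuffing loop that turns a breach of the first site into logins at the second, and the offline wordlist attack that is all an attacker can do with the hashed dump. The PBKDF2 iteration count is kept low so the example runs in about a second.

```python
"""Plaintext vs salted-hash password storage, credential stuffing, and what a
hashed dump still gives away. Added example; all accounts are constructed."""
import hashlib
import hmac
import os


class PlaintextStore:
    """The 'small site with weak security': passwords kept exactly as typed."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def check(self, user, password):
        return self.users.get(user) == password

    def dump(self):
        """What a database breach hands the attacker: every password, readable."""
        return dict(self.users)


class HashedStore:
    """Per-user random salt + PBKDF2-HMAC-SHA256; only salt and digest are kept."""

    ITERATIONS = 50_000  # low so the example is quick; production uses far more

    def __init__(self):
        self.users = {}

    @classmethod
    def _kdf(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._kdf(password, salt))

    def check(self, user, password):
        record = self.users.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._kdf(password, salt), digest)

    def dump(self):
        """A breach here leaks salts and digests, never the passwords themselves."""
        return {u: (salt, digest) for u, (salt, digest) in self.users.items()}


def credential_stuffing(leaked_pairs, target):
    """Replay every leaked username/password pair against another service.

    This is the 'automated program' from the text: it needs plaintext pairs,
    which only the weak site's breach provides.
    """
    return sorted(u for u, pw in leaked_pairs.items() if target.check(u, pw))


def crack_hashed_dump(dump, wordlist):
    """Offline guessing against a salted-hash dump.

    Each guess costs a full KDF run per user (the salt defeats precomputation),
    so only passwords that appear in the wordlist are recovered.
    """
    found = {}
    for user, (salt, digest) in dump.items():
        for guess in wordlist:
            if hmac.compare_digest(HashedStore._kdf(guess, salt), digest):
                found[user] = guess
                break
    return found


def demo():
    forum = PlaintextStore()  # constructed: the weak site
    bank = HashedStore()      # constructed: the sensitive site
    forum.register("alice", "Tr0ub4dor&3")  # alice reuses this everywhere
    bank.register("alice", "Tr0ub4dor&3")
    forum.register("bob", "password123")
    bank.register("bob", "xk9#Lm2!qP7v")   # bob uses a distinct password
    bank.register("carol", "password123")  # carol picked a wordlist password
    common = ["123456", "password", "password123", "letmein", "qwerty"]
    stuffed = credential_stuffing(forum.dump(), bank)   # alice falls to reuse
    cracked = crack_hashed_dump(bank.dump(), common)    # only carol falls to guessing
    return stuffed, cracked


if __name__ == "__main__":
    print(demo())  # (['alice'], {'carol': 'password123'})
```

Hashing at the bank does nothing for alice, whose reused password arrives in plaintext from the forum's breach; it protects her only if the bank is the site that leaks. That is why the next paragraphs matter: a strong hash buys time against guessing, but not against a password the guesser already has.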
Bonneau’s research confirmed that generally we’re pretty poor at coming up with passwords that will survive even the most rudimentary attack. More worrying still, people didn’t even tend to use a trickier password when they were protecting a sensitive target such as a bank account. While over-55s chose slightly better passwords, users between the ages of 13 and 24 were more likely to use vulnerable passwords than any other age group.
“People tend to choose passwords that are relatively easy to guess,” says Fabian Monrose. iSpy, for example, recovered passwords remarkably easily, even though its decoder leans on a language model that should be of little help against random strings. Users must have been choosing ordinary words and predictable patterns as passwords instead of random strings of characters.
Yet other work by Bonneau and colleagues shows that passwords still have a lot to recommend them in terms of that ever-desirable convenience. One day perhaps we’ll scan our irises or fingerprints when logging in, but deploying the hardware to allow this is a remote possibility for now.
The benefits of using a smartphone do outweigh the risks, agrees Monrose, who still carries an iPhone. However, he considers iSpy’s snooping success shows it’s a real and present danger. Would James Bond and other international spies appreciate the value of an iSpy gadget to outwit their latest foe?
“Who says Bond doesn’t already have one?” quips Monrose.