Stealing Passwords by Observing Hands Movement

The use of mobile phones in public places opens up the possibilities of remote side channel attacks on these devices. We present a video-based side channel attack to decipher passwords on mobile devices. Our method uses short video clips ranging from 5 to 10 s each, which can be taken unobtrusively from a distance and do not require the keyboard or the screen of the phone to be visible. By relating the spatiotemporal movements of the user’s hand during typing and an anchor point on any visible part of the phone, we predict the typed password with high accuracy. The results on a dataset of 375 short videos of password entry process on a Samsung Galaxy S4 phone show an exponential reduction in the search space compared to a random guess. For each key-press corresponding to a character in the passwords, our method was able to reduce the search space to an average of 2–3 keys compared to ~30 keys if one has to guess the key randomly. Thus, this paper reaffirms threats to smartphone users’ conventional login in public places and highlights the threats in scenarios such as hiding the screen that otherwise gives the impression of being safe to the users.