Google Glass isn't just a way to show the world you're both technology-savvy and fashion-illiterate; it may also be a handy way to snoop PINs and other passcodes.
Many wearable devices, including smartwatches, contain small cameras that can inconspicuously record anyone nearby, and special software can then decode almost anything a person types into a keypad, says Xinwen Fu, an associate professor of computer science at the University of Massachusetts, Lowell.
"With the Glass and smartwatches, people are always wearing it. They don't need to get a phone out and hold it in your face and record you," Fu says. "They can just record you all the time without any outwardly suspicious actions."
Fu and his team have managed to hack Glass units to track the movement of users' fingers as they type in their PINs on iPads, ATMs and other devices.
"From the movement of your finger, the attackers could discover your password or your PIN," Fu says. "Whenever you touch the screen, we can figure out where you touch."
That means that a Glass user could, in theory, stand behind you in line at the ATM and easily snoop your ATM PIN with a very high degree of accuracy, even if they couldn't see your finger touch the individual keys.
Most of the reporting on Fu's research so far has focused on the PINs used to lock many mobile devices such as iPads, but the technology could just as easily be used to snoop out anything typed on a QWERTY keyboard, including a victim's mobile banking or other password, Fu says.
"We actually have a success rate of 90 percent to recover 4-digit PINs and also passcodes typed on QWERTY keyboards," Fu says.
Thankfully, because of the weak lenses found on many wearables, the range of this technique is limited, Fu says. However, a more powerful lens, like those found on a good camcorder, can snoop ATM PINs from up to 100 meters away, far enough that a snooper could potentially hide in a building across the street.
Google downplays the issue
In response to an article in Wired highlighting Fu's research, Google pointed out that the screen lights up when Glass is activated:
"Unfortunately, stealing passwords by watching people as they type them…is nothing new," a Google spokesman wrote in a statement. "We designed Glass with privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device."
But Fu says that doesn't necessarily have to be the case.
"The Glass uses Android, which is open source. You can disable anything you want. You can just turn off the display, and nobody will see you," he says.
Technology moving faster than passwords' security
Fu isn't saying that wearables are inherently bad (or planning on using the techniques he's developed to make extra cash).
"They are good. They will make our lives easier, and they will be ubiquitously deployed, but we just want to show people, with the benefit comes a danger," Fu says. "So we have to be careful, especially with mobile banking."
Until we find some other way of authenticating our identity in mobile banking that goes beyond typing into a keyboard, you may want to step into a private area to type in your password for mobile banking or other financial services, he says.
"Do not do mobile banking in public. That's too dangerous," Fu says.
What do you think? Do you feel freaked out when you see someone wearing Google Glass in public? Do you ever worry about someone snooping your passwords or PINs?
Follow me on Twitter: @ClaesBell.