Password may leak on Zoom and Skype calls — What to do

Password may leak on Zoom and Skype calls — What to do

The person you are videoconferencing with on Zoom, Google Hangouts, or Skype may be able to guess your password from the small arm and shoulder movements you make while typing, researchers have noted.

"If video call participants are not careful, they may reveal personal information to other participants in the call," according to the academic paper "Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Interference Attacks," an academic paper entitled "Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Interference Attacks. [Mohd Sabra and Murtuza Jadliwala of the University of Texas at San Antonio and Anindya Maiti of the University of Oklahoma say that any video conference can be subject to this attack as long as the meeting is recorded. And any kind of personal information entered could be revealed.

"Adversaries may also be able to target videos obtained from public video sharing/streaming platforms such as YouTube and Twitch (or archived videos of live expos/events)," the research paper notes. All an adversary needs for an attack is a video stream."

The attacker needs to record the meeting or stream, and the webcam used needs to be high-resolution. (4K video has not been tested, but would probably work even better.)

But after that, it is just a matter of cutting off the background, creating a reference point focused on your face, and running the video through a computer program that measures the movement of your arms and shoulders relative to your face.

It doesn't matter whose face it is; your hands or computer keyboard need not be visible. [This is a practical assumption because desktop and laptop webcams are often centered to the user.

Once that is done, the program analyzes the differences in arm and shoulder position frame by frame. It can determine quite accurately which keys on a standard QWERTY keyboard are being hit. It then compares the results with a long list of thousands of English words and commonly used passwords.

In a controlled environment with only a few office chairs, webcams, laptops, and keyboards, the program was about 75% accurate when 20 subjects typed any of 300 preselected pieces in random order.

When subjects typed whatever they wanted in an uncontrolled environment on their home machines, accuracy was only about 20% for both random words and passwords.

However, if the subject's password happened to be one of the million most commonly used passwords, the program guessed it correctly about 75% of the time.

Also, if the program already knew the person's email address or name, it could guess it more than 90% of the time when the person typed it in, and when the password was entered shortly thereafter.

So how do you keep your fellow Zoom meeting participants and those watching you on Twitch and YouTube from knowing what you are typing? The researchers have several suggestions:

The program worked better when subjects wore sleeveless shirts than when they wore short- or long-sleeved shirts.

Long hair over the shoulders ruined the test results. Scarves may also work.

The program had more difficulty detecting words typed by touch-typing with 10 fingers than it did words typed by the hunt-and-peck method with two fingers; "hybrid" typing, which uses two to six fingers, was somewhere in between.

Detecting shoulder and arm movements was difficult when the entire body was in motion.

The program did not work well when there was little contrast between the subject's body and the background.

This would naturally make it harder to detect minute movements.

Word-guessing programs have a more difficult time with missing frames because they need to compare one frame of video to the next. The researchers suggested that videoconferencing software makers allow for frames to be randomly missing as conference participants type.

.

Categories