Have you heard of Zoom Snooping?
Researchers say they can extract keystroke data from participants in a video call simply by tracking shoulder movements. A recently published study warns malicious players might use the technique to deduce personal passwords & proprietary business information.
A group of University of Texas researchers published a technical brief on what they say is a reliable framework – using shoulder movements (PDF) – that can ascertain what someone on the other end of a Zoom, Microsoft Skype or Google Hangouts video call is actually typing.
Researchers, led by Murtuza Jadliwala, set out to determine: “can an adversary, who is at one end of a video call, infer some potentially sensitive information about the participant at the other end which is not trivially visible/audible from the call?”
In a controlled test with a limited number of words, researchers averaged about 75% accuracy when it came to spying on participants.
Control factors included specific chairs, keyboards & webcam. Affecting accuracy, researchers noted, were determinants such as long hair, long sleeves or slow “hunt & peck” style typing.
“Being security/privacy researchers, & heavy users of such applications ourselves, we wondered what non-obvious private information one (with bad motives) can infer by being on the other end of such call/conference videos,” Jadliwala explained.
Can Your Shoulders Reveal What You Are Typing?
Most users are typically doing other things while participating in video calls & a lot of those tasks involve typing.
“This observation led us to investigate if it was indeed possible to infer what someone is typing by just observing the upper body of the user (in a video call),” Jadliwala said. “One of the reasons our attack framework targets image frames (in the video call) containing upper body/shoulders of the user is because that is the only portion of the body that is typically visible in most video calls.”
Small Pixel Shifts
He reported his team was able to read small pixel shifts in high-definition video around someone’s shoulders & upper arms, to see whether their movements were headed North, South, East or West. From there, the team could map keystrokes on a QWERTY keyboard to make inferences about the text.
While the technology is still experimental & needs work, the sheer volume of work, school & social life being done on high-definition video calling platforms is driving cyber-security researchers to take a tough look at their vulnerabilities.
Public-Interest Technologist Bruce Schneier recently highlighted the research on his blog, writing that “Accuracy isn’t great, but that it can be done at all is impressive.”
Video Conferencing Faces Big Security Challenges
Video conferencing platforms have struggled recently to keep up with the security demands of their increased user base. Zoom “bombings” were an early issue, where people interrupted meetings with hate speech, pornography or otherwise jarring or inappropriate content; one such hijacking went live on national TV during a US House Oversight Committee hearing last April.
Zoom was sued over claims it provided encryption that users said was not there. The company later announced it would provide end-to-end encryption, initially only for its paid subscribers, but was later pressured to roll out E2EE for basic users too.
In early Oct., Cisco issued patches for 3 “high-severity” flaws & 11 “medium-severity” ones in Webex, another popular high-definition video conferencing platform, as well as in its video surveillance IP cameras & Identity Services Engine network admin software.
Users who are worried about their keystrokes being mapped over video conferencing can take a few simple steps to protect their data, according to Jadliwala & his team.
First, use existing tools to blur the background during calls. The researchers experimented with blurring & found it cut their ability to decipher words from 65% down to as low as 13%.
“These results show that blurring is an effective mitigation technique, which imposes little efficiency & quality overheads,” the report commented.
Pixelation & frame skipping, much like blurring, were also effective at mitigating the team’s ability to read keystrokes, according to the report.
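To show why pixelation blunts the “small pixel shift” signal, here is an added toy example (not the researchers’ code, and it models nothing of their framework beyond a horizontal shift of a bright region standing in for a shoulder): it measures the best horizontal alignment between two constructed 12x12 frames, at full resolution and again after block pixelation, and shows that shifts smaller than the block size are no longer resolvable while shifts as large as the block still are.

```python
# Added example, not from the article or the UT researchers' framework.
# Constructed 12x12 grayscale frames: a bright rectangle (a stand-in "shoulder") on a dark background.
SIZE = 12

def make_frame(shift):
    """Constructed frame: the 'shoulder' covers rows 3..8, columns 4+shift..7+shift."""
    frame = [[0.0] * SIZE for _ in range(SIZE)]
    for r in range(3, 9):
        for c in range(4 + shift, 8 + shift):
            frame[r][c] = 1.0
    return frame

def shift_cols(frame, dx):
    """Move a frame dx columns to the right (negative dx moves it left)."""
    out = [[0.0] * SIZE for _ in range(SIZE)]
    for r in range(SIZE):
        for c in range(SIZE):
            if 0 <= c + dx < SIZE:
                out[r][c + dx] = frame[r][c]
    return out

def sad(a, b):
    """Sum of absolute pixel differences between two frames."""
    return sum(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

def estimate_shift(ref, cur, max_dx=4):
    """Horizontal displacement of cur relative to ref that best aligns the two frames."""
    return min(range(-max_dx, max_dx + 1), key=lambda dx: sad(shift_cols(ref, dx), cur))

def pixelate(frame, block):
    """Replace every block x block cell with its mean value (the pixelation mitigation)."""
    out = [row[:] for row in frame]
    for r0 in range(0, SIZE, block):
        for c0 in range(0, SIZE, block):
            cells = [frame[r][c] for r in range(r0, r0 + block) for c in range(c0, c0 + block)]
            for r in range(r0, r0 + block):
                for c in range(c0, c0 + block):
                    out[r][c] = sum(cells) / len(cells)
    return out

def recovered_shift(true_shift, block=1):
    """Shift an observer measures between two frames, optionally pixelated first."""
    ref, cur = make_frame(0), make_frame(true_shift)
    if block > 1:
        ref, cur = pixelate(ref, block), pixelate(cur, block)
    return estimate_shift(ref, cur)

if __name__ == "__main__":
    print(recovered_shift(1))     # 1: a one-pixel shift is measurable at full resolution
    print(recovered_shift(1, 4))  # 0: after 4x4 pixelation the same shift is no longer resolvable
    print(recovered_shift(4, 4))  # 4: motion as large as the block size still survives pixelation
```

The last line is the caveat: pixelation only hides motion finer than its block size, so the block must be coarse relative to the shoulder movements being suppressed.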
Jadliwala adds there is no reason for alarm: no real-world attempts to interpret keystrokes over video conferencing have been seen.
“However,” he concluded, “it is good to be informed about such threats as a user of such video calling/conferencing applications.”