Hackers may be able to guess your passwords and much more by analysing your body position whilst on a video conferencing call, experts have claimed.
The way people move their shoulders when typing on Zoom calls can betray what keys they are pressing, allowing hackers to potentially identify specific entries, according to researchers from the University of Texas at San Antonio.
The team found that when analysing clips of upper arm movements, they could reconstruct the keys people had pressed in Zoom with around 93% accuracy – with Skype and Google Hangouts (now Google Chat) also affected.
“From a high-level perspective, this is a concern, which obviously has been overlooked for a while,” report author and assistant professor of computer science at the University of Texas at San Antonio Murtuza Jadliwala said.
“And actually, to be really frank, we didn’t start this work for COVID-19. This took a year… But we started realizing in COVID-19, when everything [is in video chat], the importance of such an attack is amplified.”
Jadliwala told Fast Company that the issue was down to the stream quality used in video conferencing services, and particularly the movement of pixels in high-quality streams seen in the likes of Zoom.
His team was able to analyse the subtle pixel shifts around someone’s shoulders when typing to spot when the user was moving in one of the four main directions – north, south, east, and west. This matters because, when typing a specific word, a user will move around the keyboard in one of these directions to press different keys.
Using this information, the researchers created software that cross-referenced these movements with “word profiles” that used an English dictionary to turn the sequence of movements into potential words.
The team noted that they were able to obtain these results without the use of any particularly sophisticated machine learning or AI technology, showing how easy it could potentially be for hackers to exploit.
They did encounter some issues when testing the software, noting that in a lab setting, the average accuracy was around 75%. The system also seemed to struggle more with long sleeves than with short sleeves, and sometimes had trouble with subjects who had long hair covering their shoulders. Slow typists were also surprisingly harder to track, and lighting was found to play a role as well.
However, Jadliwala was still keen to note that the vulnerability could be expanded upon and exploited, and urged vendors such as Zoom to ensure their users are protected.
“A lot of times, the way responsible [security] research works, if I find a problem with Zoom or Google’s software, I’m not going to even publish it. I’m going to contact them first,” he noted. “But our research is not Zoom or Google specifically. They cannot do anything about it at the software level in some sense.”