Hacking threats often come from unexpected directions; this latest attack method is a case in point.
Security researchers are forever coming up with new and often surprising ways by which your data and systems can be hacked. I recently reported how such researchers were able to spy on conversations some 80 feet (25 meters) away by pointing an electro-optical sensor attached to a telescope at a light bulb. If you think that's extraordinary, prepare to be dumbstruck: researchers reckon they can grab your passwords by watching your upper arm movements during a Zoom call.
Giving new meaning to shoulder-surfing attacks
In a recently published paper titled "Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks," researchers from the University of Texas and the University of Oklahoma explained how they have been able to capture what people are typing during video calls with remarkable accuracy.
How accurate? How does up to 93% grab you? That was the upper limit, though, with 75% accuracy when using a specific and controlled set of chairs, webcams, and keyboards. When it comes to passwords, it was less accurate; more on that in a moment. However, what makes the research so extraordinary is that this video call hacking methodology is not focused on the hands of the caller. Instead, it is upper arm movements that are key to capturing keystrokes. This makes the threat more realistic in a real-world scenario as most of us tend to frame ourselves in a head and shoulders way when using tools such as Zoom, Google Chat, Skype or Teams.
Labs-based attacks are not the same as real-world ones
OK, before I get down to the technicalities of how this attack methodology works, let me start by saying that as with all lab-based experiments, things can be harder to pull off successfully in the real world. Sure, the accuracy metrics are impressive enough under lab conditions, but that doesn't mean that a hacker could replicate this against every target. Indeed, that 75% accuracy rate achieved in the lab dropped to about 20% when the environment wasn't closely controlled.
And talking of targets, unless you are an individual of particular interest for whatever reason, it's highly unlikely anyone would use such an attack against you. Not that they could, of course, as this is all research, and the software algorithm used is not out there in the hands of actual attackers.
However, it does remain a fascinating piece of research, and the threat model does have the potential to be yet another weapon in the armory of those who would compromise your systems and steal your data. "Keystroke inference attacks can have potentially dangerous consequences as the text typed can often be private in nature," the researchers state in their paper, "and can sometimes even contain sensitive information, such as credit card numbers, authentication codes, and addresses."
Keystroke inference attacks explained
So, with all that in mind, what is a keystroke inference attack when it's at home or in the lab, for that matter? Simply put, any attack method that infers what a user is typing by way of a side-channel, as in something other than looking at their hands and fingers at the keyboard. In the case of this research, Newton's third law of motion was used: whatever your personal typing style, when you press a key, a 'reaction force' in the opposite direction is produced.
This force then moves from the fingers on the keyboard all the way to the shoulder muscles and joints, which absorb it. This force creates small and subtle, but measurable, movements of the shoulders. Because each finger is connected by different wrist bones with different joints in the Carpus area, the researchers write, "the reaction force of a keystroke propagates slightly differently through the arm and shoulder muscles and joints, depending on which finger was used to press the key."
These visual differences can reveal the direction in which someone is typing, moving from one key to another, ultimately revealing what was typed using an algorithm that cross-references them with dictionary word-profiles. So, the attack would require someone to either be on the call you are making or to have hacked into it so as to be able to record the video. That video also needs to be of suitably high resolution for the software to analyze it correctly.
How much danger are your passwords in?
When it comes to passwords, the software correctly called them 75% of the time if they were included in the reference database of one million commonly used passwords. However, people using strong passwords, randomly generated ones, unique passphrases, and so on should be pretty safe for now. Only 18.9% of passwords were successfully recovered across the entire research as the software couldn't recognize those 74% of 'words' that were not in the reference database.
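To make the dictionary dependence concrete, here is an added example (not code from the paper or from this article) of a simplified model of the word-profile lookup described above, usable as a quick check of whether a letters-only password would even be a candidate. The key geometry, the 8-direction quantisation and the tiny reference list are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Assumed geometry: QWERTY letter rows with their usual horizontal stagger.
ROWS = [("qwertyuiop", 0.0), ("asdfghjkl", 0.25), ("zxcvbnm", 0.75)]
KEY_POS = {ch: (i + off, r)
           for r, (row, off) in enumerate(ROWS) for i, ch in enumerate(row)}
COMPASS = ["E", "SE", "S", "SW", "W", "NW", "N", "NE"]  # y grows downward

def direction(a, b):
    """Quantise the move from key a to key b into one of 8 directions."""
    (x1, y1), (x2, y2) = KEY_POS[a], KEY_POS[b]
    if (x1, y1) == (x2, y2):
        return "."  # same key pressed twice
    angle = math.degrees(math.atan2(y2 - y1, x2 - x1)) % 360
    return COMPASS[int((angle + 22.5) // 45) % 8]

def profile(word):
    """Sequence of inter-key directions; the letters themselves are discarded."""
    w = word.lower()
    if not all(c in KEY_POS for c in w):
        raise ValueError("model covers letter keys only")
    return tuple(direction(a, b) for a, b in zip(w, w[1:]))

def build_index(reference):
    """Map each direction profile to the reference words that produce it."""
    index = defaultdict(list)
    for w in reference:
        index[profile(w)].append(w)
    return index

def candidates(password, index):
    """Reference words an observer of directions alone could not rule out."""
    return list(index.get(profile(password), []))

# Constructed stand-in for the one-million-entry list the article mentions.
REFERENCE = ["password", "qwerty", "asdfgh", "dragon", "monkey", "letmein"]
INDEX = build_index(REFERENCE)

if __name__ == "__main__":
    for pw in ("qwerty", "dragon", "xkqjvm"):
        print(pw, profile(pw), candidates(pw, INDEX))
```

A password on the list comes back as a candidate (sometimes alongside others with the same profile), while a random string matches nothing, which is why passwords outside the reference database went unrecognized.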
The researchers do point out that while they only used the video feeds in their keystroke inference testing, combining this with audio feeds could further improve detection as sound can also be used as an effective side-channel.
Given that anything obscuring the target's shoulder and arm framing can dilute this attack method's success, mitigation techniques could include letting your hair grow very long, having a close up of your head only, or even wearing wired headphones that drape across the area. Then, as the researchers point out, there's the ambient lighting to consider as well. "Significant ambient lighting changes (during typing) also disrupt the efficacy of our prediction," they said. Oh, and "significant user movements while typing." I should be OK then as I have both a rolling office chair and great difficulty keeping still in it.
Seriously though, while all of this is truly fascinating for anyone interested in technology, and cybersecurity in particular, there are far greater risks that you need to worry about. As always, get the basics right and you mitigate the most meaningful threats out there. So, use strong and unique passwords that are not shared between services, apply two-factor authentication wherever you can, and keep your software and operating systems up to date.