People you're video-conferencing with on Zoom, Google Hangouts or Skype might be able to guess your passwords, researchers say, due to the tiny arm and shoulder movements you make while you type.
"If a participant in a video call is not careful, he/she can reveal his/her private information to others in the call," states the academic paper "Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks."
Any kind of video conferencing is vulnerable to this attack, as long as the meetings can be recorded, say Mohd Sabra and Murtuza Jadliwala of the University of Texas at San Antonio and Anindya Maiti of the University of Oklahoma. And any kind of typed private information can be revealed.
"An adversary could also potentially target videos obtained from public video sharing/streaming platforms such as YouTube and Twitch [or] archived videos of live exposition/events," the research paper noted. "All an adversary needs for the attack is a video stream."
How this all works
The attacker would need to record the meeting or the stream, and the webcam used would have to be high-definition; 1080p video worked better than 720p. (4K video was not tested but would likely work even better.)
But after that, it's just a matter of feeding the video through a computer program that chops out the background, focuses on your face to create a reference point and then measures the movements of your arms and shoulders relative to your face.
Whose face it is doesn't matter, and your hands and your computer keyboard do not need to be visible.
"We assume that both shoulders and upper arms are within the field-of-view of the webcam," the paper says, "which is a practical assumption because desktop and laptop webcams are often positioned centrally with respect to the user."
Once that's done, the program analyzes the differences frame-by-frame in the positions of your arms and shoulders. It can pretty accurately tell which keyboard keys you're hitting on a standard QWERTY keyboard. It then compares its results against a long list of thousands of English words and commonly used passwords.
75% of the time, it works every time
In controlled settings with only a few possible office chairs, webcams, laptops and keyboards, and with 20 test subjects typing one of 300 preselected words in random order, the program was about 75% accurate.
When test subjects were on their machines at home in uncontrolled settings and could type whatever they wanted, accuracy was only about 20% for both random words and passwords.
However, if a test subject's password happened to be one of the 1 million most commonly used passwords, then the program accurately guessed it about 75% of the time — just another argument for using strong, secure passwords as well as one of the best password managers.
And if the program already knew the participants' email address or name, then it was better than 90% right at guessing when the person typed that in — and when a password would immediately follow.
How to keep people from Zooming in on your passwords
So how can you stop your fellow Zoom meeting participants, or people watching you on Twitch or YouTube, from telling what you're typing? The researchers had several suggestions:
Wear sleeves
The program did better when the subject was wearing a sleeveless shirt than one with either short or long sleeves.
Put something over your shoulders
Long hair over the shoulders messed up the results in the test, and so did headphone wires. A scarf might work too.
Learn how to touch-type
The program had a harder time detecting words that were touch-typed with 10 fingers than words that were typed using the two-finger hunt-and-peck method. "Hybrid" typing that uses 2 to 6 fingers was in-between.
Sit in a chair that rolls or swivels
It was harder to detect shoulder and arm movements when the whole body was moving around.
Use dim lighting
The program didn't work well if there wasn't much contrast between the subject's body and the background.
Blur or pixelate your video stream
This would naturally make minute movements harder to detect, although it wouldn't make you look very good.
Skip or drop frames
The word-guessing program needs to compare one frame of video to the next, so if frames are missing, it has a more difficult time. The researchers suggested that video-conferencing software makers could make sure frames are randomly dropped when meeting participants type.
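As an added example (not code from the paper, the article, or any conferencing vendor), here is a small Python model of two of the mitigations above: pixelating frames, and randomly dropping frames while the local client sees keyboard activity. Frames are modelled as 2-D lists of 8-bit grayscale values, the per-frame typing signal is assumed to come from the client's own keyboard events, and the block size, drop probability and the cap on consecutive drops are hypothetical parameters chosen for illustration. The constructed edge frames at the end show the check a developer would want: that a one-pixel shift produces a much smaller per-pixel change after pixelation.

```python
import random
from typing import List, Optional, Sequence

Frame = List[List[int]]  # one grayscale webcam frame: rows of 0-255 values


def pixelate(frame: Frame, block: int) -> Frame:
    """Return a copy of `frame` with every block x block tile replaced by the
    tile's mean value (rounded half up).  Movements smaller than a tile, such as
    the shoulder and arm shifts the attack measures, are attenuated."""
    height, width = len(frame), len(frame[0])
    out = [row[:] for row in frame]
    for y0 in range(0, height, block):
        for x0 in range(0, width, block):
            ys = range(y0, min(y0 + block, height))
            xs = range(x0, min(x0 + block, width))
            count = len(ys) * len(xs)
            total = sum(frame[y][x] for y in ys for x in xs)
            mean = (total + count // 2) // count
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def drop_frames_while_typing(frames: Sequence[Frame], typing: Sequence[bool],
                             drop_prob: float = 0.5, max_consecutive: int = 2,
                             seed: Optional[int] = None) -> List[Optional[Frame]]:
    """Randomly replace frames with None (a dropped frame) while the local client
    reports keyboard activity.  The cap on consecutive drops is a design choice
    assumed here so the call stays watchable; frames are never dropped when
    nobody is typing."""
    if len(frames) != len(typing):
        raise ValueError("one typing flag per frame is required")
    rng = random.Random(seed)
    out: List[Optional[Frame]] = []
    run = 0  # consecutive drops so far
    for frame, is_typing in zip(frames, typing):
        if is_typing and run < max_consecutive and rng.random() < drop_prob:
            out.append(None)
            run += 1
        else:
            out.append(frame)
            run = 0
    return out


def kept_indices(stream: Sequence[Optional[Frame]]) -> List[int]:
    """Indices of frames that survived dropping."""
    return [i for i, f in enumerate(stream) if f is not None]


def privacy_filter(frames: Sequence[Frame], typing: Sequence[bool], block: int = 8,
                   drop_prob: float = 0.5, max_consecutive: int = 2,
                   seed: Optional[int] = None) -> List[Optional[Frame]]:
    """Apply both mitigations: drop frames during typing, pixelate the rest."""
    dropped = drop_frames_while_typing(frames, typing, drop_prob, max_consecutive, seed)
    return [None if f is None else pixelate(f, block) for f in dropped]


def edge_frame(edge_col: int, size: int = 8, bright: int = 100) -> Frame:
    """Constructed test frame: dark on the left of `edge_col`, bright from it on.
    Two such frames one column apart stand in for a small body movement."""
    return [[bright if x >= edge_col else 0 for x in range(size)] for _ in range(size)]


def max_pixel_change(a: Frame, b: Frame) -> int:
    """Largest per-pixel difference between two frames of equal size."""
    return max(abs(a[y][x] - b[y][x]) for y in range(len(a)) for x in range(len(a[0])))


if __name__ == "__main__":
    before, after = edge_frame(4), edge_frame(5)
    print("raw peak change:      ", max_pixel_change(before, after))
    print("pixelated peak change:", max_pixel_change(pixelate(before, 4), pixelate(after, 4)))
    stream = [edge_frame(4 + (i % 2)) for i in range(9)]
    typing = [True] * 9
    print("frames kept while typing:", kept_indices(privacy_filter(stream, typing, seed=1)))
```

The pixelation step only attenuates a one-pixel shift rather than removing it, which is why the article's advice pairs blurring with frame dropping: the inference needs consecutive frames to compare, and the cap on consecutive drops keeps the video usable while denying the attacker a continuous sequence during typing.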