Zoom and Skype calls can leak your password — what to do

best free zoom backgrounds
(Image credit: Zoom)

People you're video-conferencing with on Zoom, Google Hangouts or Skype might be able to guess your passwords, researchers say, due to the tiny arm and shoulder movements you make while you type.

"If  a  participant  in  a  video  call  is  not careful,  he/she  can  reveal  his/her  private  information  to  others in  the  call," states the academic paper "Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Interference Attacks."

Any kind of video conferencing is vulnerable to this attack, as long as the meetings can be recorded, say Mohd Sabra and Murtuza Jadliwala of the University of Texas at San Antonio and Anindya Maiti of the University of Oklahoma. And any kind of typed private information can be revealed.

"An adversary could also potentially target videos obtained from public video sharing/streaming platforms such as YouTube and Twitch [or] archived videos of live exposition/events," the research paper noted. "All an adversary needs for the attack is a video stream."

How this all works

The attacker would need to record the meeting or the stream, and the webcam used would have to be high-definition, with 1080p resolution better than 720p. (4K video was not tested but would likely work even better.)

But after that, it's just a matter of feeding the video through a computer program that chops out the background, focuses on your face to create a reference point and then measures the movements of your arms and shoulders relative to your face. 

Whose face it is doesn't matter, and your hands and your computer keyboard do not need to be visible.

"We assume that both shoulders and upper arms are within the field-of-view of the webcam," the paper says, "which is a practical assumption because desktop and laptop webcams are often positioned centrally with respect to the user."

Once that's done, the program analyzes the differences frame-by-frame in the positions of your arms and shoulders. It can pretty accurately tell which keyboard keys you're hitting on a standard QWERTY keyboard. It then compares its results against a long list of thousands of English words and commonly used passwords.

75% of the time, it works every time

In controlled settings with only a few possible office chairs, webcams, laptops and keyboards, and with 20 test subjects typing one of 300 preselected works in random order, the program was about 75% accurate.

Wen test subjects were on their machines at home in uncontrolled settings and could type whatever they wanted, accuracy was only about 20% for both random words and passwords. 

However, if a test subject's password happened to be one of the 1 million most commonly used passwords, then the program accurately guessed it about 75% of the time — just another argument for using strong, secure passwords as well as one of the best password managers.

And if the program already knew the partcipants' email address or name, then it was better than 90% right at guessing when the person typed that in — and when a password would immediately follow.

How to keep people from Zooming in on your passwords

So how can you stop your fellow Zoom meeting participants, or people watching you on Twitch or YouTube, from telling what you're typing? The researchers had several suggestions:

Wear sleeves

The program did better when the subject was wearing a sleeveless shirt than one with either short or long sleeves.

Put something over your shoulders

Long hair over the shoulders messed up the results in the test, and so did headphone wires. A scarf might work too.

Learn how to touch-type

The program had a harder time detecting words that were touch-typed with 10 fingers than words that were typed using the two-finger hunt-and-peck method. "Hybrid" typing that uses 2 to 6 fingers was in-between.

Sit in a chair that rolls or swivels

It was harder to detect shoulder and arm movements when the whole body was moving around.

Use dim lighting

The program didn't work well if there wasn't much contrast between the subject's body and the background.

Blur or pixelate your video stream

This would naturally make minute movements harder to detect, although it wouldn't make you look very good.

Skip or drop frames

The word-guessing program needs to compare one frame of video to the next, so if frames are missing, it has a more difficult time. The researchers suggested that video-conferencing software makers could make sure frames are randomly dropped when meeting participants type.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.