We’ve all had a lot to worry about in the last couple of years – getting used to working from home, acclimating to having the kids home from school and underfoot, getting things back to “normal”, and for those of us who pay attention to such things, coming to grips with an increased level of cyberthreat.
Those of us who fall into the last category, in fact, have had a pretty stressful couple of years. Just as we learned to protect ourselves from the rise of formjacking, and worked out how to avoid the ransomware pandemic to keep our personal information safe, we’ve been hit with another piece of worrying news.
It’s this – hackers might be able to steal your password by watching how your shoulders move.
Video Call Snooping
That might sound like science fiction, but unfortunately it’s an all-too-real threat. A demonstration of the techniques required to do this comes from a group of University of Texas researchers, who published a technical brief on what they claim is a reliable framework: watching shoulder movements to determine what someone on the other end of a video call is typing.
The idea behind the process is simple enough. Using widely-available image analysis software, the researchers taught a neural net to identify the position of an individual’s shoulder. Then, by watching the way that their shoulders move from frame to frame on a video call, this same neural net was able to work out what they were typing. If they enter their password when on a video call, the system could extract it from the video.
The way in which this new system works is superficially similar to the old trick of working out the phone number that someone is dialing by listening to the sounds made by their phone keys. It’s possible that hackers can reconstruct the phone number with basic sound analysis software, as this article from the University of Melbourne explained.
Your password might be extracted from your body language on a video call in much the same way. At the moment, however, it’s unclear exactly how common this technique will become. When public-interest technologist Bruce Schneier highlighted the research on his blog, he noted that “accuracy isn’t great, but that it can be done at all is impressive.”
Although it is certainly impressive that researchers are able to extract passwords from a video feed, for users, this is unlikely to be their primary security concern.
In this context, it’s worth thinking about how you can protect yourself from this kind of attack. There are two primary ways of doing that.
The first is related to the recent research I’ve mentioned above. Video conferencing software can represent a vulnerability for users if they don’t use a secure password, and they don’t take basic steps to protect their devices from surveillance. When it comes to cybersecurity, it can be worth looking at more familiar types of security for guidance. About 60% of convicted burglars say the presence of a security system would cause them to attempt a burglary elsewhere, for instance. Following that logic into the digital world, it makes sense to put a security system on your digital devices as well as your house.
When it comes to preventing someone stealing your password via a video call, it’s worth considering using a password manager. With this kind of tool, you can use one “master” password to help protect your accounts, linked to your devices (or smartphone). Because the manager fills in your stored passwords for you, there is less typing for a camera to pick up.
Second, be aware that what you say over video conferencing software may not be private, especially if you are using the kind of software typically available to consumers. Some providers of this software have been slow to provide encryption for the video feed – or, indeed, even the audio feed – so it’s possible that everything you say could be spied on.
For that reason, it’s best to avoid giving out any personal information, and especially not your passwords, over a video chat, unless you are sure that it’s safe.
To return to where we started, it’s worth recognizing that the team behind the research to pull passwords from video calls has not seen any evidence that their experimental technique is being used in the real world. Still, and as the leader of that team noted, “It is good to be informed about such threats, as a user of such video calling/conferencing applications.”
This is because, though such attacks remain a niche concern right now, they may make it into the mainstream eventually. And then we’ll really have to start worrying.