We’ve all had a lot to worry about in 2020 – getting used to working from home, acclimating to having the kids home from school and underfoot, and for those of us who pay attention to such things, coming to grips with an increased level of cyber threat.
Those of us who fall into the last category, in fact, have had a pretty stressful year. Just as we learned to protect ourselves from the rise of formjacking, and worked out how to avoid the ransomware pandemic to keep our personal information safe, we’ve been hit with another piece of worrying news.
It’s this – hackers might be able to steal your password by watching how your shoulders move.
That might sound like science fiction, but unfortunately it’s an all-too-real threat. A demonstration of the techniques required to do this comes from a group of University of Texas researchers, who recently published a technical brief on what they claim is a reliable framework: watching shoulder movements to determine what someone on the other end of a Zoom, Microsoft Skype, or Google Hangouts video call is typing.
The idea behind the process is simple enough. Using widely available image analysis software, the researchers taught a neural net to identify the position of an individual’s shoulders. Then, by watching the way those shoulders move from frame to frame on a video call, the same neural net was able to work out what the person was typing. If they enter their password while on a video call, the system can extract it from the video.
The way in which this new system works is superficially similar to the old trick of working out the phone number that someone is dialing by listening to the sounds made by their phone keys. As this article from the University of Melbourne explains, it’s possible that hackers (or in this case a university student) can reconstruct the phone number of powerful CEOs with basic sound analysis software.
Now, your password can be extracted from a video call in much the same way. At the moment, however, it’s unclear exactly how common this technique will become. When public-interest technologist Bruce Schneier recently highlighted the research on his blog, he noted that “accuracy isn’t great, but that it can be done at all is impressive.”
The Security of Videoconferencing
For those worried about the general security of video conferencing tools, this will come as unwelcome, if expected, news. The past year has brought many stories highlighting the vulnerabilities of these apps. With the global economy likely to remain largely Work From Home (WFH) into the future, you can no longer afford to ignore the growing frequency of this general threat, regardless of which OS you use, mobile or otherwise: Windows, Android, iOS, or any other.
Most of the problems are not quite as exotic, or as sophisticated, as the research I’ve mentioned above. In fact, many of the vulnerabilities that affect video conferencing software would be regarded as fatal flaws in other types of software.
Take Zoom as an example. The company has certainly had a good year when it comes to their usage statistics, but far less so when it comes to stories about their security. First, it was sued for saying that it provided end-to-end encryption to all users when it didn’t. Then, it said that it would, after all, provide this encryption, but only to premium users. Then, finally, and under pressure from the EFF, it decided to give everyone this basic level of protection.
Let’s not single Zoom out for criticism, though. Other providers have also failed to take the security of video conferencing seriously. Cisco’s Webex, another popular high-definition video conferencing platform, recently issued patches for three high-severity flaws and 11 medium-severity vulnerabilities. These flaws affected its conferencing system’s video feed, IP cameras, and Identity Services Engine network admin software. Some have suggested that they could have been present for years.
My point here is that, though it is certainly impressive that researchers are able to extract passwords from a video feed, for users of this software this is unlikely to be their primary security concern. This software contains more than enough vulnerabilities to cause concern, even before this new route to your personal information opened up.
In this context, it’s worth thinking about how you can protect yourself from this kind of attack. There are two primary ways of doing that.
The first is related to the recent research I’ve mentioned above. Video conferencing software represents a vulnerability for a lot of users because they don’t use a secure password, and they don’t take basic steps to protect their devices from surveillance. When it comes to cyber security, it can be worth looking at more familiar types of security for guidance. About 60% of convicted burglars say the presence of a security system would cause them to attempt a burglary elsewhere, for instance. Carrying that logic over into the digital world, it makes sense to put a security system on your digital devices as well as on your house.
When it comes to preventing someone from stealing your password via a video call, this means one thing: get a password manager. With this kind of tool, a single “master” password unlocks a vault holding a different password for each of your accounts, tied to your devices (or smartphone). Because no two accounts share a password, even if one of your passwords is stolen, a hacker will not get access to all of your accounts.
Second, be aware that what you say over video conferencing software is not really private, especially if you are using the kind of software typically available to consumers. Because the providers of this software have been slow to provide encryption for the video feed – or, indeed, even the audio feed – it’s possible that everything you say could be spied on.
For that reason, you shouldn’t give out any personal information, and especially not your passwords, over a video chat.
To return to where we started, it’s worth recognizing that the team behind the research to pull passwords from video calls has not seen any evidence that their experimental technique is being used in the real world. Still, and as the leader of that team noted, “It is good to be informed about such threats as a user of such video calling/conferencing applications.”
This is because, though such attacks remain a niche concern right now, they may make it into the mainstream eventually. And then we’ll really have to start worrying.