As this article from the University of Melbourne explains, it’s possible that hackers (or in this case a university student) can reconstruct the phone number of powerful CEOs with basic sound analysis software.
Now, your password can be extracted from a video call in much the same way. At the moment, however, it’s unclear exactly how common this technique will become. When public-interest technologist Bruce Schneier recently highlighted the research on his blog, he noted that “accuracy isn’t great, but that it can be done at all is impressive.”
For those worried about the general security of video conferencing tools, this will come as unwelcome if expected news. The past year has brought many stories highlighting the vulnerabilities of these apps. With the global economy looking set to remain largely Work From Home (WFH) into the future, you can no longer afford to ignore the rise in occurrence of this general threat, regardless of what flavor of OS you use, mobile or otherwise: Windows, Android, or iOS.
Most of the problems are not quite as exotic, or as sophisticated, as the research I’ve mentioned above. In fact, many of the vulnerabilities that affect video conferencing software would be regarded as fatal flaws in other types of software.
Take Zoom as an example. The company has certainly had a good year when it comes to their usage statistics, but far less so when it comes to stories about their security. First, it was sued for saying that it provided end-to-end encryption to all users when it didn’t. Then, it said that it would, after all, provide this encryption, but only to premium users. Then, finally, and under pressure from the EFF, it decided to give everyone this basic level of protection.
Let’s not single Zoom out for criticism, though. Other providers have also failed to take the security of video conferencing seriously. Cisco’s Webex, another popular, high-definition video conferencing platform, recently issued patches for three “high-severity” flaws and 11 “medium” severity vulnerabilities. These flaws affected its conferencing system’s video feed, IP cameras, and Identity Services Engine network admin software. Some have suggested that they could have been present for years.
My point, here, is that though it is certainly impressive that researchers are able to extract passwords from a video feed, for users of this software this is unlikely to be their primary security concern. This software contains more than enough vulnerabilities to cause concern, even before this new route to your personal information opened up.
In this context, it’s worth thinking about how you can protect yourself from this kind of attack. There are two primary ways of doing that.
The first is related to the recent research I’ve mentioned above. Video conferencing software represents a vulnerability for a lot of users because they don’t use a secure password, and they don’t take basic steps to protect their devices from surveillance. When it comes to cyber security, it can be worth looking at more familiar types of security for guidance. About 60% of convicted burglars say the presence of a security system would cause them to attempt a burglary elsewhere, for instance. Following that logic into the digital world, it makes sense to put a security system on your digital devices as well as your house.
When it comes to preventing someone stealing your password via a video call, this means one thing – get a password manager. With this kind of tool, you can use one “master” password that will protect all of your accounts, and that is linked to your devices (or smartphone). Even if one of your passwords is stolen, a hacker will not get access to all of your accounts.
Second, be aware that what you say over video conferencing software is not really private, especially if you are using the kind of software typically available to consumers. Because the providers of this software have been slow to provide encryption for the video feed – or, indeed, even the audio feed – it’s possible that everything you say could be spied on.
For that reason, you shouldn’t give out any personal information, and especially not your passwords, over a video chat.
To return to where we started, it’s worth recognizing that the team behind the research to pull passwords from video calls has not seen any evidence that their experimental technique is being used in the real world. Still, and as the leader of that team noted, “It is good to be informed about such threats as a user of such video calling/conferencing applications.”
This is because, though such attacks remain a niche concern right now, they may make it into the mainstream eventually. And then we’ll really have to start worrying.