NOVEMBER 16, 2020 — COVID-19 has upended face-to-face communication. Overnight, video calls have become the new normal for both personal and professional remote communication. Now, cybersecurity researchers at the University of Texas at San Antonio warn that a new privacy threat related to online video calls is on the horizon. It’s possible to steal private information typed on a keyboard during an online video call by just analyzing a person’s shoulder and upper arm movements during the call.
“Although there is no evidence of widespread exploitation of this vulnerability in the wild yet, our research shows that such attacks are indeed feasible,” said computer science professor Murtuza Jadliwala, who leads SPriTELab and the UTSA research team behind these findings. “Our inference framework employs image processing techniques to model and capture minor shoulder movements due to typing that are observable during video calls, and maps those movements to a prediction or guess of what is being typed. Experiments with actual human-subject participants show that our framework is able to make a pretty good prediction of the words being typed.”
“Our work really highlights the need for awareness and countermeasures against such threats.”
The research team designed and tested their framework in a lab setting, as well as in a real, fully unconstrained setting, by employing different webcams, video calling software, keyboards, and clothing worn by participants. In addition to inferring regularly typed English words on a QWERTY keyboard with reasonably good accuracy, their framework was also able to infer less common (yet sensitive) text such as passwords and websites, although with a slightly lower accuracy. An important feature of the proposed attack is that it can exploit any type of video call where shoulders are visible on the screen.
“Although not a cause for immediate alarm, our work really highlights the need for awareness and countermeasures against such threats,” Jadliwala added. “It is good to be informed and educated about such new and evolving privacy threats targeting popular online applications and services.”
The research team also proposed and evaluated several protection mechanisms against these threats, including frame blurring, frame pixelation and frame skipping, with pretty good success. The peer reviewed research results will be presented in the upcoming Network and Distributed Systems Security (NDSS) Symposium to be held virtually this year due to the COVID-19 pandemic. NDSS is one of the premier academic research conferences in the field of cybersecurity, publishing ground-breaking results in the area.
