Hackers Can Learn Your Password When Seeing Small Visual Cues on Video Calls
Researchers have found that tiny visual cues and an algorithm can be used by hackers to guess a user’s password on a video call.
Remote work and distance learning have brought with them a host of cybersecurity and password challenges, exacerbated by the surge in use of popular videoconferencing platforms like Zoom, Microsoft Teams, Google Meet and others.
Those companies have been active in enhancing the security controls for those applications, but one new hacking method uncovered by researchers from the University of Texas and University of Oklahoma relies on tiny visual cues and an algorithm to guess a user’s password if they sign into an account while on a video call.
According to Forbes, citing the study, a hacker can use a methodology called keystroke inference, which is essentially watching the shoulders and upper arms for clues as to what the user at the other end of the call is typing.
Although the movements are small and subtle, with the help of an algorithm, a hacker could take a pretty good guess at a person’s password.
These visual differences can reveal the direction in which someone’s hands move from one key to another. An algorithm then cross-references those movements with dictionary word-profiles to work out what was typed.
So, the attack would require someone either to be on the call you are making or to have hacked into it so as to be able to record the video. That video needs to be of suitably high resolution for the software to analyze it correctly.
The software used to guess passwords based on those minuscule visual cues correctly guessed a password 75% of the time if the password was included in the reference database of one million commonly used passwords.
However, stronger passwords like randomly generated passwords or truly unique phrases were harder to guess, as just 18.9% of total passwords were guessed correctly, and 74% of the passwords not in the reference database stood up against this hacking method.
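Why passwords from a common-password list are the ones at risk can be seen in a small password-audit sketch. This is an added example, not code from the study or from this article; it assumes a simplified QWERTY geometry, an 8-direction quantisation of key-to-key movement, and a constructed six-word list standing in for the reference database, and all function names are hypothetical.

```python
import math
from collections import defaultdict

# Simplified QWERTY geometry (assumption): each row is shifted right by a stagger.
ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5), ("asdfghjkl", 0.75), ("zxcvbnm", 1.25)]
KEY_POS = {ch: (col + shift, row)
           for row, (keys, shift) in enumerate(ROWS)
           for col, ch in enumerate(keys)}
COMPASS = ["E", "NE", "N", "NW", "W", "SW", "S", "SE"]


def direction(a, b):
    """Quantise the move from key a to key b into one of 8 compass sectors."""
    if a not in KEY_POS or b not in KEY_POS:
        return "?"                        # key outside the modelled layout
    (x1, y1), (x2, y2) = KEY_POS[a], KEY_POS[b]
    if (x1, y1) == (x2, y2):
        return "."                        # same key pressed twice
    angle = math.atan2(y1 - y2, x2 - x1)  # rows grow downward, so flip y
    return COMPASS[round(angle / (math.pi / 4)) % 8]


def profile(word):
    """Direction sequence between consecutive keystrokes (case is ignored)."""
    w = word.lower()
    return tuple(direction(a, b) for a, b in zip(w, w[1:]))


def build_index(wordlist):
    """Map each movement profile to the dictionary words that produce it."""
    index = defaultdict(list)
    for w in wordlist:
        index[profile(w)].append(w)
    return index


def candidates(password, index):
    """Dictionary words that share this password's movement profile."""
    return index.get(profile(password), [])


def exposed(password, index):
    """True if a profile lookup against the dictionary returns the password itself."""
    return password.lower() in candidates(password, index)


# Constructed sample list standing in for the reference database.
COMMON = ["password", "dragon", "monkey", "qwerty", "letmein", "sunshine"]
INDEX = build_index(COMMON)
```

A password in the list is always returned by its own profile, while a randomly generated one has no dictionary entry to be matched against, which is the gap between the two success rates reported above.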
As with any account or application, you should observe good cybersecurity practices when it comes to passwords. Here are some examples:
- Change the default password
- Don’t use the same password for every account
- Change your password regularly
- Enable multi-factor authentication
This article premiered on CS sister publication MyTechDecisions.com. Zachary Comeau is TD’s web editor.