Here’s something that might increase any feelings of paranoia that you experience around computing and cyberspace.

Researchers in the USA (Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks) have shown that it is possible to analyse a recording of a video call (such as a Zoom, Teams, or Skype call) and use computer software to infer, with a fair degree of accuracy, what the person on the recording is typing. Neither the keyboard nor the user’s hands need to be visible on the recording. I confess that any paper whose introduction starts with “Catalyzed by the ubiquity of the Internet..” is unlikely to capture my undivided attention through to the end, but I think I’ve got the gist of it from Tom’s Guide and a skim of the paper itself.

The basis of the method is that the program looks at reference points in the face of the person in the video and then infers what keys have been pressed from the movement of the arms and shoulders relative to those facial reference points. It sounds fantastic (in the sense of “fanciful” rather than “great!”) and no-one is claiming that it is anywhere near 100% accurate, but it is definitely capable of stealing information.


It’s not just Zoom calls that are potentially susceptible to this kind of attack.

If, for instance, the program knows the email address of the person in the recording, then it can recognise that the email address has just been typed with about 90% accuracy. It then assumes that the next thing being typed is a password. If the password is a good, strong, unique one then it’s going to struggle, but the supposed password that has just been typed can be compared against a database of the most common million passwords. If the person in the recording has been lazy and/or predictable in the password creation then they may now be in danger. Remember, there will also probably be an audio track to the recording so, depending on the context, it could be completely obvious what account the password just gleaned belongs to.
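The dictionary step described above, sketched as an added illustration (this is not code from the paper or from this blog). It assumes the inferred password has the right number of keystrokes but some wrong keys, and it uses a tiny constructed word list in place of the million-entry database; the function names are hypothetical.

```python
# Added illustration: why a common password survives a noisy reading
# while a strong, unique one does not. All data below is constructed.

# Constructed stand-in for "the most common million passwords".
COMMON_PASSWORDS = [
    "123456", "password", "qwerty123", "letmein",
    "sunshine", "iloveyou", "dragon2020", "football1",
]


def wrong_keys(guess, word):
    """Count positions where guess and word differ (None if lengths differ).

    Assumption: the analysis sees every keystroke, so the length is right
    and the errors are wrong keys at known positions.
    """
    if len(guess) != len(word):
        return None
    return sum(g != w for g, w in zip(guess, word))


def resolve(noisy_guess, wordlist, max_errors=2):
    """Return list entries that the noisy guess could stand for, closest first."""
    hits = []
    for word in wordlist:
        errors = wrong_keys(noisy_guess, word)
        if errors is not None and errors <= max_errors:
            hits.append((errors, word))
    return [word for _, word in sorted(hits)]


def is_exposed(password, noisy_guess, wordlist, max_errors=2):
    """True if the dictionary turns the noisy guess back into the real password."""
    return password in resolve(noisy_guess, wordlist, max_errors)


if __name__ == "__main__":
    # "sunshine" read with two wrong keys still resolves to the list entry.
    print(resolve("sumshime", COMMON_PASSWORDS))
    # A unique password read with one wrong key matches nothing on the list,
    # so the analysis is left with a string that is simply wrong.
    print(resolve("v7#Kq!2nZp", COMMON_PASSWORDS))
```
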

The paper’s authors do go on to offer advice as to how to mitigate the threat. This, naturally, revolves around reducing the accuracy of the analysis. So, wearing long sleeves reduces the accuracy of the measurement of arm movement, and reducing the frame rate or resolution of the video capture also reduces accuracy. Having long hair also affects the analysis, apparently (those were the days!). Some things you might think are relevant, but aren’t, include the make and size of the keyboard (but a “zwerty” keyboard instead of a normal “qwerty” one would probably complicate things). The researchers also acknowledge that they didn’t investigate differences in accuracy caused by the participant’s “error rate” when typing. My mind is now thinking of other potential tactics such as moving the keyboard by a few inches every now and then, or turning off the video when entering sensitive information.

When I first read about this, I thought that you’d have to be paranoid to be worried about it, but the more I think about it, the more realistic the threat appears to become (or the more paranoid I become). Clearly, if your video conference is with someone you trust (and you don’t fear anyone else getting hold of a recording of the session) then there’s probably not a lot to worry about. But what if you are on a conference call with 100 other people who you don’t know?

Will this be just a quirky bit of research that is soon forgotten, or might this become a major new threat to cyber security as the accuracy of the analysis improves? Dunno.

It pains me to admit it, but I’m not the only person in the world called David Leonard. A search for my own name on Skype produced over 100 results. If I was looking for myself (no, I am not having an identity crisis) then I would need some more information.


The search box appears below your name and profile picture at top left.

You can try several things to narrow down the search, but what works will depend on what the other person has entered into their Skype profile.

The information that the other person may have entered includes:

  • Skype Name
  • Name
  • City
  • Country/region
  • Email address(es)
  • Mobile phone
  • Home phone
  • Office phone

I don’t know whether searching for someone would produce results based on their gender, birthday or “about me” information (which may also appear in the profile).

So, to find someone on Skype so that you can connect with them, go to the search box on the main Skype page and enter one or more pieces of information. For example:

  • email address – this is good as all email addresses are unique, so any result should be the person you are looking for. On the other hand, it may not find the person you are looking for if they have only entered a different email address in their Skype profile.
  • Skype name – this is good because it is unique. There can’t be two people with the same Skype name. On the other hand, you may not know their Skype name (do you know your own?)
  • Phone numbers – again, this has the same advantages and disadvantages of an email address in that Skype can only find numbers entered into the other person’s profile. Also there are some complications regarding formatting of the number.

My telephone number is entered in my profile as “+447961387564” (the complete number including country code, and dropping the leading zero). Searches on my phone number gave the following results:

  • 07961387564 – no results found
  • 7961387564 – my details – and no-one else’s – found
  • 447961387564 – my details – and no-one else’s – found
  • +447961387564 – my details – and no-one else’s – found
  • 61387564 – someone in Bosnia-Herzegovina found, but not me (this was a search on a random part of my phone number)

So, it’s not as straightforward as you might imagine!

One thing that can help is if the person you are looking for has included a profile picture. At least, it might help if you are less optically challenged than I am. I find most “profile pictures” on social media totally unrecognisable because they are too small, fuzzy, dark, or light. I like to think my own “DL” logo in green is more recognisable. Of course, you can always totally undermine the purpose of profile pictures by doing what thousands of other people do and load an image of your cat (because what the internet really needs is more pictures of cats).


Skype’s infantile “Give wave” button that you have to click on to make a first contact with someone. They then accept or reject you.

And just to add one more complication. Suppose you have someone’s Skype details in your Skype contacts but you can’t seem to get through to them any more (and you know it used to work some time ago). You’ve checked with them that they are still “on Skype” and have been assured that their Skype is open for business on their computer or device.

Here’s something that’s worth checking. The other person may have created their Skype account before Microsoft bought Skype. They might have then created a Microsoft account after Microsoft bought Skype. Microsoft would then create a new Skype account, with a Skype name they make up. It is quite possible that the person you cannot contact any more is unwittingly signed in to this second Skype account. Once you recognise the problem it is easy to resolve as the “correct” Skype account still exists. Just get the other person to sign out of the wrong account and into the right one.

And I can vouch for all this out of personal experience. Thank you, Microsoft. Once I discovered what had happened in my own case, I removed my logo, email address and phone number from the “wrong” account so that it wouldn’t appear in search results. I chickened out of deleting the account in case it broke my Microsoft account. I think a braver person could have unlinked and then deleted the Skype account without breaking the Microsoft account, but sometimes you just don’t feel like antagonising the cyber gods. We’ve got enough problems in the world just at the moment.

© 2011-2019 David Leonard