What Is Keystroke Inference and How Can It Be Used to Steal Passwords?
While it may sound like science fiction or a scene from a hacker movie, Forbes recently covered a research paper examining how attackers can steal passwords from nothing more than ordinary footage, such as the recording of a Zoom video call.
With the increasing popularity and surge in use of applications like Zoom and Google Meet to conduct remote work meetings, bad actors have been hard at work trying to come up with new ways to abuse those platforms. Even with all the security measures that these platforms have implemented, the new method of password theft may be able to circumvent them all.
Researchers at two US universities, in Texas and Oklahoma, produced a research paper showing how bad actors can use the movement of a person's upper arms and shoulders during a video meeting to deduce what they are typing on their keyboard. The method is called "keystroke inference".
How does the magic work?
Keystroke inference is obviously not the same as grabbing someone's password directly with a keystroke logger, but it also avoids the much harder step of deploying keystroke-logging malware on the victim's system. The research paper explains that bad actors could use small and seemingly insignificant movements of a person's upper body to roughly guess which keys they are pressing.
The full methodology relies on matching the visual cues from the person typing on video against a vast dictionary and inferring, from those matches, which strings and words are likely being typed. Of course, for this method to work, the bad actor needs either to participate in the video call or to have broken into the meeting in order to gain access to the participants' video streams.
How does the method cope with strong passwords?
The algorithm examined by the university teams displays a disturbingly high success rate: around 75% of the password strings examined this way were guessed correctly when the password was part of the reference dictionary of about a million words.
Of course, this brings us back to the importance of never using common words as passwords and instead choosing complex, compound passwords of sufficient length that mix letters, numbers and symbols. The algorithm used in the research was able to guess fewer than 19% of the passwords that were constructed using good security practices and consisted of unique strings not found in a dictionary.
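To make the dictionary dependence concrete, here is a small added example (not code from the paper or from this article) that models why a dictionary password is exposed while a non-dictionary one is not. It assumes a deliberately coarse stand-in for the visual cues: for each keystroke, only which hand and which keyboard row were used. The `DICTIONARY` list is a constructed stand-in for the paper's million-word reference, and the `inference_exposure` helper is hypothetical.

```python
from typing import Dict, List

# Hypothetical touch-typing model: QWERTY rows split into left/right hand halves.
# This stands in for the shoulder/arm cues the paper derives from video; it is a
# constructed simplification, not the paper's feature set.
_ROWS = {
    "top": ("qwert", "yuiop"),
    "home": ("asdfg", "hjkl"),
    "bottom": ("zxcvb", "nm"),
}
KEY_CLASS: Dict[str, str] = {}
for row, (left, right) in _ROWS.items():
    for ch in left:
        KEY_CLASS[ch] = f"L-{row}"
    for ch in right:
        KEY_CLASS[ch] = f"R-{row}"

# Constructed stand-in for the roughly one-million-word reference dictionary.
DICTIONARY: List[str] = [
    "password", "sunshine", "football", "princess", "dragon",
    "monkey", "welcome", "letmein", "shadow", "master",
]

def coarse_profile(text: str) -> List[str]:
    """What a coarse side channel might observe: one hand/row class per keystroke.
    Characters outside the modelled letter rows are marked '?' (unobserved)."""
    return [KEY_CLASS.get(c.lower(), "?") for c in text]

def dictionary_candidates(profile: List[str], dictionary: List[str]) -> List[str]:
    """Dictionary entries whose typing profile is indistinguishable from `profile`."""
    return [w for w in dictionary if coarse_profile(w) == profile]

def inference_exposure(password: str, dictionary: List[str]) -> dict:
    """Defender-side risk summary: would dictionary matching on the coarse
    profile narrow the candidates down to this password?"""
    cands = dictionary_candidates(coarse_profile(password), dictionary)
    return {
        "in_dictionary": password in dictionary,
        "candidates": cands,
        "recoverable_from_dictionary": password in cands,
    }
```

A dictionary word such as `password` is narrowed to a handful of candidates, whereas a mixed string like `xk7!Qm2p` matches no dictionary entry at all, which is the gap between the 75% and 19% figures above.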
This only serves to underline that a good, strong password can provide a good degree of protection even against newly emerging methods of attack.