Security Week 46: Prying Passwords in Video Conferences

Researchers at the University of Texas at San Antonio have proposed an unusual keylogging method based on analyzing head and shoulder movements on video (news, study in PDF). Under fairly broad assumptions, the scenario looks like this: the attacker joins a video conference and records the victim on video. If she types on the keyboard during the call, movements in the frame can be associated with at least some keystrokes. Further refinement using dictionaries made it possible in practice to guess the text in 75% of cases.

Like many other academic studies, this research is of little practical use, much like eavesdropping through a light bulb or talking to a smart speaker with a laser.

According to cryptographer Bruce Schneier, what is impressive in this case is that the researchers were able to figure out anything at all. One more thing: as a rule, such algorithms work better the more material is available for analysis. The pandemic and the mass move to remote work have created a situation where it is theoretically possible to collect an archive of hundreds of hours of video for each of us.

The paper contains a dozen references to similar past studies, enough to assess the arsenal of eavesdropping and peeping tools. Among them are keylogging by electromagnetic radiation, by the typist's eye movements, and by the movements of a tablet (the assumption is that the back of the device is being filmed). The authors mention video analysis that has been used in practice, in real attacks, where a PIN code is typed on the keypad of an ATM or payment terminal. It gets even more interesting: recognition of input through vibration analysis, either by a third-party sensor or by the standard sensors of a mobile device or smart watch. Related studies determine keystrokes from the actual sound of the keyboard, which does not even require video. In the Zoom scenario, it is theoretically possible to combine sound and picture analysis.

In an extremely simplified form, the new peeping method works like this: the victim's face is recognized, and small shoulder movements are analyzed. The keyboard is conventionally divided into two parts, one for the left hand and one for the right. Then the direction is roughly determined: one kind of movement suggests that the pressed key is above and to the left of the center of one of the keyboard halves, another that it is below and to the right, and so on. Acceptable accuracy is achieved only by comparing the guesses with a dictionary, which makes the title of this post somewhat sensational.

A password can be stolen this way only if it is one of the simplest, the kind that can be brute-forced in five minutes. For passwords of even minimal complexity, the probability of identification was 18.9%. The technique is also defeated by the simplest things that make tracking harder. It assumes typing with two hands, so letters typed with the fingers of one hand cannot be determined. It needs to detect shoulder movement, and loose clothing hampers that. In general, this is an extremely impractical study, which nevertheless impresses with its audacity and is certainly useful for information security enthusiasts.
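A simplified model of the bucketing described above, added here as an illustration and not taken from the study: the per-key buckets (hand, row, side of the half's center), the letters-only QWERTY layout and the word list are all assumptions. It counts how many strings stay consistent with a noise-free observation, and shows why a dictionary word collapses to a handful of candidates while a random string matches nothing in the list.

```python
from math import prod

# Assumed model (not the study's): QWERTY letters only, split by touch-typing hand.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEFT_HAND = set("qwertasdfgzxcvb")

def bucket(ch):
    """Coarse observation for one key: (hand, row, side of that half's center)."""
    for row_idx, row in enumerate(ROWS):
        if ch in row:
            is_left = ch in LEFT_HAND
            half = [c for c in row if (c in LEFT_HAND) == is_left]
            side = "left" if half.index(ch) < len(half) / 2 else "right"
            return ("L" if is_left else "R", row_idx, side)
    raise ValueError(f"unsupported key: {ch!r}")

# Every letter grouped by the observation it produces.
BUCKETS = {}
for letter in "".join(ROWS):
    BUCKETS.setdefault(bucket(letter), []).append(letter)

def signature(text):
    """What the observer sees for a whole word: one bucket per keystroke."""
    return tuple(bucket(ch) for ch in text.lower())

def search_space(text):
    """Number of letter strings consistent with the observation, no dictionary."""
    return prod(len(BUCKETS[b]) for b in signature(text))

def candidates(text, dictionary):
    """Dictionary words that are indistinguishable from `text` to the observer."""
    target = signature(text)
    return [w for w in dictionary if signature(w) == target]

# Constructed sample word list, not taken from the study.
WORDS = ["dear", "seat", "sear", "fear", "gear", "password", "monkey", "dragon"]

if __name__ == "__main__":
    for typed in ("seat", "password", "xqzvkbtp"):
        print(typed, search_space(typed), candidates(typed, WORDS))
```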

What else happened

Kaspersky Lab specialists examine a Linux ransomware Trojan recently spotted in attacks on the Texas Department of Transportation and Konica Minolta. The picture above shows the result of a Windows Trojan, presumably used by the same group.

A Twitter thread describes an interesting experiment: a private key for accessing a server on Amazon Web Services is uploaded to a public source code repository, and the time until someone attempts to log into the server is tracked. On GitHub, the AWS token was used within 11 minutes; on GitLab, an hour after the commit.

Apple released iOS and iPadOS 14.2, closing 24 vulnerabilities, three of which are allegedly used in attacks.

US law enforcement gained control of the Bitcoin wallet used in the operations of the Silk Road darknet market (closed in 2013). Almost 70 thousand bitcoins have been stored there since then; at the time of publication that is about a billion US dollars.

New research shows how Google Forms is used to build phishing forms. Among the companies attacked is Google itself.
