No, Nobody’s Going to Steal Your Password While You Type on a Zoom Call!

Written by

Security research is an interesting field, but it sometimes ends up on the wrong end of mass media hysteria. Ominous headlines stating things like ‘AI can crack your password by listening to your keyboard clicks’, with the buzzword being ‘AI’ and ‘listening to you type’ are a good combination for clickbait and generating a good dose of FUD (Fear, Uncertainty, Doubt).

While theoretically very interesting, the research offers no real-world threat to anyone once you dive into it. Sadly, it becomes a victim of journalism trying to translate technical analysis into media sound bites.

So, let’s get into why this isn’t an issue. If you’re interested, the original research is available here and is very well written. It has the more descriptive title of A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards.

Without going into the technical details of the attack, let’s look at the pre-requisites for one of the scenarios for which the research builds a proof of concept – recording keystrokes on a Zoom call. So before you can even consider the possibility of falling victim to this theoretical attack, you need the following to happen in precisely in this order:

  • Someone needs to lure you into a Zoom call. It has to be Zoom.
  • That someone also needs the skill set and tooling to successfully perform acoustic side-channel attacks
  • They need to be malicious.
  • You can’t have anyone else on the call apart from you and a malicious person. Sad.
  • Don’t be talking or making other noise aside from typing... wait, what?
  • Likewise, the person who lured you into the call cannot be typing keystrokes or making noises, such as talking.
  • The noise suppression settings on your Zoom must be set to ‘low.’
  • You need your microphone close to your keyboard so they can hear the keystrokes. 
  • You have to be using a MacBook Pro 16-inch (2021). If you use an external keyboard, a touchscreen keyboard or any other laptop model, this won’t work.
  • You cannot touch type or type quickly. ‘Hunt and Peck’ is ideal for this.
  • While you’re on this silent call, for some reason, you must type a password into your computer.
  • While you slowly type your password loudly – it would be best to have no capital letters because this attack doesn’t really work if you use the shift key.
  • The malicious person on the other side who is not talking and staring at you while you stare at them typing your password loudly has to guess which account/website this is for. Perhaps this could be a good conversation starter for this silent Zoom call.
  • They will only get a chunk of your loudly typed password since this attack doesn’t have 100% accuracy anyway.

It also goes without saying that this is irrelevant if you use single sign-on, MFA, any biometric/passwordless login or if you’re using password managers. Oof! As you can probably guess, the likelihood of this happening to anyone in the future is as close to zero as possible.  

I am no stranger to vulnerabilities involving Zoom, having submitted one in their previous bug bounty program (run by Bugcrowd at the time) in 2015. My vulnerability was called ‘Potentially unsafe URIs can cause local file inclusion, command injection or remote connection’. At its core, the vulnerability was if you were in a chat with someone, you could paste URIs like file:///windows/system32/cmd.exe with whatever cmd you wanted after that (an sftp connection to a remote host, for example), and it would run. 

This is quite similar to the vulnerability that came after it more publicly in 2020, where you simply pasted a UNC path to hand over your Windows credentials. I was paid the princely sum of $50 USD for the discovery and rightly so because it required so many pre-requisites that it wasn’t really applicable in reality.

For example, to even have any chance of succeeding, you need to lure someone into a Zoom call (hopefully alone), paste the payload into the chat and convince them that it is safe and to click on it, have your reverse shell set up waiting to go, get that working fine without any networking interference and then proceed to plunder their workstation; yes, even after they’ve seen your face. You are allowed to talk to them in this one, however.

It is symptomatic of the dilemmas we face in communicating issues related to cybersecurity today. Communicating a deeply technical topic to a largely non-technical mass audience is no easy feat and even journalists with a tech background struggle with this. Explaining risk and likelihood to the masses is a losing game because as soon as the worst outcomes are discussed, they are often interpreted as fact. Sadly, threat assessments take some time to explain, and the person in front of you has to be willing to listen, even if that involves being quiet on a Zoom call. 

What’s hot on Infosecurity Magazine?