New Research Shows 720p Webcams Can Leak What You’re Browsing

Table of Links
Abstract and I. Introduction
II. Threat Model & Background
III. Webcam Peeking through Glasses
IV. Reflection Recognizability & Factors
V. Cyberspace Textual Target Susceptibility
VI. Website Recognition
VII. Discussion
VIII. Related Work
IX. Conclusion, Acknowledgment, and References
APPENDIX A: Equipment Information
APPENDIX B: Viewing Angle Model
APPENDIX C: Video Conferencing Platform Behaviors
APPENDIX D: Distortion Analysis
APPENDIX E: Web Textual Targets
Screen Peeking Using Cameras. Screen-peeking with cameras through optical emanation reflections has been explored in previous works. In 2008, Backes et al. [26] showed that adversaries can use off-the-shelf telescopes and DSLR cameras to spy on victims’ LCD monitor screen contents from up to 30m away by utilizing reflective objects that are commonly found next to the monitor screen, such as teapots placed on a desk. In 2009, the authors [25] took the attack to the next level by addressing the challenges of motion blur and out-of-focus blur by performing deconvolution on the photos with Point Spread Functions (PSF). Our work differs from these previous works by exploiting the victims’ own webcams in video conferences for a remote attack. Such changes call for different image-enhancing techniques due to the different types of image distortions. In addition, reflective objects on the desks and human eyes cannot be easily utilized due to very large curvatures. We thus exploit the glasses people wear to video conferences as a modern attack vector. [57] proposed a relevant idea of using adversary-controlled webcams to detect changes in webpage links’ colors for inferring visited websites. It requires the adversary to take control over the victim’s webcam with malicious web modules and exploits coarse-grain color variations, while our work studies more natural attack vectors in video conferencing and investigates the limits of textual reconstruction.
Screen Content Reconstruction With Other Emanations. Besides the direct optical emanations from the screen that we exploit in this work, previous works also explored other channels such as electromagnetic radiation [44], [45], [55] and acoustic emanations [37]. Reconstructing screen contents with such emanations usually requires using additional eavesdropping hardware that is placed close to the victims by the adversary. On the other hand, our work exploits the victim’s own webcams, making the attack more accessible.
Remote Eavesdropping Via Audio/Video Calls. Similar to our work, such attacks assume the adversary and victim are both participants of an audio/video conference, and the adversary can eavesdrop on privacy-sensitive information by analyzing the audio/video channels. For example, Voice-over-IP attacks for keystroke inference eavesdrop on the victim’s keyboard inputs by utilizing timing and/or spectrum information embedded in the keystroke acoustic emanations [29], [30], [35], [54]. Recently, Sabra et al. [51] addressed the problem of inferring keystrokes by analyzing the dynamic body movements embedded in the videos during a video call. Hilgefort et al. [39] spy on victims’ nearby objects through virtual backgrounds in video calls by carrying out foreground-background analysis and accumulating background pixels. In contrast, our work explores the related problem of content reconstruction using only the optical reflections from participants’ glasses embedded in the videos.
IX. CONCLUSION
In this work, we characterized the threat model of the webcam peeking attack in video conferencing settings. We developed mathematical models that describe the relationship between the attack limits and different user-dependent factors. The analysis enables the prediction of future threats as webcam technology evolves. We conducted experiments both in controlled lab settings and with a user study. Results showed that present-day 720p cameras pose threats to the contents on users’ screens when users browse certain big-font websites. Future 4K cameras are predicted to allow adversaries to reconstruct various header texts on popular websites. We also found that adversaries can recognize the website users are browsing through webcam peeking with 720p cameras. We analyzed both short-term mitigations and long-term defenses and collected user opinions on the possible protections.
ACKNOWLEDGEMENT
This work is supported by a gift from Analog Devices Inc. and China NSFC Grant 61925109 and 62201503. We thank our reviewers for their insightful comments that helped us improve this manuscript; we thank Dr. Cheng Yang for volunteering to wear eyeglasses in the lab experiments.
REFERENCES
[1] Converting diagonal field of view and aspect ratio to horizontal and vertical field of view. http://vrguy.blogspot.com/2013/04/converting-diagonal-field-of-view-and.html, 2013.
[2] Webcam Field of View. https://www.telehealth.org.nz/assets/Uploads/1511-webcam-field-of-view.pdf, 2015.
[3] Approximate Focal Length for Webcams and Cell Phone Cameras. https://learnopencv.com/approximate-focal-length-for-webcams-and-cell-phone-cameras/, 2016.
[4] Cisco Annual Internet Report (2018–2023) White Paper. https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.html, 2020.
[5] Schott AG: Transmittance of optical glass. https://www.schott.com/d/advanced_optics/5b1f5065-0587-4b3f-8fc7-e508b5348012/, 2020.
[6] The most maddening part about working from home: video conferences. https://www.washingtonpost.com/technology/2020/03/16/remote-work-video-conference-coronavirus/, 2020.
[7] Acer Predator 15. https://www.acer.com/ac/en/IN/content/predator-model/NH.Q1YSI.001, 2021.
[8] Alexa SEO and Competitive Analysis Software. https://www.alexa.com/, 2021.
[9] Amazon Mechanical Turk. https://www.mturk.com/, 2021.
[10] Big Type Websites. https://www.siteinspire.com/websites?categories=22, 2021.
[11] Blue Light Blocking Glasses Market Size 2021 with a CAGR of 7.7%, Research by Business Opportunities, Top Companies data report covers, globally Market Key Facts and Forecast to 2025. https://www.wboc.com/story/43536337/blue-light, 2021.
[12] Blue Light Blocking Glasses on Amazon. https://www.amazon.com/gp/product/B07VBFSY33/, 2021.
[13] Cheese. https://wiki.gnome.org/Apps/Cheese, 2021.
[14] Default style sheet for HTML 4. https://www.w3.org/TR/CSS2/sample.html, 2021.
[15] For better or worse, working from home is here to stay. https://www.cnbc.com/2021/03/11/one-year-into-covid-working-from-home-is-here-to-stay.html, 2021.
[16] Let’s Talk About Base Curves. https://opticianworks.com/lesson/lets-talk-base-curves/, 2021.
[17] Nikon Z7. https://www.nikonusa.com/en/nikon-products/product/mirrorless-cameras/z-7.html, 2021.
[18] Samsung Notebook 9. https://www.samsung.com/hk/pc/notebook-9-np900x5m-k03/, 2021.
[19] Shot Noise. https://en.wikipedia.org/wiki/Shot_noise, 2021.
[20] Web Style Sheets CSS tips & tricks: EM. https://www.w3.org/Style/Examples/007/units.en.html#units, 2021.
[21] Zoom. https://zoom.us/, 2021.
[22] Aries Arditi. Adjustable typography: an approach to enhancing low vision text accessibility. Ergonomics, 47(5):469–482, 2004.
[23] Aries Arditi and Jianna Cho. Serifs and font legibility. Vision research, 45(23):2926–2933, 2005.
[24] Melanie Arntz, Sarra Ben Yahmed, and Francesco Berlingieri. Working from home and covid-19: The chances and risks for gender gaps. Intereconomics, 55(6):381–386, 2020.
[25] Michael Backes, Tongbo Chen, Markus Dürmuth, Hendrik PA Lensch, and Martin Welk. Tempest in a teapot: Compromising reflections revisited. In 2009 30th IEEE Symposium on Security and Privacy, pages 315–327. IEEE, 2009.
[26] Michael Backes, Markus Dürmuth, and Dominique Unruh. Compromising reflections-or-how to read lcd monitors around the corner. In 2008 IEEE Symposium on Security and Privacy (sp 2008), pages 158–169. IEEE, 2008.
[27] Alexander Bick, Adam Blandin, and Karel Mertens. Work from home after the covid-19 outbreak. CEPR Discussion Paper. 2020.
[28] Connor Bolton, Kevin Fu, Josiah Hester, and Jun Han. How to curtail oversensing in the home. Communications of the ACM, 63(6):20–24, 2020.
[29] Stefano Cecconello, Alberto Compagno, Mauro Conti, Daniele Lain, and Gene Tsudik. Skype & type: Keyboard eavesdropping in voice-over-ip. ACM Transactions on Privacy and Security (TOPS), 22(4):1–34, 2019.
[30] Alberto Compagno, Mauro Conti, Daniele Lain, and Gene Tsudik. Don’t skype & type! acoustic eavesdropping in voice-over-ip. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pages 703–715, 2017.
[31] Zechuan Deng, René Morissette, and Derek Messacar. Running the economy remotely: Potential for working from home during and after covid-19. Statistics Canada. 2020.
[32] Keyan Ding, Kede Ma, Shiqi Wang, and Eero P Simoncelli. Image quality assessment: Unifying structure and texture similarity. arXiv preprint arXiv:2004.07728, 2020.
[33] Rodger J Elble. Tremor. In Neuro-geriatrics, pages 311–326. Springer, 2017.
[34] Rodger J Elble, Helge Hellriegel, Jan Raethjen, and Günther Deuschl. Assessment of head tremor with accelerometers versus gyroscopic transducers. Movement Disorders Clinical Practice, 4(2):205–211, 2017.
[35] Fürkan Elibol, Uğur Sarac, and Işin Erer. Realistic eavesdropping attacks on computer displays with low-cost and mobile receiver system. In 2012 Proceedings of the 20th European Signal Processing Conference (EUSIPCO), pages 1767–1771. IEEE, 2012.
[36] Sina Farsiu, M Dirk Robinson, Michael Elad, and Peyman Milanfar. Fast and robust multiframe super resolution. IEEE transactions on image processing, 13(10):1327–1344, 2004.
[37] Daniel Genkin, Mihir Pattani, Roei Schuster, and Eran Tromer. Synesthesia: Detecting screen content via remote acoustic side channels. In 2019 IEEE Symposium on Security and Privacy (SP), pages 853–869. IEEE, 2019.
[38] Atsuki Higashiyama, Yoshikazu Yokoyama, and Koichi Shimono. Perceived distance of targets in convex mirrors. Japanese Psychological Research, 43(1):13–24, 2001.
[39] Jan Malte Hilgefort, Daniel Arp, and Konrad Rieck. Spying through virtual backgrounds of video calls. In Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, pages 135–144, 2021.
[40] Brien A Holden, Timothy R Fricke, David A Wilson, Monica Jong, Kovin S Naidoo, Padmaja Sankaridurg, Tien Y Wong, Thomas J Naduvilath, and Serge Resnikoff. Global prevalence of myopia and high myopia and temporal trends from 2000 through 2050. Ophthalmology, 123(5):1036–1042, 2016.
[41] Mohammad Moinul Islam, Vijayan K Asari, Mohammed Nazrul Islam, and Mohammad A Karim. Video super-resolution by adaptive kernel regression. In International Symposium on Visual Computing, pages 799–806. Springer, 2009.
[42] Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. A critical evaluation of website fingerprinting attacks. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 263–274, 2014.
[43] Katherine A Karl, Joy V Peluchette, and Navid Aghakhani. Virtual work meetings during the covid-19 pandemic: The good, bad, and ugly. Small Group Research, 53(3):343–365, 2022.
[44] Markus G Kuhn. Electromagnetic eavesdropping risks of flat-panel displays. In International Workshop on Privacy Enhancing Technologies, pages 88–107. Springer, 2004.
[45] Markus G Kuhn. Security limits for compromising emanations. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 265–279. Springer, 2005.
[46] Rohit Kulkarni. A Million News Headlines, 2018.
[47] Chao-Hsien Kuo and Zhen Ye. Sonic crystal lenses that obey the lensmaker’s formula. Journal of Physics D: Applied Physics, 37(15):2155, 2004.
[48] Michael Li. I studied the fonts of the top 1000 websites. Here’s what I learned. https://dribbble.com/stories/2021/04/26/web-design-data-fonts, 2021.
[49] Tony Lindeberg. Scale invariant feature transform. 2012.
[50] Tatsiana Palavets and Mark Rosenfield. Blue-blocking filters and digital eyestrain. Optometry and Vision Science, 96(1):48–54, 2019.
[51] Mohd Sabra, Anindya Maiti, and Murtuza Jadliwala. Zoom on the keystrokes: Exploiting video calls for keystroke inference attacks. arXiv preprint arXiv:2010.12078, 2020.
[52] Jerome H Saltzer and Michael D Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278–1308, 1975.
[53] Mehul P Sampat, Zhou Wang, Shalini Gupta, Alan Conrad Bovik, and Mia K Markey. Complex wavelet structural similarity: A new image similarity index. IEEE transactions on image processing, 18(11):2385–2401, 2009.
[54] Ilia Shumailov, Laurent Simon, Jeff Yan, and Ross Anderson. Hearing your touch: A new acoustic side channel on smartphones. arXiv preprint arXiv:1903.11137, 2019.
[55] Wim Van Eck. Electromagnetic radiation from video display units: An eavesdropping risk? Computers & Security, 4(4):269–286, 1985.
[56] Zhou Wang, Alan C Bovik, Hamid R Sheikh, and Eero P Simoncelli. Image quality assessment: from error visibility to structural similarity. IEEE transactions on image processing, 13(4):600–612, 2004.
[57] Zachary Weinberg, Eric Y Chen, Pavithra Ramesh Jayaraman, and Collin Jackson. I still know what you visited last summer: Leaking browsing history via user interaction and side channel attacks. In 2011 IEEE Symposium on Security and Privacy, pages 147–161. IEEE, 2011.
[58] Jianchao Yang and Thomas Huang. Image super-resolution: Historical overview and future challenges. In Super-resolution imaging, pages 1–34. CRC Press, 2017.
[59] Lin Zhang, Lei Zhang, Xuanqin Mou, and David Zhang. Fsim: A feature similarity index for image quality assessment. IEEE transactions on Image Processing, 20(8):2378–2386, 2011.
Authors:
(1) Yan Long, Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, USA;
(2) Chen Yan, College of Electrical Engineering, Zhejiang University, Hangzhou, China;
(3) Shilin Xiao, College of Electrical Engineering, Zhejiang University, Hangzhou, China;
(4) Shivan Prasad, Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, USA;
(5) Wenyuan Xu, College of Electrical Engineering, Zhejiang University, Hangzhou, China;
(6) Kevin Fu, Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, USA.
This paper is