Can reflections in eyeglasses actually leak info from Zoom calls? Here's a study into it

About time someone shone some light onto this

Boffins at the University of Michigan in the US and Zhejiang University in China want to highlight how bespectacled video conferencing participants are inadvertently revealing sensitive on-screen information via reflections in their eyeglasses.

With the COVID-19 pandemic and the rise in remote work, video conferencing has become commonplace. The researchers argue the ensuing privacy and security issues deserve further attention, and they've been casting an eye on this unusual attack vector.

In a paper distributed via ArXiv, titled, "Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing," researchers Yan Long, Chen Yan, Shilin Xiao, Shivan Prasad, Wenyuan Xu, and Kevin Fu describe how they analyzed optical emanations from video screens that have been reflected in the lenses of glasses.

"Our work explores and characterizes the viable threat models based on optical attacks using multiframe super resolution techniques on sequences of video frames," the computer scientists explain in their paper.

"Our models and experimental results in a controlled lab setting show it is possible to reconstruct and recognize with over 75 percent accuracy on-screen texts that have heights as small as 10 mm with a 720p webcam."

"The present-day 720p camera's attack capability often maps to font sizes of 50-60 pixels with average laptops," explained Yan Long, corresponding author and doctoral candidate at University of Michigan, Ann Arbor, in an email to The Register.

"Such font sizes can mostly be found in slide presentations and the headings/titles of some websites (for example, 'We saved you a seat in chat' on"

Being able to read reflected headline-size text isn't quite the privacy and security problem of being able to read smaller 9 to 12 pt fonts. But this technique is expected to provide access to smaller font sizes as high-resolution webcams become more common.

"We found future 4k cameras will be able to peek at most header texts on almost all websites and some text documents," said Long.

When the goal was to identify just the specific website visible on the screen of a video meeting participant from an eyeglass reflection, the success rate rose to 94 percent among the Alexa top 100 websites.

"We believe the possible applications of this attack range from causing discomforts in daily activities, e.g. bosses monitoring what their subordinates are browsing in a video work meeting, to business and trading scenarios where the reflections might leak key negotiation-related information," said Long.

He said the attack envisions both adversaries participating in conferencing sessions and also those who obtain and play back recorded meetings. "It would be interesting for future research to scrape online videos such as from YouTube and analyze how much information is leaked through glasses in the videos," he said.

A variety of factors can affect the legibility of text reflected in a video conference participant's glasses. These include reflectance based on the meeting participant's skin color, environmental light intensity, screen brightness, the contrast of the text with the webpage or application background, and the characteristics of eyeglass lenses. Consequently, not every glasses-wearing person will necessarily provide adversaries with reflected screen sharing.

With regard to potential mitigations, the boffins say that Zoom already provides a video filter in its Background and Effects settings menu that consists of reflection-blocking opaque cartoon glasses. Skype and Google Meet lack that defense.

The researchers argue other more usable software-based defenses involve targeted blurring of eyeglass lenses.

"Although none of the platforms supports it now, we have implemented a real-time eyeglass blurring prototype that can inject a modified video stream into the video conferencing software," they explain. "The prototype program locates the eyeglass area and applies a Gaussian filter to blur the area."

The Python code can be found on GitHub. ®

Send us news

What do the US midterm election results mean for a federal privacy law?

Spoiler: it may hinge on California's voting block

Commercial repair shops caught snooping on customer data by canny Canadian research crew

Naming no names, but study finds trustworthy techs are hard to find

Russia-based Pushwoosh tricks US Army and others into running its code – for a while

Russian data trackers … what could possibly go wrong?

Security firms hijack New York trees to monitor private workforce

Employee management tech raises eyebrows in the Big Apple

Open source community split over offer of 'corporate' welfare for critical dev tools

Linux Foundation presents IT and help to key volunteers – and some wonder if this is a deal with the Devil

Block Fi seeks bankruptcy protection as 'shocking' FTX contagion spreads

Crypto lending biz wants its money back "as promptly as practicable"

FAA wants pilots to be less dependent on computer autopilots

US aviation advisory addresses concerns raised follow 2013 Asiana Airlines crash

US Supreme Court asked if cops can plant spy cams around homes

ACLU argues for the Fourth

Germany says nein to Qatari World Cup spyware, err, apps

Norway, France also sound data privacy alarms

Software company wins $154k for US Navy's licensing breach

Court lands on less than the millions asked for after sailors made copies of 3D modeling suite 'hundreds of thousands' of times

Swiss bankers warn: Three quarters of retail Bitcoin investors are in the red

Little fish lured into the market help whales cash out

Republican senators tell FTC to back off data security, surveillance rules

And they don't like the states' 'patchwork' privacy laws, either