Zhuolin Yang,Cathy Yuanchen Li,Arman Bhalla,Ben Y. Zhao,Haitao Zheng

2024-09-10

Abstract:Today's virtual reality (VR) systems provide immersive interactions that seamlessly connect users with online services and one another. However, these immersive interfaces also introduce new vulnerabilities, making it easier for users to fall prey to new attacks. In this work, we introduce the immersive hijacking attack, where a remote attacker takes control of a user's interaction with their VR system, by trapping them inside a malicious app that masquerades as the full VR interface. Once trapped, all of the user's interactions with apps, services and other users can be recorded and modified without their knowledge. This not only allows traditional privacy attacks but also introduces new interaction attacks, where two VR users encounter vastly different immersive experiences during their interaction. We present our implementation of the immersive hijacking attack on Meta Quest headsets and conduct IRB-approved user studies that validate its efficacy and stealthiness. Finally, we examine effectiveness and tradeoffs of various potential defenses, and propose a multifaceted defense pipeline.

Cryptography and Security

Zhen Ling,Zupei Li,Chen Chen,Junzhou Luo,Wei Yu,Xinwen Fu

DOI: https://doi.org/10.1109/CNS.2019.8802674

2019-01-01

Abstract:Virtual reality (VR) techniques offer users immersive experiences in a virtual environment (VE) where they can enjoy gaming, training, shopping and social activities. However, security and privacy issues of VR are rarely investigated. In this paper, we introduce novel computer vision-based and motion sensor-based side channel attacks to infer keystrokes in a virtual environment. In the computer vision-based attack, a stereo camera records a user maneuvering a pointing device and inputting passwords. Various computer vision techniques are used to detect the touching frames in which the user taps a touchpad to enter keys on the virtual keyboard within the VE. We then estimate the pose of the headset and derive the orientation of the virtual pointing ray in each touching frame. In the motion sensor-based attack, we exploit sensors including accelerometer, gyroscope and magnetometer built inside the pointing device to retrieve orientation angles of the pointing device. With orientation angles of the pointing device, we can derive the empirical rotation angles and infer the clicked keys by assessing the similarity between the empirical rotation angles and the reference ones between keys. Extensive real-world experiments are performed to demonstrate the feasibility and effectiveness of these side channel attacks.

Tao Ni,Yuefeng Du,Qingchuan Zhao,Cong Wang

2024-12-19

Abstract:Virtual Reality (VR) technologies are increasingly employed in numerous applications across various areas. Therefore, it is essential to ensure the security of interactions between users and VR devices. In this paper, we disclose a new side-channel leakage in the constellation tracking system of mainstream VR platforms, where the infrared (IR) signals emitted from the VR controllers for controller-headset interactions can be maliciously exploited to reconstruct unconstrained input keystrokes on the virtual keyboard non-intrusively. We propose a novel keystroke inference attack named VRecKey to demonstrate the feasibility and practicality of this novel infrared side channel. Specifically, VRecKey leverages a customized 2D IR sensor array to intercept ambient IR signals emitted from VR controllers and subsequently infers (i) character-level key presses on the virtual keyboard and (ii) word-level keystrokes along with their typing trajectories. We extensively evaluate the effectiveness of VRecKey with two commercial VR devices, and the results indicate that it can achieve over 94.2% and 90.5% top-3 accuracy in inferring character-level and word-level keystrokes with varying lengths, respectively. In addition, empirical results show that VRecKey is resilient to several practical impact factors and presents effectiveness in various real-world scenarios, which provides a complementary and orthogonal attack surface for the exploration of keystroke inference attacks in VR platforms.

Cryptography and Security

Luoyu Mei,Ruofeng Liu,Zhimeng Yin,Qingchuan Zhao,Wenchao Jiang,Shuai Wang,Kangjie Lu,Tian He

2024-11-15

Abstract:Virtual reality (VR), while enhancing user experiences, introduces significant privacy risks. This paper reveals a novel vulnerability in VR systems that allows attackers to capture VR privacy through obstacles utilizing millimeter-wave (mmWave) signals without physical intrusion and virtual connection with the VR devices. We propose mmSpyVR, a novel attack on VR user's privacy via mmWave radar. The mmSpyVR framework encompasses two main parts: (i) A transfer learning-based feature extraction model to achieve VR feature extraction from mmWave signal. (ii) An attention-based VR privacy spying module to spy VR privacy information from the extracted feature. The mmSpyVR demonstrates the capability to extract critical VR privacy from the mmWave signals that have penetrated through obstacles. We evaluate mmSpyVR through IRB-approved user studies. Across 22 participants engaged in four experimental scenes utilizing VR devices from three different manufacturers, our system achieves an application recognition accuracy of 98.5\% and keystroke recognition accuracy of 92.6\%. This newly discovered vulnerability has implications across various domains, such as cybersecurity, privacy protection, and VR technology development. We also engage with VR manufacturer Meta to discuss and explore potential mitigation strategies. Data and code are publicly available for scrutiny and research at <a class="link-external link-https" href="https://github.com/luoyumei1-a/mmSpyVR/" rel="external noopener nofollow">this https URL</a>

Cryptography and Security,Computer Vision and Pattern Recognition

Hanqiu Wang,Zihao Zhan,Haoqi Shan,Siqi Dai,Max Panoff,Shuo Wang

2024-09-12

Abstract:The advent and growing popularity of Virtual Reality (VR) and Mixed Reality (MR) solutions have revolutionized the way we interact with digital platforms. The cutting-edge gaze-controlled typing methods, now prevalent in high-end models of these devices, e.g., Apple Vision Pro, have not only improved user experience but also mitigated traditional keystroke inference attacks that relied on hand gestures, head movements and acoustic side-channels. However, this advancement has paradoxically given birth to a new, potentially more insidious cyber threat, GAZEploit. In this paper, we unveil GAZEploit, a novel eye-tracking based attack specifically designed to exploit these eye-tracking information by leveraging the common use of virtual appearances in VR applications. This widespread usage significantly enhances the practicality and feasibility of our attack compared to existing methods. GAZEploit takes advantage of this vulnerability to remotely extract gaze estimations and steal sensitive keystroke information across various typing scenarios-including messages, passwords, URLs, emails, and passcodes. Our research, involving 30 participants, achieved over 80% accuracy in keystroke inference. Alarmingly, our study also identified over 15 top-rated apps in the Apple Store as vulnerable to the GAZEploit attack, emphasizing the urgent need for bolstered security measures for this state-of-the-art VR/MR text entry method.

Human-Computer Interaction,Computer Vision and Pattern Recognition

Yan Meng,Yuxia Zhan,Jiachun Li,Suguo Du,Haojin Zhu,Xuemin Shen

DOI: https://doi.org/10.1109/tmc.2024.3426046

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:By providing users with an immersive visual and acoustic experience, virtual reality (VR) serves as a foundational technique for the emerging metaverse. One of the most promising aspects of VR is its ability to protect users' identities by transforming their physical appearances into avatars with arbitrary appearances in the virtual world. However, the increasing threat of de-anonymization attacks that seek to reveal users' identities poses significant privacy risks. We propose AvatarHunter, a non-intrusive and user-unaware de-anonymization attack leveraging victims' inherent movement signatures. AvatarHunter discreetly collects the avatar's gait information by recording videos in the VR scenario without requiring any permissions. Notably, we designed a Unity-based feature extractor that maintains the avatar's movement signature while enabling AvatarHunter to be resistant to changes in the avatar's appearance. We conduct real-world experiments on VRChat to evaluate AvatarHunter's effectiveness. The results demonstrate that in commercial settings, AvatarHunter achieves attack success rates (ASR) of 92.1% and 66.9% in closed-world and open-world avatar scenarios, respectively, significantly surpassing existing benchmarks. Additionally, simulations using an open-source dataset confirm that AvatarHunter can attain over 78% ASR in full-body tracking scenarios. Finally, we discuss several countermeasures and implement an obfuscation mechanism during the avatar rendering phase, significantly reducing the ASR.

Yan Meng,Yuxia Zhan,Jiachun Li,Suguo Du,Haojin Zhu,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/infocom53939.2023.10229062

2023-01-01

Abstract:Virtual reality (VR) can provide users with an immersive experience in the metaverse. One of the most promising properties of VR is that users’ identities can be protected by changing their physical world appearances into arbitrary virtual avatars. However, recent proposed de-anonymization attacks demonstrate the feasibility of recognizing the user’s identity behind the VR avatar’s masking. In this paper, we propose AvatarHunter, a non-intrusive and user-unconscious de-anonymization attack based on victims’ inherent movement signatures. AvatarHunter imperceptibly collects the victim avatar’s gait information via recording videos from multiple views in the VR scenario without requiring any permission. A Unity-based feature extractor is designed that preserves the avatar’s movement signature while immune to the avatar’s appearance changes. Real-world experiments are conducted in VRChat, one of the most popular VR applications. The experimental results demonstrate that AvatarHunter can achieve attack success rates of 92.1% and 66.9% in closed-world and open-world avatar settings, respectively, which are much better than existing works.

Mohd Sabra,Nisha Vinayaga Sureshkanth,Ari Sharma,Anindya Maiti,Murtuza Jadliwala

DOI: https://doi.org/10.48550/arXiv.2301.09041

2023-01-22

Cryptography and Security

Abstract:Virtual Reality (VR) is an exciting new consumer technology which offers an immersive audio-visual experience to users through which they can navigate and interact with a digitally represented 3D space (i.e., a virtual world) using a headset device. By (visually) transporting users from the real or physical world to exciting and realistic virtual spaces, VR systems can enable true-to-life and more interactive versions of traditional applications such as gaming, remote conferencing, social networking and virtual tourism. However, as with any new consumer technology, VR applications also present significant user-privacy challenges. This paper studies a new type of privacy attack targeting VR users by connecting their activities visible in the virtual world (enabled by some VR application/service) to their physical state sensed in the real world. Specifically, this paper analyzes the feasibility of carrying out a de-anonymization or identification attack on VR users by correlating visually observed movements of users' avatars in the virtual world with some auxiliary data (e.g., motion sensor data from mobile/wearable devices held by users) representing their context/state in the physical world. To enable this attack, this paper proposes a novel framework which first employs a learning-based activity classification approach to translate the disparate visual movement data and motion sensor data into an activity-vector to ease comparison, followed by a filtering and identity ranking phase outputting an ordered list of potential identities corresponding to the target visual movement data. Extensive empirical evaluation of the proposed framework, under a comprehensive set of experimental settings, demonstrates the feasibility of such a de-anonymization attack.

Tingjie Wan,Liangyuting Zhang,Yunxin Xu,Zixuan Guo,Boyu Gao,Hai-Ning Liang

DOI: https://doi.org/10.1109/TVCG.2024.3456195

Abstract:Authentication in digital security relies heavily on text-based passwords, even with other available methods like biometrics and graphical passwords. While virtual reality (VR) keyboards are typically invisible to onlookers, the presence of inconspicuous sensors, including accelerometers, gyroscopes, and barometers, poses a potential risk of unauthorized observation and recording. Traditional defense shoulder-surfing attack methods typically involve breaking apart the Qwerty layout, which destroys the user's inherent familiarity with the layout. This research addresses the need for secure password entry in VR environments while retaining the Qwerty layout. We explore three keyboard-related position alteration strategies to ensure security while mitigating the decline in user experience. These strategies involve moving the entire keyboard, cursor, and keys. Our theoretical study assesses the effectiveness of these strategies against shoulder-surfing attacks. Two user studies, employing ray-based and position-based text entry methods, respectively, evaluate the practical effectiveness of the three strategies in resisting shoulder-surfing attacks, as well as their impact on typing performance and user experience. Our findings demonstrate that the three strategies achieve shoulder-surfing attack resistance comparable to a random layout keyboard. Moreover, compared to a random layout, the two strategies involving the movement of the entire keyboard and the repositioning of keys support faster entry rates and enhanced user experience.

Li Lu,Jiadi Yu,Yingying Chen,Yanmin Zhu,Xiangyu Xu,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/infocom.2019.8737591

2019-01-01

Abstract:This paper demonstrates the feasibility of a side-channel attack to infer keystrokes on touch screen leveraging an off-the-shelf smartphone. Although there exist some studies on keystroke eavesdropping attacks on touch screen, they are mainly direct eavesdropping attacks, i.e., require the device of victims compromised to provide side-channel information for the adversary, which are hardly launched in practical scenarios. In this work, we show the practicability of an indirect eavesdropping attack, KeyListener, which infers keystrokes on QWERTY keyboards of touch screen leveraging audio devices on a smartphone. We investigate the attenuation of acoustic signals, and find that a user’s keystroke fingers can be localized through the attenuation of acoustic signals received by the microphones in the smartphone. We then utilize the attenuation of acoustic signals to localize each keystroke, and further analyze errors induced by ambient noises. To improve the accuracy of keystroke localization, KeyListener further tracks finger movements during inputs through phase change and Doppler effect to reduce errors of acoustic signal attenuation-based keystroke localization. In addition, a binary tree-based search approach is employed to infer keystrokes in a context-aware manner. The proposed keystroke eavesdropping attack is robust to various environments without the assistance of additional infrastructures. Extensive experiments demonstrate that the accuracy of keystroke inference in top-5 candidates can approach 90% with a top-5 error rate of around 6%, which is a strong indication of the possible user privacy leakage of inputs on QWERTY keyboard.

Samantha Aziz,Oleg Komogortsev

2024-11-18

Abstract:Virtual reality (VR) devices use a variety of sensors to capture a rich body of user-generated data, which can be misused by malicious parties to covertly infer information about the user. Privacy-enhancing techniques seek to reduce the amount of personally identifying information in sensor data, but these techniques are typically developed for a subset of data streams that are available on the platform, without consideration for the auxiliary information that may be readily available from other sensors. In this paper, we evaluate whether body motion data can be used to circumvent the privacy protections applied to eye tracking data to enable user identification on a VR platform, and vice versa. We empirically show that eye tracking, headset tracking, and hand tracking data are not only informative for inferring user identity on their own, but contain complementary information that can increase the rate of successful user identification. Most importantly, we demonstrate that applying privacy protections to only a subset of the data available in VR can create an opportunity for an adversary to bypass those privacy protections by using other unprotected data streams that are available on the platform, performing a user identification attack as accurately as though a privacy mechanism was never applied. These results highlight a new privacy consideration at the intersection between eye tracking and VR, and emphasizes the need for privacy-enhancing techniques that address multiple technologies comprehensively.

Human-Computer Interaction

Brandon Falk,Yan Meng,Yuxia Zhan,Haojin Zhu

DOI: https://doi.org/10.1145/3460120.3485345

2021-01-01

Abstract:Virtual reality (VR) is on the precipice of entering mainstream entertainment with devices equipped with a multitude of sensing, tracking, and internet capabilities that can reshape the current infotainment industry such as online gaming or conferences with novel features. With VR techniques, the online gamer or conference attendances could choose to keep their identity anonymous by easily altering their appearances (i.e., avatars). However, in this study, we present ReAvatar, a novel de-anonymization attack that identifies users by their virtual avatar via a correlation in specific recorded movements. Using 3D pose estimation, we train a sophisticated machine learning model with user movement data recorded while performing a set of movements in real life and then again with their avatars. We then map correlations between these two sets of movement data using a bespoke agglomerative clustering algorithm and establish relationship between the user's virtual and real-life identity. ReAvatar achieves 89.60% accuracy in detecting a unique user among multiple avatars. The security and privacy implications of this paper will be foundational for users and researchers alike that explore the realm of virtual reality.

Vivek Nair,Gonzalo Munilla Garrido,Dawn Song,James F. O'Brien

DOI: https://doi.org/10.56553/popets-2023-0108

2023-12-13

Abstract:Fifty study participants playtested an innocent-looking "escape room" game in virtual reality (VR). Within just a few minutes, an adversarial program had accurately inferred over 25 of their personal data attributes, from anthropometrics like height and wingspan to demographics like age and gender. As notoriously data-hungry companies become increasingly involved in VR development, this experimental scenario may soon represent a typical VR user experience. Since the Cambridge Analytica scandal of 2018, adversarially designed gamified elements have been known to constitute a significant privacy threat in conventional social platforms. In this work, we present a case study of how metaverse environments can similarly be adversarially constructed to covertly infer dozens of personal data attributes from seemingly anonymous users. While existing VR privacy research largely focuses on passive observation, we argue that because individuals subconsciously reveal personal information via their motion in response to specific stimuli, active attacks pose an outsized risk in VR environments.

Cryptography and Security

Vivek Nair,Christian Rack,Wenbo Guo,Rui Wang,Shuixian Li,Brandon Huang,Atticus Cull,James F. O'Brien,Marc Latoschik,Louis Rosenberg,Dawn Song

2023-06-11

Abstract:Motion tracking "telemetry" data lies at the core of nearly all modern virtual reality (VR) and metaverse experiences. While generally presumed innocuous, recent studies have demonstrated that motion data actually has the potential to uniquely identify VR users. In this study, we go a step further, showing that a variety of private user information can be inferred just by analyzing motion data recorded from VR devices. We conducted a large-scale survey of VR users (N=1,006) with dozens of questions ranging from background and demographics to behavioral patterns and health information. We then obtained VR motion samples of each user playing the game "Beat Saber," and attempted to infer their survey responses using just their head and hand motion patterns. Using simple machine learning models, over 40 personal attributes could be accurately and consistently inferred from VR motion data alone. Despite this significant observed leakage, there remains limited awareness of the privacy implications of VR motion data, highlighting the pressing need for privacy-preserving mechanisms in multi-user VR applications.

Human-Computer Interaction,Cryptography and Security

Sarina Dastgerdy

2024-07-23

Abstract:Various industries have widely adopted Virtual Reality (VR) and Augmented Reality (AR) technologies to enhance productivity and user experiences. However, their integration introduces significant security challenges. This systematic literature review focuses on identifying devices used in AR and VR technologies and specifies the associated vulnerabilities, particularly during the reconnaissance phase and vulnerability assessment, which are critical steps in penetration testing. Following Kitchenham and Charters' guidelines, we systematically selected and analyzed primary studies. The reconnaissance phase involves gathering detailed information about AR and VR systems to identify potential attack vectors. In the vulnerability assessment phase, these vectors are analyzed to pinpoint weaknesses that malicious actors could exploit. Our findings reveal that AR and VR devices, such as headsets (e.g., HTC Vive, Oculus Quest), development platforms (e.g., Unity Framework, Google Cardboard SDK), and applications (e.g., Bigscreen VR, VRChat), are susceptible to various attacks, including remote code execution, cross-site scripting (XSS), eavesdropping, and man-in-the-room attacks. Specifically, the Bigscreen VR application exhibited severe vulnerabilities like remote code execution (RCE) via the 'Application.OpenURL' API, XSS in user inputs, and botnet propagation. Similarly, the Oculus Quest demonstrated susceptibility to side-channel attacks and ransomware. This paper provides a detailed overview of specific device vulnerabilities and emphasizes the importance of the initial steps in penetration testing to identify security weaknesses in AR and VR systems. By highlighting these vulnerabilities, we aim to assist researchers in exploring and mitigating these security challenges, ensuring the safe deployment and use of AR and VR technologies across various sectors.

Cryptography and Security

Jingjie Li,Sunpreet Singh Arora,Kassem Fawaz,Younghyun Kim,Can Liu,Sebastian Meiser,Mohsen Minaei,Maliheh Shirvanian,Kim Wagner

2023-06-04

Abstract:Users readily embrace the rapid advancements in virtual reality (VR) technology within various everyday contexts, such as gaming, social interactions, shopping, and commerce. In order to facilitate transactions and payments, VR systems require access to sensitive user data and assets, which consequently necessitates user authentication. However, there exists a limited understanding regarding how users' unique experiences in VR contribute to their perception of security. In our study, we adopt a research approach known as ``technology probe'' to investigate this question. Specifically, we have designed probes that explore the authentication process in VR, aiming to elicit responses from participants from multiple perspectives. These probes were seamlessly integrated into the routine payment system of a VR game, thereby establishing an organic study environment. Through qualitative analysis, we uncover the interplay between participants' interaction experiences and their security perception. Remarkably, despite encountering unique challenges in usability during VR interactions, our participants found the intuitive virtualized authentication process beneficial and thoroughly enjoyed the immersive nature of VR. Furthermore, we observe how these interaction experiences influence participants' ability to transfer their pre-existing understanding of authentication into VR, resulting in a discrepancy in perceived security. Moreover, we identify users' conflicting expectations, encompassing their desire for an enjoyable VR experience alongside the assurance of secure VR authentication. Building upon our findings, we propose recommendations aimed at addressing these expectations and alleviating potential conflicts.

Cryptography and Security,Human-Computer Interaction

Ismat Jarin,Yu Duan,Rahmadi Trimananda,Hao Cui,Salma Elmalaki,Athina Markopoulou

2024-09-23

Abstract:Virtual reality (VR) platforms enable a wide range of applications, however, pose unique privacy risks. In particular, VR devices are equipped with a rich set of sensors that collect personal and sensitive information (e.g., body motion, eye gaze, hand joints, and facial expression). The data from these newly available sensors can be used to uniquely identify a user, even in the absence of explicit identifiers. In this paper, we seek to understand the extent to which a user can be identified based solely on VR sensor data, within and across real-world apps from diverse genres. We consider adversaries with capabilities that range from observing APIs available within a single app (app adversary) to observing all or selected sensor measurements across multiple apps on the VR device (device adversary). To that end, we introduce BehaVR, a framework for collecting and analyzing data from all sensor groups collected by multiple apps running on a VR device. We use BehaVR to collect data from real users that interact with 20 popular real-world apps. We use that data to build machine learning models for user identification within and across apps, with features extracted from available sensor data. We show that these models can identify users with an accuracy of up to 100%, and we reveal the most important features and sensor groups, depending on the functionality of the app and the adversary. To the best of our knowledge, BehaVR is the first to analyze user identification in VR comprehensively, i.e., considering all sensor measurements available on consumer VR devices, collected by multiple real-world, as opposed to custom-made, apps.

Human-Computer Interaction,Cryptography and Security

Ethan Wilson,Azim Ibragimov,Michael J. Proulx,Sai Deep Tetali,Kevin Butler,Eakta Jain

DOI: https://doi.org/10.1109/tvcg.2024.3372032

IF: 5.2

2024-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Eye tracking is routinely being incorporated into virtual reality (VR) systems. Prior research has shown that eye tracking data, if exposed, can be used for re-identification attacks [14]. The state of our knowledge about currently existing privacy mechanisms is limited to privacy-utility trade-off curves based on data-centric metrics of utility, such as prediction error, and black-box threat models. We propose that for interactive VR applications, it is essential to consider user-centric notions of utility and a variety of threat models. We develop a methodology to evaluate real-time privacy mechanisms for interactive VR applications that incorporate subjective user experience and task performance metrics. We evaluate selected privacy mechanisms using this methodology and find that re-identification accuracy can be decreased to as low as 14% while maintaining a high usability score and reasonable task performance. Finally, we elucidate three threat scenarios (black-box, black-box with exemplars, and white-box) and assess how well the different privacy mechanisms hold up to these adversarial scenarios. This work advances the state of the art in VR privacy by providing a methodology for end-to-end assessment of the risk of re-identification attacks and potential mitigating solutions. f.

computer science, software engineering

Ruxin Wang,Long Huang,Chen Wang

DOI: https://doi.org/10.1109/sp46215.2023.10179367

2023-01-01

Abstract:While Virtual Reality (VR) applications are becoming increasingly common, efficiently verifying a VR device user before granting personal access is still a challenge. Existing VR authentication methods require users to enter PINs or draw graphical passwords using controllers. Though the entry is in the virtual space, it can be observed by others in proximity and is subject to critical security issues. Furthermore, the in-air hand movements or handheld controller-based authentications require active user participation and are not time-efficient. This work proposes a low-effort VR device authentication system based on the unique skull-reverberated sounds, which can be acquired when the user wears the VR device. Specifically, when the user puts on the VR device or is wearing it to log into an online account, the proposed system actively emits an ultrasonic signal to initiate the authentication session. The signal returning to the VR device's microphone has been reverberated by the user's head, which is unique in size, skull shape and mass. We thus extract head biometric information from the received signal for unobtrusive VR device authentication. Though active acoustic sensing has been broadly used on mobile devices, no prior work has ever successfully applied such techniques to commodity VR devices. Because VR devices are designed to provide users with virtual reality immersion, the echo sounds used for active sensing are unwanted and severely suppressed. The raw audio before this process is also not accessible without kernel/hardware modifications. Thus, our work further solves the challenge of active acoustic sensing under echo cancellation to enable deploying our system on off-the-shelf VR devices. Additionally, we show that the echo cancellation mechanism is naturally good to prevent acoustic replay attacks. The proposed system is developed based on an autoencoder and a convolutional neural network for biometric data extraction and recognition. Experiments with a standalone and a mobile phone VR headset show that our system efficiently verifies a user and is also replay-resistant.

Mohd Sabra,Anindya Maiti,Murtuza Jadliwala

DOI: https://doi.org/10.48550/arXiv.2010.12078

2020-10-23

Abstract:Due to recent world events, video calls have become the new norm for both personal and professional remote communication. However, if a participant in a video call is not careful, he/she can reveal his/her private information to others in the call. In this paper, we design and evaluate an attack framework to infer one type of such private information from the video stream of a call -- keystrokes, i.e., text typed during the call. We evaluate our video-based keystroke inference framework using different experimental settings and parameters, including different webcams, video resolutions, keyboards, clothing, and backgrounds. Our relatively high keystroke inference accuracies under commonly occurring and realistic settings highlight the need for awareness and countermeasures against such attacks. Consequently, we also propose and evaluate effective mitigation techniques that can automatically protect users when they type during a video call.

Cryptography and Security,Computer Vision and Pattern Recognition,Human-Computer Interaction