Eyeglass Reflections Can Expose Sensitive Data During Video Calls
A team of researchers from the University of Michigan (USA) and Zhejiang University (China) has warned that people who wear glasses should be extra cautious during video calls and conferences. The reason: confidential information displayed on your screen can be reflected in your eyeglass lenses and potentially deciphered by others.
With the onset of the COVID-19 pandemic and the widespread shift to remote work, video conferencing has become commonplace. The researchers argue that the resulting privacy issues deserve attention, which is why they focused on this unusual attack vector.
How Attackers Can Steal Data Through Eyeglass Reflections
According to the researchers, platforms like Zoom and other video conferencing tools can be exploited by malicious actors to capture information that is accidentally reflected in objects such as eyeglasses.
“Our models and experimental results in controlled lab conditions show that, using a 720p webcam, it is possible to reconstruct and recognize with over 75% accuracy text on a screen as small as 10 mm in height,” the scientists wrote. “Our study involving 20 participants demonstrates that modern 720p webcams are sufficient for attackers to reconstruct textual content from websites with large fonts.”
The researchers also found that attackers could use this technique to identify which websites victims are visiting. When the goal was to identify only the specific site visible in the reflection, they were able to recognize 94% of the top 100 Alexa-ranked websites.
Moreover, the experts believe that 4K webcams will make it easy to reconstruct most text headlines on popular websites and in some documents.
Factors Affecting the Risk
Several factors can influence how easily text can be distinguished in eyeglass reflections. These include the participant’s skin tone, ambient lighting intensity, screen brightness, the contrast between text and background on the webpage or app, and the characteristics of the eyeglass lenses themselves.
“We believe that possible attack vectors range from everyday discomfort (for example, a boss monitoring what employees are viewing during a work video meeting) to more serious business scenarios where reflections could lead to the leakage of important information during negotiations,” the report states.
How to Reduce the Risk
To mitigate these risks, the researchers suggest using software that can blur the eyeglass area in the video frame. Some video conferencing solutions already offer such features, though they are not yet fully developed. The experts have even created their own real-time eyeglass blurring filter, and its code is available on GitHub.