Researchers have known for a long time that acoustic signals from keyboards can be intercepted and used to spy on users, but those attacks rely on grabbing the electronic emanation from the keyboard. New research from the University of California Irvine shows that an attacker, who has not compromised a target’s PC, can record the acoustic emanations of a victim’s keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.
The researchers found that when connected to a target user on a Skype call, they could record the audio of the user’s keystrokes. With a small amount of knowledge about the victim’s typing style and the keyboard he’s using, the researchers could accurately get 91.7 percent of keystrokes. The attack does not require any malware on the victim’s machine and simply takes advantage of the way that VoIP software acquires acoustic emanations from the machine it’s on.
“Skype is used by a huge number of people worldwide,” said Gene Tsudik, Chancellor’s Professor of computer science at UCI, and one of the authors of the new paper. “We have shown that during a Skype video or audio conference, your keystrokes are subject to recording and analysis by your call partners. They can learn exactly what you type, including confidential information such as passwords and other very personal stuff.”
As the researchers point out, a lot of people who are on Skype calls do other things while they’re connected. They send emails, chat messages, or take notes, and the keystrokes produce sounds that are transmitted to the other parties on the call. While many people use Skype and other VoIP apps to talk to friends around the world, these apps also are used for business meetings and the parties on the calls may not always be friends. If an attacker has a bit of knowledge about what kind of computer the target is using, he would be well on his way.
“It’s possible to build a profile of the acoustic emanation generated by each key on a given keyboard,” Tsudik said. “For example, the T on a MacBook Pro ‘sounds’ different from the same letter on another manufacturer’s product. It also sounds different from the R on the same keyboard, which is right next to T.”
Even without knowing anything about the keyboard the victim is using, or his typing style, an attacker still has about a 42 percent chance of guessing which key the target is pressing. The keyboards on touch screens aren’t vulnerable to this kind of attack, which the researchers call Skype & Type.
“S&T attack transpires as follows: during a VoIP call between the victim and the attacker, the former types something on target-device, e.g., a password, that we refer to as targettext. Typing target-text causes acoustic emanations from targetdevice’s keyboard, which are then picked up by the targetdevice’s microphone and transmitted to the attacker by VoIP. The goal of the attacker is to learn the target-text by taking advantage of these emanations,” the paper, entitled “Don’t Skype & Type! Acoustic Eavesdropping in Voice-Over-IP”, says.
One potential use for this attack would be to record a user typing a password into a given site or application. The researchers say that their attack could greatly reduce the amount of effort an attacker would need to exert in order to get a victim’s password versus a typical brute-force attack. There are some countermeasures to the researchers’ new attack, including adding extra noise to the channel as the user types.
“A simple countermeasure to our attack could be a short ‘ducking’ effect, a technique where we greatly reduce the volume of the microphone and overlap it with a different sound, when a keystroke is detected. However, this could ruin the quality of the voice call, as the voice is removed in its entirety as well. An effective countermeasure should be less intrusive as possible, and disrupt only the sound of the keystrokes, avoiding to ruin the call of the user,” the paper says.