zlacker

New acoustic attack steals data from keystrokes with 95% accuracy

submitted by mikece+(OP) on 2023-08-05 16:33:56 | 455 points 227 comments

30. ben_w+IA 2023-08-05 20:25:06
>>rainco+Bz
Finally, a use for Buffy's Swearing Keyboard.

Or possibly the exact opposite of that, I can't tell if it's a one-to-one mapping on mobile: https://www2.b3ta.com/buffyswear/

(Also, I'm feeling my age now, given how many years have elapsed since that kind of thing passed for internet culture…)

56. swid+bG 2023-08-05 21:10:08
>>tehsau+5B
Some old TV remotes used to work this way. They were made by Zenith and are called Space Command remotes. Apparently they are the reason TV remotes are sometimes called clickers.

https://www.theverge.com/23810061/zenith-space-command-remot...

69. ariym+zL 2023-08-05 21:56:23
>>mikece+(OP)
Georgi Gerganov created one a few years ago

https://github.com/ggerganov/kbd-audio

85. elderl+EO 2023-08-05 22:25:54
>>mikece+(OP)
In response to this post, I just open-sourced a starter project for a variation of this idea: https://github.com/secretlessai/audio-mnist. I've been interested in applying image-classification techniques like CNNs to audio data for a while.

A couple years ago for a weekend project I made a simple "audio-mnist" dataset from handwritten digit audio recordings. I never got past a few days worth of work, but open-sourcing it has been on my mind for a minute. This post kicked me into action. Getting some more data, basic CNN examples, etc. could provide a nice starting point for a lot of research and tools.

There is still separate code I'd have to find and make intelligible to create the recordings and split the audio.

Anyway, in case anyone finds part of this process interesting or useful.

90. foobie+5R 2023-08-05 22:48:12
>>Tempes+7k
Given your username, you might find this interesting:

https://en.m.wikipedia.org/wiki/Tempest_(codename)

TEMPEST considered almost everything from electromagnetic leakage to exactly the attack described here.

111. snet0+Y11 2023-08-06 00:28:10
>>mikece+(OP)
I did a similar acoustic side-channel attack as a final-year project at uni. There's a treasure trove of findings in this area; I'm just waiting for someone to combine methodologies. There are pretty good results using geometric models, trained and untrained statistical models like this one and others, and combining these features with assorted language models.

Here are a few random papers I read along the way:

https://doi.org/10.1007/s10207-019-00449-8 - SonarSnoop, which uses a phone's speaker to produce ultrasonic audio that can be used to profile the user's interaction (e.g. entering swipe-based passcodes).

https://people.eecs.berkeley.edu/~daw/papers/ssh-use01.pdf - "Timing Analysis of Keystrokes and Timing Attacks on SSH", a paper from 2001 that uses statistical models of keystroke timings to retrieve passwords from encrypted SSH traffic.

https://doi.org/10.1145/1609956.1609959 - "Keyboard acoustic emanations revisited", which uses hidden Markov models and some other English language features to recover text based on classification via cepstrum features.

https://doi.org/10.1145/2660267.2660296 - "Context-free Attacks Using Keyboard Acoustic Emanations" which uses a geometric approach, using time-difference-of-arrival to estimate physical locations probabilistically.

112. antega+821 2023-08-06 00:30:22
>>mikece+(OP)
This is hardly a new concept btw.

In 2005, at ACM's CCS, Zhuang, Zhou and Tygar presented "Keyboard Acoustic Emanations Revisited" [1]:

    We examine the problem of keyboard acoustic emanations. We
    present a novel attack taking as input a 10-minute sound recording
    of a user typing English text using a keyboard, and then recovering 
    up to 96% of typed characters. There is no need for a labeled
    training recording. Moreover the recognizer bootstrapped this way
    can even recognize random text such as passwords: In our experiments, 
    90% of 5-character random passwords using only letters can
    be generated in fewer than 20 attempts by an adversary; 80% of 10-
    character passwords can be generated in fewer than 75 attempts.
    Our attack uses the statistical constraints of the underlying content, 
    English language, to reconstruct text from sound recordings
    without any labeled training data. The attack uses a combination
    of standard machine learning and speech recognition techniques,
    including cepstrum features, Hidden Markov Models, linear classification, 
    and feedback-based incremental learning
which builds on Asonov & Agrawal's work [2]; they came up with the idea the previous year (2004):

    We show that PC keyboards, notebook keyboards, telephone 
    and ATM pads are vulnerable to attacks based on
    differentiating the sound emanated by different keys. Our
    attack employs a neural network to recognize the key being 
    pressed. We also investigate why different keys produce
    different sounds and provide hints for the design of homophonic 
    keyboards that would be resistant to this type of attack.
[1] https://dl.acm.org/doi/10.1145/1609956.1609959

[2] https://ieeexplore.ieee.org/document/1301311

127. 6510+hd1 2023-08-06 02:25:29
>>antega+821
maybe...

https://news.mit.edu/2014/algorithm-recovers-speech-from-vib...

157. blharr+Jq1 2023-08-06 05:24:50
>>sandwo+qn1
The bank pin UI from the game RuneScape comes to mind. https://imgur.io/UAgrY7e?r

The locations of the numbers move around to prevent mouseloggers from recording your movements.

It seems like any way of doing it would end up slowing down the typist though. If it is just for the password, I could see it being possible, but if you're dealing with lots of information that needs to be protected, then it seems impossible.

180. dasyat+cz1 2023-08-06 07:28:57
>>somepl+981
You want https://github.com/zevv/bucklespring then.

Lagniappe: “To temporarily silence bucklespring, for example to enter secrets, press ScrollLock twice”

207. angry_+t02 2023-08-06 12:58:05
>>cmod+lx1
High security safe locks have had protection against this for a long time: you press up/down arrows to move from a random starting digit to the correct digit.

On-screen PIN entry with jumbled number mappings does the same thing. It also makes the inter-stroke delay rather independent of position, because the brain has to search the screen (although repeated digits and previously occurring digits are quicker, which is why some jumble at every keystroke).

Keyboards with OLED keys (like the Apple Touchbar or the Optimus[1]) might also work.

[1] https://www.artlebedev.com/optimus/popularis/
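The two mitigations this post describes, a PIN pad whose digit layout is jumbled (once per session, or again after every keystroke) and a safe-lock dial that starts at a random digit and is moved with up/down presses, can be simulated to show what an observer who only sees key positions or counts clicks learns about the secret. The following is an added example written for this thread; it is not code from the thread or from any project linked in it. The observer model (someone who records which physical position was pressed, or how many arrow clicks were made, but cannot see the screen), the mode names and every function name are assumptions of this example.

```python
# Added example (not from the thread): simulates jumbled PIN pads and a
# random-start dial, and measures what a position/click observer learns.
import random
from collections import Counter

DIGITS = "0123456789"


def make_layout(rng, mode):
    """Map physical position (list index) -> digit shown at that position.
    'fixed' is a standard 0-9 pad; any jumbled mode is a fresh permutation."""
    layout = list(DIGITS)
    if mode != "fixed":
        rng.shuffle(layout)
    return layout


def enter_pin(pin, rng, mode):
    """Simulate typing `pin` and return the physical positions pressed, which
    is all a mouse logger or position-based observer would see.
    mode: 'fixed' (static pad), 'jumbled_once' (shuffled once per entry),
    'jumbled_each' (reshuffled after every keystroke)."""
    layout = make_layout(rng, mode)
    pressed = []
    for d in pin:
        pressed.append(layout.index(d))
        if mode == "jumbled_each":
            layout = make_layout(rng, mode)
    return pressed


def equality_pattern(seq):
    """Canonical 'which items repeat' pattern, e.g. 'aabc' -> (0, 0, 1, 2).
    A pad jumbled only once leaks this, since one digit keeps one position."""
    labels, out = {}, []
    for item in seq:
        out.append(labels.setdefault(item, len(labels)))
    return tuple(out)


def naive_recovery_rate(mode, trials, seed, pin_len=4):
    """Fraction of random PINs an observer recovers by reading the pressed
    positions as if the pad had the standard 0-9 layout."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_len))
        guess = "".join(DIGITS[p] for p in enter_pin(pin, rng, mode))
        hits += guess == pin
    return hits / trials


def pattern_leak_rate(pin, mode, trials, seed):
    """How often the observed position-repeat pattern equals the PIN's own
    digit-repeat pattern (1.0 means the pad always reveals which digits repeat)."""
    rng = random.Random(seed)
    target = equality_pattern(pin)
    hits = sum(equality_pattern(enter_pin(pin, rng, mode)) == target
               for _ in range(trials))
    return hits / trials


def first_position_histogram(pin, mode, trials, seed):
    """Distribution of the physical position pressed for the PIN's first digit."""
    rng = random.Random(seed)
    return Counter(enter_pin(pin, rng, mode)[0] for _ in range(trials))


def dial_entry(pin, rng):
    """Safe-lock style entry: each digit starts at a random value and the user
    presses up/down to reach the target, taking the shorter way (ties go up).
    Returns the signed arrow-press count per digit, i.e. what a click counter hears."""
    presses = []
    for d in pin:
        delta = (int(d) - rng.randrange(10)) % 10   # presses needed going up
        presses.append(delta - 10 if delta > 5 else delta)
    return presses


def dial_click_histogram(digit, trials, seed):
    """Distribution of observed click counts when entering one fixed digit."""
    rng = random.Random(seed)
    return Counter(dial_entry(digit, rng)[0] for _ in range(trials))


if __name__ == "__main__":
    for mode in ("fixed", "jumbled_once", "jumbled_each"):
        print(mode, "naive recovery:", naive_recovery_rate(mode, 2000, 0),
              "repeat-pattern leak for 1122:", pattern_leak_rate("1122", mode, 2000, 0))
    print("dial clicks for digit 7:", sorted(dial_click_histogram("7", 5000, 0).items()))
```

Reading positions off a fixed pad recovers every PIN; on a jumbled pad the first position pressed is uniform over all ten keys whatever the secret is, and the dial's click count is uniform over the ten possible offsets whatever the target digit is. The simulation also shows the weakness the post gives as the reason for re-jumbling at every keystroke: a pad shuffled only once still reveals exactly which digits of the PIN repeat, because a repeated digit lands on the same position each time. The model ignores timing, which the post notes is a separate leak.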

208. assbut+H02 2023-08-06 12:59:15
>>harles+zx1
I don't think that's quite right. Many switches including tactiles will make a sound when the switch tops out, from the stem hitting the housing.

As far as I know, Cherry blues only click once and the second sound you hear on a keypress is just the topping out sound.

https://cdn-blog.adafruit.com/uploads/2016/09/Blue.gif

210. angry_+122 2023-08-06 13:09:26
>>mikece+(OP)
There's a great scene in Le chant du Loup (The Wolf's Call), a 2019 French submarine flick (at one point on Netflix), where the sonar guy hears a password typed and reconstructs it from the sound of each keystroke.

https://youtu.be/a9Gz7Bg07u8

This attack is about as realistic as the film: a parallel universe where million to one chances happen nine times out of ten.
