Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP


Batu69

Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, spectral and temporal properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) adversary's physical proximity to the victim, (ii) precise profiling of the victim's typing style and keyboard, and/or (iii) significant amount of victim's typed information (and its corresponding sounds) available to the adversary.


In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls.

 

VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim's input -- keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim's typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard).

 

Finally, we provide evidence that Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.

 

Article source

I have serious reservations concerning the claims made in this article and my previous experience with acoustics of dialpads on various devices which emit a distinguishing sound that can be equated with a specific key. We spent some serious time and money on this specific subject before we started replacing our PBX with VOIP. Matter of fact, it was 8 years between the wiring installation and the actual implementation. Membrane keyboards don't emit any sound unless there is a program associated with it that emits key clicks. Mechanical keyboards make a sound but you can't differentiate between an A and Z or any other key. This article falls somewhere between fantasy and science fiction. For example, these are the keystrokes for my administrator login/password for work, each 1 is a keypress: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 (should be 57 x 1 there) and one of the 1s represents the enter key because I type in my login, hit enter, and keep typing the password without any change in the speed of typing. For each one that would be a click as I use a mechanical keyboard, so expressing it as a 1 or letting you hear an audio file of click click click click.... would not help you figure out anything, except I am pressing a key.

Archived

This topic is now archived and is closed to further replies.
