Tuesday, July 23, 2024

New Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

In recent years, personal data security has surged in importance due to digital device usage. Side-channel attacks exploit system side effects to gather information. 

Electronic emissions are a known vulnerability to such attacks. Acoustic side-channel attacks are particularly threatening. In this attack, threat actors utilize the device’s sound emissions to extract sensitive data.

Cybersecurity researchers, Alireza Taheritajar and Reza Rahaeimehr from Augusta University recently discovered a new acoustic keyboard side-channel attack that lets hackers steal sensitive data.

Acoustic Keyboard Side Channel Attack

Keyboard acoustic side-channel attacks enable threat actors to remotely capture keystroke sounds through microphones and analyze waveforms to determine sensitive information like timing and intensity.

They exploit this data despite background noise challenges, utilizing techniques like statistical analysis, machine learning, signal processing, acoustic triangulation, and Time Difference of Arrival (TDoA).

This made some past studies to limit environmental conditions or ignore irregularities that could interfere with the results. 

However, noise from the surroundings and typing habits of a user are among those factors that are often not considered though they can change how people use keys leading to variations in recognition accuracy.

number of letters on the success rate

This is further complicated by interactions between models and other attributes of emissions that do not have uniform patterns, as well as their dependence on environmental circumstances. 

It also provides an opportunity for keyboard models themselves to spoil up algorithms when altered due to special sound features.

In recent times deep learning approaches bring further complexity to obtaining consistent outcomes. 

In this paper, researchers proposed another approach aimed at eliminating these drawbacks.

It consists of capturing keystroke audio, extracting timing data, training a statistical model for prediction, testing on unknown recordings, and enhancing results with an English dictionary. 

The interface of the data gathering software (Source – Arxiv)

The proposed method analyses typing patterns so as to be able to predict words even in real environments where there is noise and without limiting the keyboard models used.

Researchers’ method assumes identifying the victim, but ours isn’t limited to specific keyboard brands.

They expect victims to work in quiet rooms, allowing noise control through signal processing. 

They gather typing samples, text, and ambient noise to train statistical models.

Analysts assume an oracle can split audio into word files, which is realistic as users often generate distinct sounds by pressing the Enter or Space keys after typing.

A Windows app written in C# by experts to record keystroke sounds under three conditions:- 

  • Users just typing
  • Researchers typing sentences
  • Developers using normal words

Different sentences and words were chosen to represent various styles and trends of English typing.

Researchers conducted an IRB-approved study to collect typing patterns from 20 adult users, ensuring confidentiality and anonymity. 

Datasets included common English words to measure word length’s impact on prediction accuracy.

Visual representation in Figure 5 shows success rates increasing with word length up to six letters, then plateauing.

The researchers are trying to reduce reliance on environmental conditions in their approach, but accurately capturing the keyboard sounds is very important for precise keystroke identification. 

Acoustic detection methods rely on the production of sufficient sound by keyboards in order to overcome challenges with softer keys that may lower the accuracy. 

The technique supposes that users maintain consistent and recognizable typing patterns when constructing datasets. 

In this way, it is possible to deduce whether a certain key was pressed or not based on the variance between different key presses on the same computer.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles