Tuesday, December 3, 2024
HomeCyber Security NewsNew Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

New Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

Published on

SIEM as a Service

In recent years, personal data security has surged in importance due to digital device usage. Side-channel attacks exploit system side effects to gather information. 

Electronic emissions are a known vulnerability to such attacks. Acoustic side-channel attacks are particularly threatening. In this attack, threat actors utilize the device’s sound emissions to extract sensitive data.

Cybersecurity researchers, Alireza Taheritajar and Reza Rahaeimehr from Augusta University recently discovered a new acoustic keyboard side-channel attack that lets hackers steal sensitive data.

- Advertisement - SIEM as a Service

Acoustic Keyboard Side Channel Attack

Keyboard acoustic side-channel attacks enable threat actors to remotely capture keystroke sounds through microphones and analyze waveforms to determine sensitive information like timing and intensity.

They exploit this data despite background noise challenges, utilizing techniques like statistical analysis, machine learning, signal processing, acoustic triangulation, and Time Difference of Arrival (TDoA).

This made some past studies to limit environmental conditions or ignore irregularities that could interfere with the results. 

However, noise from the surroundings and typing habits of a user are among those factors that are often not considered though they can change how people use keys leading to variations in recognition accuracy.

number of letters on the success rate

This is further complicated by interactions between models and other attributes of emissions that do not have uniform patterns, as well as their dependence on environmental circumstances. 

It also provides an opportunity for keyboard models themselves to spoil up algorithms when altered due to special sound features.

In recent times deep learning approaches bring further complexity to obtaining consistent outcomes. 

In this paper, researchers proposed another approach aimed at eliminating these drawbacks.

It consists of capturing keystroke audio, extracting timing data, training a statistical model for prediction, testing on unknown recordings, and enhancing results with an English dictionary. 

The interface of the data gathering software (Source – Arxiv)

The proposed method analyses typing patterns so as to be able to predict words even in real environments where there is noise and without limiting the keyboard models used.

Researchers’ method assumes identifying the victim, but ours isn’t limited to specific keyboard brands.

They expect victims to work in quiet rooms, allowing noise control through signal processing. 

They gather typing samples, text, and ambient noise to train statistical models.

Analysts assume an oracle can split audio into word files, which is realistic as users often generate distinct sounds by pressing the Enter or Space keys after typing.

A Windows app written in C# by experts to record keystroke sounds under three conditions:- 

  • Users just typing
  • Researchers typing sentences
  • Developers using normal words

Different sentences and words were chosen to represent various styles and trends of English typing.

Researchers conducted an IRB-approved study to collect typing patterns from 20 adult users, ensuring confidentiality and anonymity. 

Datasets included common English words to measure word length’s impact on prediction accuracy.

Visual representation in Figure 5 shows success rates increasing with word length up to six letters, then plateauing.

The researchers are trying to reduce reliance on environmental conditions in their approach, but accurately capturing the keyboard sounds is very important for precise keystroke identification. 

Acoustic detection methods rely on the production of sufficient sound by keyboards in order to overcome challenges with softer keys that may lower the accuracy. 

The technique supposes that users maintain consistent and recognizable typing patterns when constructing datasets. 

In this way, it is possible to deduce whether a certain key was pressed or not based on the variance between different key presses on the same computer.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...