Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP.
Acoustic emanations of computer keyboards represent a serious privacy issue.
As demonstrated in prior work, physical properties of keystroke sounds might
reveal what a user is typing. However, previous attacks assumed relatively
strong adversary models that are not very practical in many real-world
settings. Such strong models assume: (i) adversary's physical proximity to the
victim, (ii) precise profiling of the victim's typing style and keyboard,
and/or (iii) a significant amount of the victim's typed information (and its
corresponding sounds) available to the adversary.
This paper presents and explores a new keyboard acoustic eavesdropping attack
that involves Voice-over-IP (VoIP), called Skype & Type (S&T), while avoiding
prior strong adversary assumptions. This work is motivated by the simple
observation that people often engage in secondary activities (including typing)
while participating in VoIP calls. As expected, VoIP software acquires and
faithfully transmits all sounds, including emanations of pressed keystrokes,
which can include passwords and other sensitive information. We show that one
very popular VoIP software (Skype) conveys enough audio information to
reconstruct the victim's input -- keystrokes typed on the remote keyboard. Our
results demonstrate that, given some knowledge of the victim's typing style and
keyboard model, the attacker attains top-5 accuracy of 91.7% in guessing a
random key pressed by the victim.
Furthermore, we demonstrate that S&T is robust to various VoIP issues (e.g.,
Internet bandwidth fluctuations and presence of voice over keystrokes), thus
confirming feasibility of this attack. Finally, it applies to other popular
VoIP software, such as Google Hangouts.
Comment: To appear in ACM Asia Conference on Computer and Communications
Security (ASIACCS) 2017. 13 pages, 17 figures