Eavesdropping on Typing Over Voice-Over-IP

Interesting research: "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP":

Abstract: Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, spectral and temporal properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) adversary's physical proximity to the victim, (ii) precise profiling of the victim's typing style and keyboard, and/or (iii) significant amount of victim's typed information (and its corresponding sounds) available to the adversary.

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim's input - keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim's typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard). Finally, we provide evidence that Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.

News article.

Posted on October 28, 2016 at 5:24 AM • 15 Comments

Comments

Clive Robinson • October 28, 2016 11:12 AM

Now if my poor aged brain remembers correctly, when Microsoft bought Skype they made some changes...

One of which was that it had to go through MS's servers and secondly they changed the encryption.

Which begs the question "Is MS or their friends listening in" to your conversations? And if as seems likely they can, if they will implement a similar system to grab keystrokes?

If they do then it appears to fit right in with their "Win 10 Collects it all, and phones it home" mentality.

http://arstechnica.com/information-technology/2016/07/skype-finalizes-its-move-to-the-cloud-ignores-the-elephant-in-the-room/

Ross Snider • October 28, 2016 1:18 PM

@Clive Robinson

Wasn't it quite clear from the Snowden Disclosures that the modifications that Microsoft made to Skype enabled them to listen at scale?

Clive Robinson • October 28, 2016 3:24 PM

@ Ross Snider,

Wasn't it quite clear from the Snowden Disclosures...

To my mind and probably yours as well "yes", but to some anything the Ed Snowden disclosures / revelations say is suspect, or false flag or lies etc etc etc.

The fact is there was and is evidence independent of the Snowden trove which can be seen fairly easily and does not require much of the "two plus two" thinking to come up with a worrying answer.

Oh and of course in more recent times we have seen Micro$hafts contempt for people via Win10, as what you might call corroborating evidence.

But I suspect someone will come along and say "No you are wrong, they would never do that..." or similar, such is the way of the world.

Ross Snider • October 28, 2016 5:18 PM

@Clive Robinson

Agreed. Unfortunately people being duped at scale by well funded disinformation campaigns (PR firms, etc) is going to be a hard problem to fix. If the Snowden revelations and corroborating evidence aren't enough to discredit well funded misleading narratives: I'm not really sure what will. Effectively we have multiple very large powers with a joint interest in there being a perception that is at odds with the reality. While familiar territory, I don't know if there's a particularly good playbook that can't be co-opted, discredited or drowned out at some level.

We can very confidently confirm that Skype has been backdoored to hell by Microsoft and intelligence partners. But winning the battle for mass acknowledgement of that fact is difficult, requires immense resources, and requires stepping on the toes of people willing to (at some level of necessity) utilize executive privileges and the full spectrum of law, order and force to its defense.

Winning the battle of mass acknowledgement I think is important, but it isn't a prerequisite for confidently confirming it. Indeed, waiting for mass acknowledgement is a cognitive fallacy (appeal to the masses).

Preach it, and feel sorry for rather than discouraged by the victims of propaganda.

CallMeLateForSupper • October 29, 2016 12:45 PM

"Don't Skype & Type!"

I think I would have written "Mute the Mic Before You Type on Skype!"

(Skype doesn't tempt me. Very nearly all sessions I have seen on TV had garbled, stuttering audio and video.)

Anon • October 30, 2016 12:50 AM

Call me paranoid, but for years I have avoided typing anything that matters whilst talking, for exactly this reason.

Does anyone still use Skype? LOL

Anon • October 30, 2016 12:55 AM

@CallMeLateForSupper: does muting the mic block it at the sound input/hardware level, or does Skype still send it to MS, but not to those in the call?

I'm very skeptical of software muting.

I much prefer to use in-line hardware switches that physically disconnect the mic.

Tom Trottier • October 30, 2016 3:03 AM

They used the microphone in the laptop. This probably leads to a lot of different, tho small, echoes inside the case, as well as providing a louder sound. I imagine a headset would be a lot harder to subvert, especially with more ambient noise from an office or lobby.

Tom Trottier • October 30, 2016 3:13 AM

They also used only the alphabetic keys, so identifying numerics & shifted characters would be harder.
Ditto for the English dictionary they used - good passwords won't be in there.
One mitigation they did not mention would be for the computer to add random noise whenever it detects a keystroke.
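
The noise-on-keystroke mitigation suggested in the comment above, sketched as an added example (it is not part of the comment, the post, or the paper). The click model, the timestamps, and every function name are constructed for illustration; it assumes keystroke times come from OS keyboard events and that the sender buffers a few milliseconds of audio.

```python
import math
import random

def click_template(rate, dur_s=0.010, freq=3000.0, decay_s=0.002):
    """Constructed stand-in for a key click: a 10 ms decaying 3 kHz tone."""
    return [0.5 * math.exp(-i / (decay_s * rate)) * math.sin(2 * math.pi * freq * i / rate)
            for i in range(int(dur_s * rate))]

def synth_mic_audio(rate, seconds, key_times, rng):
    """Constructed microphone capture: faint room noise plus one click per keystroke."""
    audio = [rng.gauss(0.0, 0.002) for _ in range(int(rate * seconds))]
    tmpl = click_template(rate)
    for t in key_times:
        start = int(t * rate)
        for i, v in enumerate(tmpl):
            if start + i < len(audio):
                audio[start + i] += v
    return audio

def mask_keystrokes(audio, rate, key_times, rng, pre_ms=5, post_ms=40, noise_rms=0.3):
    """Add Gaussian noise around each keystroke time before the audio is sent.

    key_times (seconds) are assumed to come from OS keyboard events; pre_ms
    assumes the sender buffers a few milliseconds so masking can start early.
    """
    out = list(audio)
    for t in key_times:
        lo = max(0, int((t - pre_ms / 1000.0) * rate))
        hi = min(len(out), int((t + post_ms / 1000.0) * rate))
        for i in range(lo, hi):
            out[i] = max(-1.0, min(1.0, out[i] + rng.gauss(0.0, noise_rms)))
    return out

def click_similarity(audio, rate, t):
    """Normalised correlation between the audio at time t and the click template."""
    tmpl = click_template(rate)
    start = int(t * rate)
    seg = audio[start:start + len(tmpl)]
    dot = sum(a * b for a, b in zip(seg, tmpl))
    norm = math.sqrt(sum(a * a for a in seg) * sum(b * b for b in tmpl))
    return dot / norm if norm else 0.0

RATE = 16000
KEY_TIMES = [0.20, 0.45, 0.80]   # constructed keystroke timestamps (seconds)
rng = random.Random(1)
clean = synth_mic_audio(RATE, 1.0, KEY_TIMES, rng)
masked = mask_keystrokes(clean, RATE, KEY_TIMES, rng)
for t in KEY_TIMES:
    print(f"t={t:.2f}s clean={click_similarity(clean, RATE, t):.2f} "
          f"masked={click_similarity(masked, RATE, t):.2f}")
```

Masking of this kind degrades the per-key sound, but each noise burst still marks when a key was pressed, so keystroke count and timing remain visible to the other end of the call.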

Jimbo Bloggins • October 30, 2016 4:25 AM

Passwords are probably of most interest as they are entered at predictable and distinct times. Knowing the length and pattern of keystrokes narrows down any brute force attack considerably. The sound wave collection of password entry could be further improved by adding a smart material to keyboards.

Plus the cops also have insight into poor passwords as they are quite used to cheap antiquated databases and faxing off hand written reports to the data entry department. Likely someone with a background in law enforcement has landed in intelligence and pointed out that crappy systems, bad security practices and poor typing skills are widespread.

SJ • October 31, 2016 1:14 PM

@Anon,
Does anyone still use Skype? LOL

Some corporations that I am aware of use Skype-for-Business.

Whatever its differences from other versions of Skype, it likely still exposes the keystrokes-over-audio-channel data.
