What's that noise? The sound of attackers logging your keystrokes via Skype

Acoustic emanations, why won’t you stop threatening our passwords?

Skype

Attackers could theoretically leverage Skype to steal a user's passwords by collecting and analyzing the sound of their keystrokes.

The method of attack developed by researchers at the Sapienza University of Rome, University of Padua, and UC Irvine isn't like most sound-based keylogging efforts, which generally require that the attacker makes use of other connected devices, maintains close proximity to the target computer, or first infects it with malware.

Instead this attack relies on an actor remotely eavesdropping on the acoustic emanations of a user's keystrokes and analyzing them in order to reconstruct the target's input.

Sounds complicated, but as the researchers note in their paper - entitled "Don't Skype & Type (S&T)! Acoustic Eavesdropping in Voice-Over-IP" - it's easy enough to do during a Voice over Internet Protocol (VoIP) call like Skype.

"S&T attack transpires as follows: during a VoIP call between the victim and the attacker, the former types something on target-device, e.g., a password, that we refer to as targettext. Typing target-text causes acoustic emanations from targetdevice’s keyboard, which are then picked up by the targetdevice’s microphone and transmitted to the attacker by VoIP. The goal of the attacker is to learn the target-text by taking advantage of these emanations."

Screen shot 2016 10 20 at 9.01.48 am

For the attack to work, both the attacker and victim need to have an uncompromised device connected to each other via a Skype call.

Now this could go one of several ways. The attacker could have a complete profile of their victim, that is, recordings of keystrokes the user has typed in as well as the plaintext script of that input. In that scenario, it would be relatively easy for an attacker to extract the acoustic emanations, segment the data, identify the wave forms, and classify the keys according to that data.

Screen shot 2016 10 20 at 9.13.12 am

Indeed, with a complete profile, researchers found attackers could accurately guess a key with a 91.7 percent rate of accuracy.

But not all attacks are that easy. Sometimes the attacker might not have any information about the user and might need to collect acoustic emanations from them with the help of an accomplice. Other times, they might need to rely on a database of other users typing on the same target device.

In that latter case specifically, the accuracy rate drops down to 41.87 percent. Not bad for a complete lack of data about the user.

7944886444 2603104c46 b

It's important to note there a few limitations that raise questions about this attack method's real-world applicability. These are as follows:

  1. An attacker and victim must connect to a call via Skype. (Let's hope users are only connecting with people whom they trust on VoIP sessions.)
  2. An actor must identify what type of device the target is using because each key produces a different sound on a different laptop.
  3. If the attacker doesn't have information about their target, they must rely on a database of other users typing on the same type of device, a resource which might be difficult to procure.
  4. The attack assumes the user doesn't speak loudly so as to interfere with the keystroke's acoustic emanations.

But where there's a will, there's a way. That's why users should never type out sensitive information like passwords when they're on a Skype call.

Simple and easy prevention at its best!

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

5 Responses

  1. simon

    October 21, 2016 at 10:08 am #

    finally, a security benefit of using an iPad :)

  2. Ian

    October 21, 2016 at 1:48 pm #

    or use a password manager with Autotype, such as Keepass.

  3. graphicequaliser

    October 21, 2016 at 2:09 pm #

    My advice – always Skype at loud parties or live gigs!

  4. Simon

    October 21, 2016 at 9:18 pm #

    You can also enabled 2SV on your Microsoft account,

    https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-skype/

    or perhaps use Signal.

  5. Complyant

    February 26, 2017 at 10:59 pm #

    What's worse is that it seems there's definitely an ongoing security breach at Skype. Users have been complaining for years of Baidu spam. Skype /Microsoft always respond that they should change their password/ blaming a Linked In breach /then most recently weak passwords on the old Skype account for linked accounts (why the hell weren't these disabled???). However, the messages are appearing when accounts are NOT logged in (according to the MSN history https://account.live.com/Activity). This thread on the Skype Community forum hints at other sources such as man-in-the-middle attacks, human support centre process issues and stealing of credentials, with even security professionals (20 char long passwords, changed regularly) being hit:

    https://community.skype.com/t5/Security-Privacy-Trust-and/It-is-OFFICIAL-skype-has-a-security-bug/td-p/4508198/page/3

Leave a Reply