September 27, 2016
Research proposes background noise to prevent side channel attacks on computer keyboards
Between email, social media accounts, utilities, and banking and credit card accounts, the average person has 27 discrete online logins used to log into personal and professional computers, and security experts spend countless hours researching and recreating every potential strategy attackers could use to gain access to personal information.
Researchers at the University of Alabama at Birmingham have developed a solution to combat acoustic side channel attacks on computer keyboards by using active sounds.
Acoustic side channel attacks record the sounds that come from computer keyboards by using covertly placed microphones. Each key pressed emits a unique sound that makes it possible for an attacker to identify what is being typed by using frequency features.
In a paper presented at the 2016 Financial Cryptography and Data Security conference, led by the International Financial Cryptography Association, Associate Professor Nitesh Saxena, Ph.D., and doctoral student S Abhishek Anand propose using various background sounds to mask audio leakage from keyboards as a practical defense to prevent acoustic side channel attacks.
"While an acoustic side channel attack may not fully recover the keystroke information, various statistical methods make it possible to reconstruct the information typed by a user," Saxena said. "Given the prevalence of low-cost microphones and the potential for invisible audio monitoring, keyboard acoustic attacks present a valid threat to user security and privacy. While research toward creating this type of attack is still ongoing, work to build a defense against such an attack has been lacking."
The accuracy of this type of side channel attack is generally high. While recreating an acoustic side channel attack, Anand and Saxena found the average accuracy rate of detecting correct characters in a random six-character password was 66 percent.
Previous solutions proposed by researchers include sound-free keyboards, homophonic mechanical keyboards that produce similar clicks for each key pressed, and soundproof rooms to protect highly sensitive information.
However, the authors argue that these solutions are not feasible due to the cost of producing such keyboards and how they will hold up over time, as well as the existence of high-power microphones that can overcome soundproofing. Anand and Saxena's solution consists of a software-based mechanism that can be incorporated into a user's personal computer and emits a masking signal at the same time a user types in their password. The mechanism can be turned on and off automatically or by the user.
To test its effectiveness, Anand and Saxena developed three authentication systems that required users to input passwords. Participants were recruited to input passwords of their own choosing to gain access to the system. White noise, fake keystrokes and a combination of the two were played in the background while each user entered their six-character passwords.
"We found that fake keystrokes performed better at masking acoustic leakage than white noise; however, white noise provided the least distraction for users while they entered their passwords," Saxena said. "The combination of noises proved to be the most effective and the least distractive for the users."
While the current built-in mechanism is designed to emit sound when the first key is pressed for password entry, it can also be connected to the URLs of websites that require a login. This solution could also be deployed via smartphones by downloading an application that emits noise and placing the device next to your keyboard while entering a password.
More information: A Sound for a Sound: Mitigating Acoustic Side Channel Attacks on Password Keystrokes with Active Sounds: fc16.ifca.ai/preproceedings/21_Anand.pdf