Acoustic Eavesdropping on Keystrokes in Voice-Over-IP Calls

Using audio recordings to later determine what someone was typing has been previously demonstrated, but a group of security researchers recently published a paper analyzing the feasibility of doing so over a voice-over-IP call, such as a Skype call.

According to the abstract,

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard). Finally, we provide evidence that Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.

I participate in quite a few conference calls and do two things to avoid issues like this: a) always mute the microphone except when I am actually talking, and b) limit typing as much as possible when my microphone is live (along with the potential security issues, it is annoying to hear people typing while on a call).

A bigger concern is still people recording and then decoding what someone is typing during a physical meeting. One of the advantages of many physical meetings is there are often multiple people typing on laptop keyboards. Switching to a low noise keyboard, like the sort of keyboards used with the iPad Pro or the Surface Pro, are also a way of minimizing how much data can be captured.

(Of course, I’m typing this on a Unicomp mechanical keyboard which I assume would be trivial to eavesdrop on from down the street).

Leave a Reply