Acoustic Eavesdropping on Keystrokes in Voice-Over-IP Calls

Using audio recordings to later determine what someone was typing has been previously demonstrated, but a group of security researchers recently published a paper analyzing the feasibility of doing so over a voice-over-IP call, such as a Skype call.

According to the abstract,

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard). Finally, we provide evidence that Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.

I participate in quite a few conference calls and do two things to avoid issues like this: a) always mute the microphone except when I am actually talking, and b) limit typing as much as possible when my microphone is live (along with the potential security issues, it is annoying to hear people typing while on a call).

A bigger concern is still people recording and then decoding what someone is typing during a physical meeting. One of the advantages of many physical meetings is there are often multiple people typing on laptop keyboards. Switching to a low noise keyboard, like the sort of keyboards used with the iPad Pro or the Surface Pro, are also a way of minimizing how much data can be captured.

(Of course, I’m typing this on a Unicomp mechanical keyboard which I assume would be trivial to eavesdrop on from down the street).

Unicomp Space Saver Keyboard

Back when I was a kid, we didn’t have these crappy mushy USB keyboards. We had keyboards that took up most of the desktop, weighed 15 pounds and sounded like a dot matrix printer going full bore when you were typing on it. And we liked it!

Seriously, I type about 150 WPM and detest most keyboards made over the past 10 years. I finally got fed up with this a few weeks ago and decided to go find an old school clicky keyboard. After a bit of research on the Internet, I hit up the Unicomp site.

Unicomp makes keyboards based on technology from Lexmark International which manufactured all of those wonderful keyboards for IBM back in the day. And their keyboards are every bit the awesomeness that I remember from hacking away at an IBM PC during a summer job at the Department of Defense in 1984.

I bought the space saver keyboard below for $69. The “space saver” designation is a bit of a misnomer as this keyboard is larger than most of the recent keyboards I used. Its just not as ginormous as the full-sized IBM-style keyboards which are fraking huge.

It definitely has that clicky-ness to it that some people apparently find annoying, but it is not so loud as to disturb anyone unless you have extremely oversensitive coworkers or roommates. Otherwise, the bottom line is this is simply how a keyboard should be.