Practical Acoustic Eavesdropping On Typed Passphrases

Darren Fürst, Andreas Aßmuth

TL;DR

This work investigates the feasibility of acoustic side-channel eavesdropping on keyboard typing to recover passphrases used for cloud authentication through unsupervised learning, avoiding labeled training data. By comparing cross-correlation preprocessing with MFCC and FFT features, it demonstrates that cross-correlation on raw audio yields strong keystroke clustering, enabling partial passphrase recovery and dictionary-based demodulation. The authors extend a prior dictionary-demodulation approach to acoustic data, generating 30 natural-language passphrases from a Diceware-style wordlist and showing that multiple clustering runs markedly improve full recoveries, which can then seed targeted brute-force searches. This non-intrusive attack vector poses meaningful security risks for passphrase-based access and motivates stronger multi-factor authentication and more randomised, complex passphrases, along with further refinements in preprocessing and probabilistic clustering techniques.

Abstract

Cloud services have become an essential infrastructure for enterprises and individuals. Access to these cloud services is typically governed by Identity and Access Management systems, where user authentication often relies on passwords. While best practices dictate the implementation of multi-factor authentication, it's a reality that many such users remain solely protected by passwords. This reliance on passwords creates a significant vulnerability, as these credentials can be compromised through various means, including side-channel attacks. This paper exploits keyboard acoustic emanations to infer typed natural language passphrases via unsupervised learning, necessitating no previous training data. Whilst this work focuses on short passphrases, it is also applicable to longer messages, such as confidential emails, where the margin for error is much greater than with passphrases, making the attack even more effective in such a setting. Unlike traditional attacks that require physical access to the target device, acoustic side-channel attacks can be executed within the vicinity, without the user's knowledge, offering a worthwhile avenue for malicious actors. Our findings replicate and extend previous work, confirming that cross-correlation audio preprocessing outperforms methods like mel-frequency cepstral coefficients and fast Fourier transforms in keystroke clustering. Moreover, we show that partial passphrase recovery through clustering and a dictionary attack can enable faster-than-brute-force attacks, further emphasizing the risks posed by this attack vector.

Paper Structure

This paper contains 19 sections, 1 equation, 9 figures, 5 tables.

Figures (9)

  • Figure 1: Example of a login screen, where the target types their passphrase to log in
  • Figure 2: Example of two words, with the same inter-element relationship matrix, although their letters differ. The coloring is added to enable quick comparison of the symmetrical matrix.
  • Figure 3: Recovery results using ten clusters.
  • Figure 4: Recoveries brute-forcing combinations of partial recoveries from ten clusters.
  • Figure 5: Number of combinations of demodulated words from ten cluster results. The table shows the exponents to the base of 2.
  • ...and 4 more figures
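
The inter-element relationship matrix named in the Figure 2 caption records only which positions of a sequence hold the same symbol, which is why two words with different letters can share one. The sketch below is an added example, not code from the paper: the wordlist, the cluster labels and the function names are constructed for illustration, and it assumes error-free clustering. It shows how much ambiguity the matrix leaves within a wordlist, which is the property a defender would check when choosing passphrase words.

```python
from collections import defaultdict

# Constructed sample wordlist (not the paper's Diceware-style list).
WORDLIST = ["hello", "jelly", "apple", "world", "sassy",
            "daddy", "mommy", "cloud", "poppy"]


def relationship_matrix(seq):
    """Symmetric matrix M where M[i][j] is True when seq[i] == seq[j]."""
    return [[a == b for b in seq] for a in seq]


def candidates(cluster_labels, wordlist):
    """Words whose matrix equals that of the cluster-label sequence.

    cluster_labels holds one arbitrary cluster id per keystroke; only
    equality between positions matters, not the id values themselves.
    """
    target = relationship_matrix(cluster_labels)
    return [w for w in wordlist
            if len(w) == len(cluster_labels)
            and relationship_matrix(w) == target]


def ambiguity(wordlist):
    """Group words by matrix. A group of size 1 is a word that its
    repetition structure alone identifies within this wordlist."""
    groups = defaultdict(list)
    for word in wordlist:
        key = tuple(map(tuple, relationship_matrix(word)))
        groups[key].append(word)
    return list(groups.values())


if __name__ == "__main__":
    # Constructed labels for a five-key word whose 3rd and 4th keys match.
    print(candidates([3, 7, 1, 1, 5], WORDLIST))
    for group in ambiguity(WORDLIST):
        print(len(group), group)
```

Words with no repeated letters fall into the largest groups in a real wordlist, while words with distinctive repetition patterns fall into small ones.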