Side channel attacks are commonly associated with the observation of physical parameters of electronic systems to obtain useful information to breach system security. Typical parameters that can yield interesting results include timing information, power consumption, and electromagnetic leaks.
Sound emitted by computers and machines can also serve as a useful source of information: intelligence services know this well, as they were able to reconstruct printed text from the acoustic recordings of foreign government teletypewriters 50 years ago [1].
Halevi and Saxena discuss a different kind of eavesdropping, the exploitation of acoustic side channels in computer keyboards, to reconstruct what a human is typing. The feasibility and exploitation of this type of technique have clear security relevance when the text that is being typed is the access password to a computer system.
The study focuses on the eavesdropping of random passwords using raw recorded audio files and the application of a mix of techniques such as signal processing, a novel time-frequency decoding technique, as well as the analysis of the typing style, which was largely ignored by earlier publications.
The threat model is carefully described, detailing assumptions and prerequisites, as is the technical setup, together with various detection techniques. Performance considerations are drawn as a function of different typing styles and of the type of target keyboard, where the acoustic behavior of a standard keyboard is different from a laptop keyboard. Results indicate that success rates of to 64 percent per typed character can be achieved, making acoustic side channel attacks a step closer to a full-fledged vulnerability.
This is an interesting read for security professionals who want to broaden their perspective of unconventional threat scenarios, as well as for researchers and experimenters who will appreciate the theoretical and practical aspects of the challenge.
Security practitioners will be specifically reminded of the fact that the devil is in the detail. There is no point in designing an excellent cryptographic algorithm or secure computer system if the secret that is used to protect access to the information can be acquired with relative ease by attackers just listening to apparently innocuous information.