We’ve all been there; working diligently in the office, engaged in a Voice Over Internet Protocol (VoIP) call such as Skype, but still powering through our computer tasks at the same time. It’s this kind of multitasking that keeps us productive and efficient. However, according to recent research, this kind of activity may have unintended consequences on our privacy and digital security.
Researchers Alberto Compagno of the University of Rome, Mauro Conti and Daniele Lain of the University of Padua, and Gene Tsudik from the University of California Irvine have published a study titled “Don’t Skype & Type! Acoustic Eavesdropping in Voice-Over-IP.” In their paper, they introduce Skype & Type (S&T), a novel and disturbingly effective keyboard acoustic eavesdropping attack specific to VoIP systems. The researchers found that through this method, an attacker could guess correctly a random key pressed by the victim with a top-5 accuracy of 91.7%. The accuracy reduces but remains a considerable 41.89% even when the attacker doesn’t know the victim’s typing style or keyboard. Furthermore, this method holds robust under different VoIP issues, including internet bandwidth fluctuations and the masking effect of voices over keystrokes.
In an interview with Threatpost, Tsudik noted that the potentially widespread application of this attack sets it apart from previous skirmishes which required the adversary to have physical proximity to the target, detailed knowledge of their typing style and keyboard, and access to the typing sounds and their corresponding information.
Why is this new style of attack so effective? The answer lies in the unique sounds our keyboards make. The sounds emitted when typing, much like the distinct sounds from a piano’s keys, can be analysed by hackers to eavesdrop on our conversations. The most widely-used VoIP protocol, Session Initiation Protocol (SIP), transmits data, including these sounds, via the internet. This introduces a greater susceptibility to packet sniffing, a longstanding challenge in VoIP networks, and significantly raises the chance that keyboard sounds could be used to violate privacy.
The study indicates that hackers do face some limitations. For instance, a seasoned typist at the keyboard or multiple parties typing simultaneously on a call could confuse the eavesdropper. However, given how quickly threats evolve and the sheer number of computer or smartphone users that are only moderate typists, this hurdle for intruders is likely temporary.
All these factors point to a sobering possibility. The simple act of sending sensitive information, such as banking details, over a VoIP session could lead to our information being potentially hijacked and misused.
The researchers focused mainly on Skype during their study, but have started probing other platforms like Google Hangouts, under the premise that its susceptibility to S&T attacks may be similar to that of Skype. I believe evaluating the security of the popular messaging app WhatsApp, which also uses VoIP technology, would be insightful. WhatsApp had rolled out end-to-end encryption technology this year, securing all communication from source to destination. Following this, only one Israeli company claims to have broken WhatsApp’s security, a statement that has drawn skepticism from cybersecurity experts.
Establishing whether a hacker could in fact infiltrate WhatsApp’s reputedly impenetrable encryption would undoubtedly further our understanding of VoIP vulnerabilities.
A crucial discovery in this research was the attack’s dependency on bandwidth. In instances of low Internet bandwidth, VoIP software reduces the audible bandwidth, which surprisingly makes it easier for hackers to decipher keyboard background sounds. This holds implications on how we perceive cybersecurity threats, highlighting the fact that our infrastructure may unintentionally assist potential attackers.
In conclusion, I want to emphasize that the simplest way to reduce your risk of falling victim to this type of attack is to refrain from typing sensitive information during Skype or other VoIP calls. As the research points out, countermeasures against this threat are tough to develop, reinforcing the need for increased user awareness and caution.
This article was updated in 2025 to reflect modern realities.
.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
