We all do this most of the time, especially while in the office. Don’t you take that Voice over Internet Protocol (VoIP) call, no matter how annoying it may be, while still not wanting to stop working? That’s why I said we have all done this at some point. While this kind of multitasking may be good for productivity, it’s actually bad for privacy and security.
In a research paper titled “Don’t Skype & Type! Acoustic Eavesdropping in Voice-Over-IP,” Alberto Compagno of the University of Rome, Mauro Conti and Daniele Lain of the University of Padua, and Gene Tsudik of the University of California Irvine looked at a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). They found that the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to a still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard.) Finally, the authors provide evidence that the Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and the presence of voice over keystrokes), thus confirming the feasibility of this attack.
Speaking to security website Threatpost, Tsudik said that previous similar attacks require an adversary to be physically close to the target, precisely profile their typing style and physical keyboard model, and have access to typed information and corresponding sounds. All of this adds up to a generally impractical attack, unlike the one described in the paper.
The key thing here, though, is that most of our keyboards produce sounds, and these sounds are distinct, like hitting the keys of a piano, for example. These sounds from the different keys on the keyboard are then used by hackers to get on a victim’s device and easily steal information in an active session. The most popular protocol used in a VoIP session is SIP, which stands for Session Initiation Protocol, and this is all transmitted over the internet. Packet sniffing has always been a challenge in VoIP networks, but the revelation that even your keyboard sounds could be used to eavesdrop on your conversations is a new one in a list of SIP vulnerabilities.
According to the publication, there is a limit to how far hackers can go. The attack is harder, for example, if a skilled typist is at the keyboard or if multiple parties on a call are typing at the same time. While this may be a challenge to a hacker at the moment, it’s only a matter of time before this threat evolves to accommodate skilled typing and, by the way, the percentage of computer or smartphone users who are able to type fast is not that high.
So the possibility here is that each time we send sensitive information like bank details over a VoIP session like Skype or any other service for that matter, we risk this information being stolen.
While Skype was the main software used in this research, the researchers acknowledged that they have started looking into Google Hangouts as well (even though they already believe it will turn out just like the Skype test), but I think it’ll be interesting to test using WhatsApp too. As you might recall, the messaging app introduced voice calls using VoIP technology and, earlier this year, introduced end-to-end encryption to protect all communication from origin to destination. Since then, only one Israeli firm has claimed to be able to break WhatsApp’s security, even though security experts have their doubts about this.
So it would be interesting to know just how a hacker may be able to break the WhatsApp encryption.
One other interesting thing I thought stood out in the research was how this threat was bandwidth dependent. They were able to show how the attack is robust to bandwidth reduction, which means that when the audible bandwidth reduction performed by VoIP software in the presence of low Internet bandwidth is factored in, it becomes easier to sniff the keyboard background sounds.
In conclusion, though, the best way to prevent this is not to type sensitive stuff over a Skype conversation because, as the research points out, this threat is hard to counter.