Identification of pressed keys by time difference of arrivals of mechanical vibrations

We identify the pressed keys of commercial PIN-pads by monitoring the arrival times of mechanical vibrations. We correctly classify the pressed key with 96.4% accuracy. The certification processes do not address this new side-channel attack. We explain the design flaws responsible for this vulnerability.

The possibility of finding the sequence of pressed keys on a mechanical keyboard is a serious security threat. In our previous work, we showed that it is possible to identify, with high probability, the pressed key by analyzing the vibration generated by the keystrokes. At that time, we did not know the physical phenomenon responsible for leaking information as mechanical vibration. In this paper, we show that the TDOA (Time Difference of Arrivals) of the mechanical waves is the main culprit for leaking information. To demonstrate this hypothesis, we glued three accelerometers to a PIN-pad, collected the vibrations generated by the keystrokes, and computed the relative delays of vibration arrival times between pairs of accelerometers. We show that it is possible to estimate the positions of the keys through a simple difference of the delays. A simple classification scheme using the delays yielded a 96.4% recognition success rate. The same technique can be used to attack devices with touch-sensitive screens, identifying the region touched.
