BrokenStrokes: on the (in)security of wireless keyboards

Wireless devices resorting to event-triggered communications have been proven to suffer from critical privacy issues, due to the intrinsic leakage associated with radio-frequency (RF) emissions. In this paper, we move the attack frontier forward by proposing BrokenStrokes: an inexpensive, easy to implement, efficient, and effective attack able to detect the typing of a pre-defined keyword by only eavesdropping the communication channel used by the wireless keyboard. BrokenStrokes proves itself to be a particularly dreadful attack: it achieves its goal when the eavesdropping antenna is up to 15 meters from the target keyboard, regardless of the encryption scheme, the communication protocol, the presence of radio noise, and the presence of physical obstacles. While we detail the attack in three current scenarios and discuss its striking performance (its success probability exceeds 90% in normal operating conditions), we also provide some suggestions on how to mitigate it. The data utilized in this paper have been released as open-source to allow practitioners, industries, and academia to verify our claims and use them as a basis for further developments.
