Snooping Keystrokes with mm-level Audio Ranging on a Single Phone

This paper explores the limits of audio ranging on mobile devices in the context of a keystroke snooping scenario. Acoustic keystroke snooping is challenging because it requires distinguishing and labeling sounds generated by tens of keys in very close proximity. Existing work on acoustic keystroke recognition relies on training with labeled data, linguistic context, or multiple phones placed around a keyboard --- requirements that limit usefulness in an adversarial context. In this work, we show that mobile audio hardware advances can be exploited to discriminate mm-level position differences and that this makes it feasible to locate the origin of keystrokes from only a single phone behind the keyboard. The technique clusters keystrokes using time-difference of arrival measurements as well as acoustic features to identify multiple strokes of the same key. It then computes the origin of these sounds precise enough to identify and label each key. By locating keystrokes this technique avoids the need for labeled training data or linguistic context. Experiments with three types of keyboards and off-the-shelf smartphones demonstrate scenarios where our system can recover $94\%$ of keystrokes, which to our knowledge, is the first single-device technique that enables acoustic snooping of passwords.

[1]  Peter A. Dinda,et al.  Indoor localization without infrastructure using the acoustic background spectrum , 2011, MobiSys '11.

[2]  Zheng Yang,et al.  High-Accuracy TDOA-Based Localization without Time Synchronization , 2013, IEEE Transactions on Parallel and Distributed Systems.

[3]  Rakesh Agrawal,et al.  Keyboard acoustic emanations , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[4]  Y. Obuchi,et al.  Mixture weight optimization for dual-microphone MFCC combination , 2005, IEEE Workshop on Automatic Speech Recognition and Understanding, 2005..

[5]  Bayya Yegnanarayana,et al.  Combining evidence from residual phase and MFCC features for speaker recognition , 2006, IEEE Signal Processing Letters.

[6]  Xinyu Zhang,et al.  Ubiquitous keyboard for small mobile devices: harnessing multipath fading for fine-grained keystroke localization , 2014, MobiSys.

[7]  D. Sheskin The Pearson Product-Moment Correlation Coefficient , 2003 .

[8]  Romit Roy Choudhury,et al.  Did you see Bob?: human localization using mobile phones , 2010, MobiCom.

[9]  Tamer Nadeem,et al.  RF-Beep: A light ranging scheme for smart devices , 2013, 2013 IEEE International Conference on Pervasive Computing and Communications (PerCom).

[10]  Patrick Traynor,et al.  (sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers , 2011, CCS '11.

[11]  Yi Guo,et al.  Robot-assisted human indoor localization using the Kinect sensor and smartphones , 2014, 2014 IEEE/RSJ International Conference on Intelligent Robots and Systems.

[12]  David J. C. MacKay,et al.  Information Theory, Inference, and Learning Algorithms , 2004, IEEE Transactions on Information Theory.

[13]  Andrew Wilson,et al.  Phone as a pixel: enabling ad-hoc, large-scale displays using mobile devices , 2012, CHI.

[14]  Jie Yang,et al.  Push the limit of WiFi based localization for smartphones , 2012, Mobicom '12.

[15]  Arie Yeredor,et al.  Dictionary attacks using keyboard acoustic emanations , 2006, CCS '06.

[16]  Haizhou Li,et al.  An overview of text-independent speaker recognition: From features to supervectors , 2010, Speech Commun..

[17]  Zhi Xu,et al.  TapLogger: inferring user inputs on smartphone touchscreens using on-board motion sensors , 2012, WISEC '12.

[18]  Romit Roy Choudhury,et al.  Tapprints: your finger taps have fingerprints , 2012, MobiSys '12.

[19]  Richard P. Martin,et al.  Detecting driver phone use leveraging car speakers , 2011, MobiCom.

[20]  Guobin Shen,et al.  BeepBeep: a high accuracy acoustic ranging system using COTS mobile devices , 2007, SenSys '07.

[21]  Yunhao Liu,et al.  Context-free Attacks Using Keyboard Acoustic Emanations , 2014, CCS.

[22]  David Chu,et al.  SwordFight: enabling a new class of phone-to-phone action games on commodity phones , 2012, MobiSys '12.

[23]  Yunhao Liu,et al.  Shake and walk: Acoustic direction finding and fine-grained indoor localization using smartphones , 2014, IEEE INFOCOM 2014 - IEEE Conference on Computer Communications.

[24]  Feng Zhou,et al.  Keyboard acoustic emanations revisited , 2005, CCS '05.

[25]  David Chu,et al.  On the feasibility of real-time phone-to-phone 3D localization , 2011, SenSys.

[26]  Jun Han,et al.  ACCessory: password inference using accelerometers on smartphones , 2012, HotMobile '12.

[27]  Xiaolin Li,et al.  Guoguo: enabling fine-grained indoor localization via smartphone , 2013, MobiSys '13.