Passwords in the Air – Gautam Hazari

Imagine, you are sitting in a café, sipping the skilfully crafted coffee by the barista, with the laptop placed on the table in front.

You open the screen and look around to see if no one is around “shoulder surfing”, and then you open your email, type in the user ID and the password on the keyboard and access your email.

You didn’t notice that a few tables behind, there is someone looking at their phone as the phone is kept on the table, and why would you care?

A few minutes later, you close your screen and focus back on the coffee, don’t want it to get cold. Something happened while between sips; someone is accessing your email, or someone is initiating a password reset for your banking account, or social media account.

An account takeover is in action.

How did this happen?  No, this was not someone accessing the laptop or sniffing into the Wi-Fi connection.

Remember that person a few tables behind looking at their phone? The microphone in that person’s phone was “listening” to the keystrokes of your keyboard, and passing those to a trained deep-learning model which then revealed the password you typed.

This is SCA, no not Strong Customer Authentication – actually an anti-thesis of that – this is a Side Channel Attack, an acoustic side-channel attack, as published by researchers from Durham University, University of Surrey and Royal Holloway University of London in a paper titled: “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards”, on the August 3rd, 2023.

A Side Channel Attack is when signals from a device, of any form are collected and interpreted to extract secrets.

The signals can be electromagnetic waves, power consumption to sound waves.

The interesting thing about side-channel attacks is that it does not need connectivity or any direct access to the device. The acoustic SCA uses the sound waves from the device, in the above case – the sound of the keyboard strokes.

The researchers from the universities in London, recorded the sound of 36 keys of a laptop (0-9, A-Z), with each key pressed 25 times, with varying pressure and using different fingers. This is then used to extract and isolate the individual keystrokes (using the fast Fourier transform).

Source: arxiv.org

After some additional procedures of feature extraction and data augmentation, this is then used to train a deep-learning model – CoAtNet. CoAtNet has been proven to be excellent in performance for the image classification for the ImageNet dataset.

The result is a 95% accuracy in identifying the keys pressed and through that – extracting passwords.

It doesn’t just stop there, the person doesn’t need to be sitting in that café a few tables behind, the same attack can be carried out remotely by listening through Zoom calls with 93% accuracy.

Listening to the passwords can even be performed through our own mobile phone through an infested application with access to the microphone.

It goes even further, with the IoTh – the “Internet of Thoughts”, the signals used in the side channel attacks can even include the “brain signals”. So, even just thinking of the password could allow the attackers to steal it. That’s in another write-up in the future.

How do we protect ourselves? How do we solve this? The only way to solve this is to stop using passwords! And yes, there are solutions available to do this.

We do not need to use passwords when making a mobile phone call or while receiving a call.

This is done using the cryptography in the SIM and has been there for the last three decades. This is what the Sekura.id SAFr Auth product utilises, balancing convenience and security and making the world SAFr and passwordless.

We at Sekura.id are passionately building a SAFr world, join us in making the world password-free.

Sekura.id works with the industry’s leading Identity vendors. Be part of our exclusive partner network and add best-in-class mobile identity services to your portfolio.

Already on six continents, we’re on a mission to provide truly global mobile identity coverage, Unlock your mobile network’s potential by working with Sekura.id.