Security Alerts & News
by Tymoteusz A. Góral

History
#1645 Don’t Skype and Type! Acoustic eavesdropping in VOIP (PDF)
Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, spectral and temporal properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) adversary’s physical proximity to the victim, (ii) precise profiling of the victim’s typing style and keyboard, and/or (iii) significant amount of victim’s typed information (and its corresponding sounds) available to the adversary.

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard). Finally, we provide evidence that Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.
Read more
#1645 Don’t Skype and Type! Acoustic eavesdropping in VOIP (PDF)
#1644 The Dyn report: What we know so far about the world's biggest DDoS attack
#1643 Remote code execution vulnerabilities plague LibTIFF library
#1642 Lawmakers asking what ISPs can do about DDoS attacks
#1641 Paypal fixes 'worrying' security bug
#1640 Windows Atom tables can be abused for code injection attacks
#1639 Microsoft Office malware: Now more users get anti-hacker, macro-blocking features
#1638 Flash Player zero-day being exploited in targeted attacks
#1637 Joomla update fixes two critical issues, 2FA error
#1636 Dyn DDoS could have topped 1 Tbps
#1635 Cisco patches critical vulnerability in facility events response system
#1634 Could your 'smart' home be a weapon of web destruction?
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12