Zoom: Can Scammers Detect Your Keynotes?
While we're careful about entering our PINs discreetly at ATMs and diligently secure our passwords, how often do we consider the possibility that cybercriminals could decipher them just by observing our typing habits on our own laptop?
The advent of countless gadgets and online services undoubtedly brings comfort and productivity to our lives. But with benefits come drawbacks: the ubiquitous presence of microphones may now pose a considerable threat to our confidential data's safety. This vulnerability is highlighted by the rise in acoustic side-channel attacks where intruders discern information typed on keyboards.
Such exploitation was replicated in a study by researchers from Durham University, the University of Surrey, and Royal Holloway (University of London) - specifically, Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad. They employed a deep learning model to determine laptop keystrokes by listening in via a smartphone's built-in microphone during a Zoom call. Their revealing research titled "Practical Acoustic Side-Channel Attack Based on Deep Learning on Keyboards" has been published on the open-source platform for academic papers, arXiv.org.
Understanding Side-Channel Attacks
A side-channel attack (SCA) focuses on collecting and interpreting signals emitted by a device. It aims to detect vulnerabilities in an operating system using electromagnetic emissions, power draw, mobile sensors, or sounds.
Such attacks can target a wide array of devices, from the historical "Enigma" machine and common printers to modern Intel x86 processors. Yet, contemporary cybercriminals show an acute interest in the everyday keyboard and the sounds produced by its keys. While typing sensitive data, users may shield their screens from onlookers but often overlook the potential risks of their keyboards' auditory cues. And it's noteworthy to mention that technologies capable of discerning and interpreting these sounds have existed for quite a while.
Laptops are frequently used in public spaces like libraries, cafes, and co-working spots. They often have standardized keyboards within a given model range, making them particularly attractive to cybercriminals. Once a specific model is compromised, every owner of that laptop could be at risk.
The Experiment's Blueprint
The researchers selected the widely-used MacBook Pro (2021) with 16GB of memory powered by the Apple M1 Pro chip for their experiment. Notably, this model's keyboard design has remained consistent with its predecessors over the past two years, reducing the likelihood of significant changes in the near future.
The sound of keystrokes was captured in two distinct ways: via a smartphone and through a Zoom video conference.
- For the smartphone recording, an iPhone 13 mini was positioned 17 cm from the laptop's left edge. The phone was set on a microfiber cloth to mitigate any table vibrations and ensure that only the sounds of the keystrokes were recorded.
- When recording through Zoom, the MacBook's built-in microphone was employed, with the app's noise cancellation feature dialed down to its lowest setting.
Results were compelling. Using the smartphone yielded a 95% accuracy in keystroke detection, while Zoom recordings came close at 93%. Clearly, side-channel attacks present a significant threat.
So what's the best line of defense against cybercriminals potentially knowing your every keystroke with near-perfect accuracy? While a tin foil hat might not do the trick, adapting your typing style and enhancing your privacy settings could make a difference. Researchers suggest using biometric authentication methods, employing randomly generated passwords with varying letter cases, adopting touch typing methods, and sprinkling in decoy keystrokes.
