Value privacy? Don’t type and Skype.


The headline of this post may seem alarmist, but according to researchers at the University of California, Irvine and in Italy, privacy-conscious Skype users might have a reason to be concerned. On September 29, a team of computer scientists published their findings on a unique security breach involving VoIP and keystroke analysis.

In a new study titled “Don’t Skype & Type! Acoustic Eavesdropping in Voice-Over-IP,” Gene Tsudik et al. describe, in great detail, a security breach in which an attacker deciphers a Skype user’s keystroke pattern in order to accurately guess what’s being typed.

How does it work?

According to the data presented in the recent paper, Skype users may be vulnerable to a new type of surveillance. In order to paint a more vivid picture, imagine the following scenario:

You normally work at an office, but for some reason you’ve decided to spend the day working from home. That afternoon, your boss invites you to a conference call via Skype to discuss some boring accounts. While the conversation is taking place, you find yourself multitasking by doing some online banking, responding to emails, or whatever else you might be doing.

Tsudik’s paper suggests that if an attacker manages to listen in on your conversation, they can do a lot more than just eavesdrop. According to the study, it’s possible to deconstruct an audio recording of a Skype call by separating the audio of the conversation from keystroke sounds and other acoustic emanations.

Capturing acoustic signals from keyboards and typewriters for nefarious purposes isn’t anything new, but the methods laid out in this study take it to the next level. Tsudik explained that it’s possible to “build a profile of the acoustic emanation generated by each key on a given keyboard.”

The research also suggests that the more information you have – whether on the typing style of the subject, or the make and model of the keyboard that is being used – the more accurate the guess will be.

Tsudik et al. found that with advance knowledge of the typist’s habits and some information about the keyboard, there is a 92% chance of correctly guessing each keystroke. In instances where the peepers had absolutely no idea about either the keyboard or the typing style, there was still a 41.89% chance of accurately guessing a key pressed by the subject.

What does this mean?

Though the process is quite complicated, the bottom line is this: if someone with the right know-how had the audio clip of the Skype call you had with your boss while doing some online banking, chances are they’d be able to deconstruct the keystroke audio and figure out exactly what you were typing. In this case, attackers would have access to your bank login information, which could potentially be detrimental.

Granted, our example scenario might be a bit extreme; it’s quite unlikely that some third party is listening in on your Skype calls. That being said, Tsudik warns of a number of more likely exploits.

Today, millions of people use Skype – not only to communicate with their friends, but also to carry out negotiations, close business deals, and everything in between. For that reason, mutual trust isn’t always a given. Just imagine a call between two diplomats representing different countries, or two lawyers on opposite sides of a legal dispute. If one of the sides had access to the skills and tools described in the paper, an unfair advantage could be gained relatively quickly.

What can I do?

If for some reason you insist on typing out sensitive information during your Skype sessions, you can benefit from switching to a touch-screen keyboard. According to the team of researchers, touch devices, especially smaller ones, are not susceptible to these attacks. If you’re living in a world where you have a laser-projected (or holographic) keyboard on your desk, you need not worry – those are also immune.

 
