The sound of you typing on a keyboard may be more than just annoying to those in the same room – it could actually reveal what you are writing. And those listening might not even be in the same room.
In so-called Skype & Type (S&T) attacks, adversaries use machine learning techniques to identify the sound of a specific key being pressed and then reassemble text from the clicking sounds you make when typing during a voice over IP (VoIP) call. According to a recently published study, doing this turns out to be easier and more accurate than previously thought.
The precision of the technique is surprising – 91.7% accuracy if the attackers have some information about the typist’s style and model of keyboard; 41.9% if they have none. What is more, the study shows that such attacks can succeed regardless of things like ambient sound and connection problems that hamper your actual call.
How worried should you be about S&T attacks?
Passwords are one particular type of sensitive information such attacks could focus on. Usually a strong password is one that cannot be guessed – like a seemingly random sequence of characters and numbers. S&T attacks are a way around this because they leave the subject of the attack to type the password themselves.
Skype is reportedly used by some 74 million people, and is the preferred means for online communication for a third of small businesses in particular. And the thing about business communication is that it is not exactly benevolent – the two parties involved may not necessarily share mutual trust or have each other’s best interest in mind.
For example, imagine a call between two law firms representing the opposite sides in a legal case. It makes sense for one party to be after the other’s secrets.
How can you counter keyboard eavesdropping?
The researchers’ recommended countermeasure is simply not to type during calls – or at least not to type in sensitive information. And yes, self-restraint is the best way to avoid more than just this type of attack. But it doesn’t hurt to have some technology on your side either.
First, this type of attack is among the rare cases where using a mobile device is actually the more secure option. It’s laptop and desktop keyboards with actual keys that make the sounds that can later be deciphered into text. The touchscreens of smartphones and tablets don’t.
And then, you should use the right app. The study singles out Skype, which doesn’t employ end-to-end encryption. But it is not the only popular VoIP app guilty of that. What you can do is use a client that allows the two parties to establish an encrypted connection for their call and has a built-in man-in-the-middle (MITM) attack detector. The latter alerts you if someone is trying to intercept the call.