August 21, 2023 08:30 am | Updated 08:30 am IST

The story so far:

In August, a research paper titled “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards”, published and supported by the ethics committee of Durham University, U.K., revealed that Artificial Intelligence (AI) can be used to decode passwords by analysing the sound produced by keystrokes. The study highlighted the accuracy of Acoustic Side Channel Attacks (ASCA) when state-of-the-art deep learning models were used to classify laptop keystrokes, and discussed their mitigation. While ASCA is not new, the development of AI and deep learning has increased the risks posed by side channel attacks.

What are ASCA?

To understand Acoustic Side Channel Attacks, one should first understand Side Channel Attacks (SCAs). SCAs are a method of hacking a cryptographic algorithm based on the analysis of auxiliary systems used in the encryption method. They can be performed on target devices using a collection of signals emitted by those devices, including electromagnetic waves, power consumption, mobile sensors, and sound from keyboards and printers. Once collected, these signals are interpreted, and the results can then be used to compromise the security of a device.

In an ASCA, the sound of clicks generated by a keyboard is used to analyse keystrokes and interpret what is being typed, leaking sensitive information. These attacks are particularly dangerous because the sounds from a keyboard are readily available and because users underestimate their misuse. While most users hide their screens when typing sensitive information, they take no precautionary steps to hide the sound of their keystrokes. And though the sound of keyboard clicks has become less pronounced over time as devices have moved to non-mechanical keyboards, the technology with which the acoustics can be accessed and processed has also improved drastically.

Additionally, the use of laptops has increased the scope of ASCAs, as laptops of the same model have the same keyboard, making it easier for AI-enabled deep learning models to pick up and interpret the acoustics.

How accurate are Acoustic Side Channel Attacks?

The research, conducted by a group of scientists from Cornell University, Durham University, University of Surrey, and the Royal Holloway University of London, investigated the use of audio recordings taken from Zoom video conferencing calls, smartphone microphones, and off-the-shelf equipment and algorithms to launch ASCAs. The study found that when trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model.

When a deep learning model was trained on the data with default values, the model was able to acquire a meaningful interpretation of the data. On a MacBook Pro, which features a keyboard identical in switch design to Apple’s models from the last two years, the model was able to achieve state-of-the-art accuracy with minimal training data.

Additionally, when the AI model was made to recognise keystrokes using audio captured through a smartphone microphone, it was able to achieve 95% accuracy. However, accuracy dropped to 93% when Zoom calls were used.

Are such attacks new?

ASCAs are not new and have been around since 1950, when acoustic emanations of encryption devices were used to crack their security. Additionally, the United States National Security Agency (NSA) declassified documents listed acoustic emanations as a source of compromise in 1982. Over the past decades, researchers have published papers on the threats from ASCAs as modern technology brought more microphones into close proximity to keyboards, making it easier to collect and interpret acoustic data.

However, with the increasing use of AI and the accuracy with which deep learning models can recognise and analyse keystrokes, the threat from ASCA has resurfaced, especially since users may not take ample precautions while typing in sensitive information, including banking data and passwords, on their laptops in public spaces like coffee shops, airports, and cafes.

How can users protect against ASCAs?

While there is no explicit means of defence against ASCAs, simple changes to typing could reduce the chances of attacks. Using touch typing can also reduce the chances of successful keystroke recognition from 64% to 40%, making it more difficult for threat actors to leak sensitive information.

Additionally, changing typing style and creating stronger passwords that combine upper- and lower-case letters can make it more difficult for criminals to launch successful ASCAs; the study found that even deep learning models had a difficult time recognising the use of the shift key to change the case of letters when typing. Users should also avoid easily recognisable phrases, which can make it easier for AI models to predict the text.