Your Keyboard Might Be Betraying You: Acoustic Attacks & Passwordless Prevention

Despite remaining popular for decades, passwords have long been a critical weak spot in cybersecurity for many reasons. Password reuse is rampant. People opt for easy passwords so they don’t have to remember complicated strings of numbers, letters, and characters. And, even with the best password hygiene, your password can end up on a database on the dark web following a data breach.Whether or not you manage to avoid all of those pitfalls, there’s now a new issue with passwords – they’re vulnerable to sophisticated acoustic attacks.

Researchers from UK universities have trained a deep learning model to steal data from keyboard keystrokes using a microphone. And perhaps the scariest part? This model can capture keystrokes with 95% accuracy. This technology, in the wrong hands, has the potential to leak people’s passwords, private messages, or other sensitive information straight into the hands of cybercriminals.

Acoustic attacks pose a serious cybersecurity threat and are a stark reminder of why relying on the humble username and password is no longer enough to safeguard our systems. So, what’s the alternative? Enter certificate-based authentication – a promising solution to obsolete passwords and the burgeoning threat of acoustic attacks.

Acoustic Attacks – What You Need to Know

First, what exactly is an acoustic attack? Acoustic attacks are a type of side-channel attack that exploits the sounds emitted by computers or other devices. A side-channel attack is a technique that gains information from a system based on indirect clues, such as timing, power consumption, or even sound, rather than exploiting software vulnerabilities directly. In acoustic attacks, attackers analyze sounds to infer sensitive information, such as passwords, PINs, and other data.

Some examples of acoustic attacks include:

• Keystroke Analysis: Here, attackers use microphones to capture the distinct sounds of keystrokes. The rhythm and pattern can reveal passwords and other confidential inputs.
• Printer Surveillance: By recording the noises of a printer, attackers can interpret and reproduce the printed content.
• Circuit Eavesdropping: The hums and whirs of electronic circuits aren’t just noise. Skilled attackers can extract valuable data, like cryptographic keys, from these sounds.

Acoustic attacks have been around for many years, but they have become more sophisticated in recent years due to the advances in microphone technology and machine learning. In the past, acoustic attacks were often limited to specialized equipment and expertise. However, that’s all changing today – it won’t be long until anyone with a microphone and access to the right technology can execute an acoustic attack.

The Evolution of Acoustic Attacks

Although many see acoustic attacks as a new threat, they have been around longer than you might think. Or, at least, the proof of their viability has been around for almost two decades. For example, in 2004, Dmitri Asonov and Rakesh Agrawal of IBM Almaden Research Center published a paper on acoustic cryptanalysis, which showed that the sounds made by computer keyboards could be used to recover passwords. Other key developments followed in the years since.

And now the latest development – a deep learning model that can interpret keystroke sounds with 95% accuracy. Let’s get into it.

A New Acoustic Attack That’s 95% Accurate

A group of British researchers has unveiled a deep learning model with a startling capability: using a microphone, it can decipher what you’re typing on your keyboard with a stunning 95% accuracy.

For their study, the researchers tapped 36 different keys on a modern MacBook Pro – the kind used in every Apple laptop for the past two years. Each key was pressed 25 times, and its sound was distinctly captured. These recordings were transformed into waveforms and spectrograms, visual footprints that highlight the unique sound of each key.

Armed with these spectrogram images, the researchers trained ‘CoAtNet,’ an image classifier. Refining the model took some tinkering, adjusting factors like the learning rate and data splitting parameters. But once honed, the results were staggering.

The experiment involved an iPhone 13 mini positioned just 17cm away from the MacBook. The risk becomes all too apparent: in an era brimming with smart devices, our keystrokes, and thereby our data, could be under silent surveillance. As technology advances, safeguarding our digital interactions is more crucial than ever.

What Makes Acoustic Attacks Especially Worrying?

Historically, side-channel attacks have had limitations, often needing specific conditions to work. For example, let’s consider a different example of a side-channel attack: monitoring RAM power consumption.

Here, a hacker places a device near a computer’s RAM to measure its power consumption. By analyzing the fluctuations in power usage during encryption processes, the hacker can deduce the encryption keys being used, thus compromising the system’s security without directly tampering with the software or hardware.

However, while this attack can be successful with the proper setup, getting the proper setup isn’t always easy. This attack requires specific conditions for several reasons:

1. Proximity: The attacker needs to be physically close to the target computer to accurately measure power consumption, which can be challenging without arousing suspicion.
2. Equipment: Specialized equipment is necessary to monitor and analyze power fluctuations at the granular level needed to deduce encryption keys.
3. Noise: Other electronic devices or operations on the target computer can introduce ‘noise’ or random fluctuations, complicating the analysis.

And this is where acoustic attacks are much more dangerous. Acoustic attacks leverage sound, which is pervasive and can be captured from a distance using common devices like smartphones. With the ubiquity of microphones in modern devices and advancements in machine learning, deciphering sounds (like keystrokes) has become simpler. No specialized proximity or equipment is needed, making acoustic attacks more versatile and less dependent on strict conditions.

Do Sound-Dampening Keyboards Work To Combat Acoustic Attacks?

Not entirely. While sound-dampening keyboards may provide some level of protection, researchers in the study could still capture passwords even with such keyboards. Though these keyboards might make it more challenging for less sophisticated machine learning models to decipher keystrokes, they are not a foolproof solution against advanced acoustic attacks.

It’s Not Just Keyboards – Acoustic Side-Channel Attacks Work on Smartphones Too

Researchers have unveiled a new technique where smartphones can double up as sonar systems, effectively ‘listening’ to your finger’s movement on the screen and potentially revealing sensitive information.

This groundbreaking study from Lancaster and Linköping University showcased a unique way to capture the unlock patterns of Android phones, specifically the Samsung S4. Dubbed “SonarSnoop,” the system uses the phone’s speakers to emit acoustic signals while the microphones pick up reflections. Unlike traditional side-channel attacks, SonarSnoop actively generates acoustic signals rather than waiting for the victim.

The emitted signal is usually between 18-20kHz, rendering it inaudible to most human ears. This means users are utterly oblivious to this covert operation. When a finger glides over the screen, it alters the timing of the returning echoes, which the system then translates into movement patterns.

Once these signals are captured, they’re processed, accounting for the position of the phone’s microphones and filtering out any interference. The data, once processed, can then be interpreted to uncover the unlock pattern. In their tests involving 12 unlock patterns and ten volunteers, the researchers fed the data into a machine-learning model, which successfully identified strokes and patterns. While it may not always produce an exact pattern, the SonarSnoop narrowed down the possibilities significantly, in some cases even revealing the correct pattern.

However, the technique isn’t perfect. The study highlights some limitations, like its adaptability for different interaction speeds and phone models. Yet, the study’s success lays the foundation for future refinements and has far-reaching implications.

Imagine an app masquerading as a voice-control tool or sound effects provider equipped with the SonarSnoop framework. This app could track your movements and send this data back to a malicious actor. Admittedly, the potential for tracking passwords, messages, or other sensitive inputs is alarming to many.

Numerous Concerns Arise:

Will Acoustic Attacks Become a Common Attack Method?

As devices with microphones become ubiquitous and machine learning technologies advance, the potential for acoustic attacks grows. However, their popularity as an attack method will also depend on the countermeasures developed and how widespread the awareness of such threats becomes.

Moreover, with the rise of Cybercrime-as-a-Service (CaaS), even fledgling hackers will be able to access sophisticated tools. In the past, hackers would have to develop the tools themselves, which presented a significant barrier for those not particularly tech-savvy. To create an effective machine learning model for an acoustic attack, the cybercriminal would need extensive knowledge about ML systems and the data to feed the model. But with CaaS, a more experienced hacker can create the software and sell it to novice hackers for a fee.

Should Businesses Be Concerned About Acoustic Side Channel Attacks During Conference Calls or Virtual Meetings?

Yes, especially if sensitive information is being discussed. During important calls, companies should consider secure environments, encrypted communication tools, and sound masking technologies.

How Can Individuals Protect Themselves From Potential Acoustic Attacks?

One can take steps like ensuring the physical security of their devices, being cautious of granting microphone permissions to unknown apps, regularly checking for software updates, and using sound-masking technologies or white noise generators.

Are Certain Devices More Vulnerable to Acoustic Attacks Than Others?

Devices with high-quality microphones and less effective sound shielding may be more susceptible. However, the software, user behavior, and environment play a crucial role in a device’s vulnerability.

Can Acoustic Side Channel Attacks Capture More Than Just Keystrokes or Screen Patterns?

Potentially, yes. Any action that produces a distinct sound or vibration pattern could be a target. This might include tapping on a touchscreen, interacting with wearable devices, or even voice patterns in specific conditions.

How Does Ambient Noise Impact Acoustic Attacks?

Ambient noise can interfere with the precise capture of sound signals. In noisy environments, it might be challenging for an attacker to decipher the relevant data from background noise. However, sophisticated algorithms might still filter out the noise to some extent.

Can Acoustic Attacks Be Conducted Remotely, or Do Attackers Need To Be Nearby?

While many acoustic attacks require proximity to capture high-quality sound, some scenarios, like a compromised device or app transmitting sound data, allow for remote attacks.

Passwords Have to Go

While acoustic attacks present a worrying new reality for password security, it’s fair to say the writing has been on the wall for some time.

For example, one report found that 81% of hacking-related breaches leveraged stolen or weak passwords. It’s statistics like this and others, that have contributed massively to the evolution of password security. Over the years, reputable security bodies like NIST have changed their advice on password hygiene to help combat the ever-shifting limitations of passwords. But no matter the solution, cyber criminals always find a way to bypass it.

Let’s start with the most basic. Convincing people to create strong passwords has always been a challenge. Research by NordPass found that the average person has 100 passwords. And with this in mind, it’s easy to see why password reuse is so common.

And then there’s password strength – how effective a password is against guessing or brute-force attacks. A NordPass survey found that an eye-watering 24% of Americans have used some variation of these weak passwords: 123456, Iloveyou, abc123, Password, Qwerty, Admin, and Welcome.

For many years, security experts recommended people choose complex passwords with at least seven characters, including uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !. However, advice has shifted in recent years. For example, NIST has now removed requirements for special characters, numbers, and uppercase characters to reduce insecure human behavior (people reusing passwords or writing them down). Instead, they recommend password length over complexity.

In a similar move, NIST now recommend against password expiration rules, where IT teams demand users change their password every 30, 60, or 90 days. Again, this is because it promotes insecure human behavior – people typically just change their password by one character rather than coming up with a new, unique password.  Instead, they recommend IT departments continuously check username and passwords against known stolen credential lists, or opt for passwordless authentication.

Perhaps the most popular method of making passwords more secure today is two-factor authentication (2FA) or multi-factor authentication (MFA). However, while 2FA and MFA are much more secure than a sole username and password combination, they still have their limitations:

• Phishing Attacks: Cybercriminals can create fake login pages to steal both passwords and the secondary authentication code. Once both are obtained, unauthorized access is possible.
• Man-in-the-Middle Attacks: With MitM attacks, malicous actors can intercept communication between a user and a legitimate service, capturing both the password and the 2FA code.
• Loss of Device: If a user loses the device where they receive 2FA codes (e.g., a phone), they may be locked out, or a finder could potentially gain access.
• SIM Swapping: Attackers can trick mobile providers into switching a user’s phone number to a new SIM card. This allows them to receive 2FA SMS codes meant for the victim.

The bottom line is this. Even before the threat of sophisticated acoustic attacks, passwords were already proving they were no longer fit for the modern cyber threat landscape. And as a result, most security-focused organizations were already moving away from passwords in favor of more secure authentication methods.

However, acoustic attacks should accelerate this move. It doesn’t matter how strong or complex your password is if you’re being listened to. That leads us to the solution – passwordless authentication and certificate-based authentication.

Passwordless Authentication

Passwordless authentication, as the name suggests, eliminates passwords from the equation, thereby removing all the drawbacks of passwords.

And beyond improving security, it’s favored for its user-friendliness. Remembering a multitude of complex passwords can be a daunting task for many. On the other hand, biometric recognition or single-use codes sent to a personal device are more intuitive and significantly more challenging for cybercriminals to replicate. Such methods draw from unique individual traits or temporary data, ensuring a more stringent layer of defense against unauthorized access.

Moreover, from a business perspective, passwordless systems reduce the costs and resources required for password-related support. Forgotten passwords result in support tickets, employee downtime, and potential breaches. With passwordless solutions, these issues become a thing of the past.

Here are some common types of passwordless authentication:

• One-Time Passcodes (OTPs): Typically sent via SMS, email, or in-app notifications.
• Biometrics: Includes fingerprint recognition, facial recognition, voice recognition, and iris or retinal scanning.
• Authenticator Apps: Generate time-sensitive codes or push-based approvals.
• Hardware Tokens: Physical devices (e.g., USB keys) that produce or store authentication credentials.
• Software Tokens: Virtual versions of hardware tokens, often in app form.
• Certificate-Based Authentication: Utilizes digital certificates to prove identity and establish trust without needing a password.

Let’s dive deeper into certificate-based authentication, which is becoming a top favorite for businesses worldwide.

Certificate-Based Authentication

Let’s dive into everything you need to know about certificate-based authentication.

What are Digital Certificates?

Digital certificates function much like passports in the digital world, serving as electronic credentials for individuals, websites, or devices. These certificates are issued by trusted entities known as Certificate Authorities (CAs). Just as a passport vouches for an individual’s identity during international travel, a digital certificate confirms the authenticity of its holder in the digital realm.

Each certificate contains a public key and details about its owner’s identity, such as their name or domain. This facilitates secure cryptographic communications, ensuring that data remains confidential and unaltered. When two devices or individuals communicate, their certificates validate each other’s authenticity, preventing deceptive interventions. These certificates are the backbone of internet security, safeguarding users from deceptive attacks and ensuring genuine, secure digital interactions.

Your Digital Fortress: The Strength of Certificates

Certificate-based authentication operates on the principle of asymmetrical cryptography, where you and the system share a unique set of cryptographic keys. Envision it as a high-security facility where entry is granted only to those possessing a cryptographic smart card. Here, your digital certificate is analogous to that smart card, encapsulating your public key and other relevant metadata. In contrast, the certificate authority (CA) acts as the security protocol ensuring only verified entities gain access.

If someone aims to penetrate this secure facility without an authorized certificate, they’d be thwarted. Using a counterfeit or compromised key won’t bypass the intricate cryptographic handshake process. In certificate-based authentication, the digital certificate, bound uniquely to you and your device, is signed with the CA’s private key. Hence, even if malicious actors capture your certificate, they can’t wield it effectively without the corresponding private key.

This level of security can be likened to having an RSA-encrypted vault within your network. Certificate-based authentication becomes a formidable barrier due to the complexity and mathematical backbone of asymmetric encryption.

Navigating the Challenges

Granted, the intricacies of certificate-based authentication can be more nuanced than the typical username-password schema. It necessitates a robust public key infrastructure (PKI) either internally or through external trusted CAs. Acquiring, renewing, and revoking certificates, especially in large-scale environments, demands a meticulous management system.

Not all applications or network systems natively support certificate-based authentication. Transitioning may require middleware solutions or infrastructure overhauls. Moreover, once the system is in place, comprehensive training on PKI and digital certificate management becomes essential for IT personnel.

But as cyber threats evolve, the enhanced protection offered by certificate-based authentication is drawing increased attention. Despite its complexities, it’s fast becoming the gold standard for organizations aiming for rigorous security.

How Secure Are Digital Certificates?

Strengths:

• Authentication: Digital certificates provide a means to authenticate the identity of entities online, ensuring users communicate with genuine servers or users.
• Encryption: They facilitate encrypted communication between browsers and servers, protecting data in transit from eavesdropping.
• Data Integrity: They ensure data hasn’t been tampered with during transmission.
• Trust: Established by trusted third-party Certificate Authorities (CAs), which are recognized and accepted by major browsers and operating systems.
• Public Key Infrastructure (PKI): Operates on a secure framework where pairs of private and public keys are used, making unauthorized access challenging.

Weaknesses:

• CA Compromise: If a trusted CA gets breached, attackers can create counterfeit certificates, enabling deceptive activities like man-in-the-middle attacks.
• Phishing Attacks: Cybercriminals can design counterfeit sites and, in some instances, get deceptive certificates, misleading users into believing they’re on genuine websites.
• Certificate Expiry/Revocation: Outdated or nullified certificates can pose security risks. Users might encounter alerts, or adversaries can exploit these for nefarious activities.
• Weak Encryption Algorithms: Older certificates might employ deprecated or feeble encryption techniques, rendering them susceptible to cryptographic attacks.

Unpacking the Role of a Certificate Authority (CA)

At its core, a Certificate Authority (CA) operates as the digital notary or guarantor of the Internet. It’s a third-party organization recognized for its role in vouching for the digital identities of entities—whether they’re individuals, organizations, or devices.

Delving deeper, the pivotal role of a CA is to rigorously ascertain and validate the legitimacy of an entity that seeks a digital certificate. This involves meticulous vetting processes where the CA ensures the authenticity of the information presented to it. Once the entity’s identity passes these stringent checks, the CA then furnishes a digital certificate, embedding the entity’s public key, facilitating encrypted exchanges online.

Imagine a scenario where you browse a website possessing a certificate granted by a reputable CA. Your browser, programmed to trust this CA, will scrutinize the certificate, affirming the website’s authenticity before forging a secure connection. This foundational trust mechanism fortifies the digital landscape against deceptive threats such as phishing or man-in-the-middle attacks.

What Are the Different Kinds of Certificate Authorities?

There are primarily two certificate authorities (CA) categories: public and private.

Public Certificate Authorities

These are commercial entities that provide digital certificates to the general public. Web browsers, operating systems, and various software routinely trust these authorities to dispense certificates for secure online communications. Due to their critical role, public CAs are bound by rules and must adhere to specific industry criteria to guarantee the integrity and dependability of their certificates. Renowned public CAs include Let’s Encrypt, Comodo CA, DigiCert, and GlobalSign.

Private Certificate Authorities

Often referred to as internal CAs, these are exclusively used by corporations to generate digital certificates for their internal purposes. Such CAs aren’t externally trusted and don’t come under the regulations that public CAs do. They’re commonly employed in corporate settings to facilitate secure exchanges between internal devices and services. While they offer enhanced control over certificate generation and oversight, they demand a more hands-on approach in terms of setup and upkeep. Examples of private CAs comprise Microsoft Certificate Services, OpenSSL, and EJBCA.

Furthermore, there are also state-sanctioned certificate authorities. These are public CAs run by governmental bodies to disseminate digital certificates for protected interactions within governmental agencies and affiliated entities. These certificate providers adhere to rigorous regulations and assessments to safeguard the privacy and security of data in transit.

Who Oversees Certificate Authorities?

Various entities oversee certificate authorities (CAs):

1. Web browser and OS manufacturers: They maintain and update lists of trusted CAs, potentially revoking trust from non-compliant ones.
2. Industry groups: Groups like the CA/Browser Forum set benchmarks and best practices for CAs.
3. Governmental agencies: In some countries, CAs are regulated by specific governmental departments, such as the FTC and NIST in the U.S.
4. Reviewers: Third-party entities like WebTrust or ETSI conduct audits to ensure CAs comply with industry standards.
5. End-users: Their trust determines a CA’s market reputation and influence.

Certificate-Based Wi-Fi Authentication Explained

Certificate-Based Wi-Fi authentication is a security protocol that leverages digital certificates to verify and establish the identity of users or devices connecting to a Wi-Fi network. Unlike traditional password-based methods, this approach utilizes cryptographic keys, making it a more secure option.

Here’s how it works:

• The Wi-Fi admin sets up a certificate authority (CA) server to issue digital certificates to authorized users and devices.
• Users or devices trying to connect must present their digital certificate to the network.
• The network checks the certificate against the CA server. If valid, access is granted.
• The certificate contains details like identity and a public key for a secure connection to the Wi-Fi.

Why Use Certificate-Based Wi-Fi Authentication?

1. Enhanced Security: Unlike passwords that can be easily shared, guessed, or cracked, digital certificates are unique to each device or user. They involve both public and private encryption keys, making unauthorized access extremely difficult.
2. Ease of Management: For organizations with a large number of devices, managing passwords can be a significant burden. On the other hand, certificate-based authentication allows for a streamlined process. Devices can be quickly enrolled or revoked through the central management of certificates.
3. Reduced Overhead: Frequent password changes, forgotten passwords, and password-related helpdesk requests can be reduced or eliminated entirely, reducing administrative overhead.
4. Trustworthiness: By establishing a chain of trust with the certificate authority, the integrity and authenticity of devices and users on the network are ensured.

What’s the Best Approach for Certificate-Based Wi-Fi Authentication in Corporate Settings?

Corporate networks often employ various methods for certificate-based Wi-Fi authentication. The best choice will depend on the specific needs of the organization. Here are some prevalent methods:

1. EAP-TLS: A popular option, it involves mutual authentication between the client device and the network using digital certificates, offering robust encryption and authentication.
2. PEAP: PEAP is a EAP variant that adds an encrypted tunnel for safer authentication credential exchange, frequently combined with EAP-TLS for enhanced security.
3. SCEP: With SCEP, an open-source management protocol, certificates can be issued automatically by IT adminstrators.
4. EAP-TTLS: Incorporating a two-step authentication, the client first offers a digital certificate, followed by authentication credentials. It can be paired with methods like PEAP for added security.
5. EAP-SIM: Suited for mobile devices, it leverages SIM cards for authentication on Wi-Fi networks.

Typically, EAP-TLS is seen as the most secure, providing potent encryption and mutual authentication. Nevertheless, the chosen method should align with an organization’s specific demands.

Final Thoughts

Certificate-based authentication diminishes the risk of acoustic attacks and other intrusions. Remember, acoustic attacks exploit sounds produced during keystrokes to discern passwords. By eliminating the need for password entry, this method inherently neutralizes such threats.

Moreover, passwordless systems remove vulnerabilities like password reuse, guesswork, and phishing, as there are no passwords to be stolen or intercepted. By employing digital certificates, which validate a user’s identity through cryptographic means, the system ensures a robust and secure authentication process resistant to a variety of conventional attack vectors.