Is VoIP Eavesdropping on Keystrokes a Risk?
by Nate Rand
Researchers from three universities found it’s possible to eavesdrop on a computer’s keystrokes through a desktop VoIP connection. Whether this is a serious risk is an open question, but it’s one more reason keystroke noise suppression is worth having. Whether keystroke noise is a security risk or just a nuisance, callers would be better off without it.
The researchers call the interception a “Skype and type” attack, though it’s not specific to Skype. If you type in a password while you’re connected on a call, your microphone will pick up the keystrokes, and software can determine what keys you typed.
Listening to the keyboard
It’s already established that placing a microphone next to a keyboard can pick up enough information to identify a large portion of its keystrokes. The same is true when the sound goes over a VoIP connection.
If you log into a website while on a call and type your password, someone with access to the voice stream could snatch it. The study found that with no knowledge of the keyboard or the user’s typing style, they could get 40% accuracy on some computer models. With a small “training sample” of known keystrokes, they could get up to 91.7%. Curiously, having a cheap computer offers some protection. The better the keyboard, the more reliable acoustic interception is.
Laptops with built-in microphones are the main risk, since they’ll pick up keystrokes at a high volume, loud enough that the caller’s voice won’t mask them. The person speaking has to be louder than the keystrokes for the voice to interfere.
The technique is called “model profiling.” The attacker has keyboard sound data on a variety of widely used laptops. The first step is to match the keystroke sounds against one of the models; then specific keys can be matched by sound. If the attacker can collect some typing with known content, such as a chat message, the accuracy can rise above 90%.
Is it really an issue?
Is this a risk worth worrying about? Even if you don’t completely trust the people you talk with, hopefully you trust them not to engage in high-tech spying on you. However, if your calls don’t have end-to-end encryption, someone could intercept them and extract the key clicks.
If you’re engaged in secret communication, such as discussion of valuable trade secrets or government-classified documents, you shouldn’t talk on an unencrypted line anyway. If you aren’t concerned about whether people can listen in on your calls, the possibility of intercepting key clicks shouldn’t add much to your concerns. There are easier and more reliable ways to pilfer information from an unencrypted voice connection.
If you are concerned, there are several ways to reduce the risk:
- Mute your connection while typing a password. Muting while making keyboard noise is a courteous thing to do, apart from security concerns.
- Type as little as possible while connected. That’s also courteous.
- Log in to any needed services before placing the call.
- Use a password manager, so you don’t have to type the password.
- Use long and hard-to-guess passwords. You do that anyway, don’t you?
These are good practices in general, but it’s hard to keep them in mind during a call. A more promising approach is the use of software to reduce ambient noise in conversations. Aside from any security concerns, it improves the calling experience by eliminating keyboard noise, background hum or hiss, and other extraneous sounds.
Work in this area is still progressing, and there are inherent mathematical limits on the separation of audio signals that have been mixed together. However, if spyware can recognize key clicks, so can VoIP software, so filtering that focuses on key click elimination can work better than general noise elimination. Intelligent key click elimination is likely to become a standard feature or popular add-on for VoIP software in the near future. With both security and call quality as motives, software developers now have more reason to work on this area.
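To make the idea of click-focused filtering concrete, here is an added sketch (not code from the study or from any VoIP product) that flags short, loud transients by frame energy and attenuates only those frames. The sample rate, frame size, threshold, gain and the synthetic test signal are all assumptions chosen for illustration.

```python
import math

RATE = 16000    # samples per second (assumed call audio rate)
FRAME = 160     # 10 ms analysis frame

def synth_call(n=RATE, click_starts=(4000, 9600)):
    """Constructed signal: quiet 200 Hz 'voice' tone plus loud, short 3 kHz key clicks."""
    sig = [0.1 * math.sin(2 * math.pi * 200 * i / RATE) for i in range(n)]
    for start in click_starts:
        for j in range(80):  # 5 ms damped burst
            sig[start + j] += 0.9 * math.exp(-j / 20) * math.sin(2 * math.pi * 3000 * j / RATE)
    return sig

def frame_energy(sig):
    """Mean squared amplitude of each non-overlapping frame."""
    return [sum(x * x for x in sig[i:i + FRAME]) / FRAME
            for i in range(0, len(sig) - FRAME + 1, FRAME)]

def detect_clicks(sig, ratio=3.0):
    """Indices of frames whose energy exceeds `ratio` times the median frame energy."""
    energy = frame_energy(sig)
    baseline = sorted(energy)[len(energy) // 2]
    return [k for k, e in enumerate(energy) if e > ratio * baseline]

def suppress_clicks(sig, ratio=3.0, gain=0.05):
    """Attenuate every flagged frame; all other samples pass through unchanged."""
    out = list(sig)
    for k in detect_clicks(sig, ratio):
        for i in range(k * FRAME, (k + 1) * FRAME):
            out[i] *= gain
    return out

if __name__ == "__main__":
    call = synth_call()
    print("click frames before:", detect_clicks(call))
    print("click frames after: ", detect_clicks(suppress_clicks(call)))
```

Gating a whole frame also drops whatever voice was in those 10 ms, which is the separation limit described above in its simplest form.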
March 25, 2017
March 23, 2017