ACOUSTIC SIDE CHANNEL ATTACKS (ASCAs)
WHY IN NEWS ?
- Recently, a research paper titled “A Practical Deep Learning Based Acoustic Side Channel Attack on Keyboards”, published and supported by the ethics committee of Durham University, U.K.
MORE ABOUT THE RESEARCH PAPER:
- The paper revealed that Artificial Intelligence (AI) can be used to decode passwords by analysing the sound produced by keystrokes.
- The study highlighted the accuracy of Acoustic Side Channel Attacks (ASCA) when state of the art deep learning models were used to classify laptop keystrokes and their mitigation.
- While ASCA is not new, the development of AI and deep learning has increased the risks posed by side channel attacks.
WHAT ARE ACOUSTIC SIDE CHANNEL ATTACKS ?
- In an ASCA, the sound of clicks generated by a keyboard is used to analyse keystrokes and interpret what is being typed to leak sensitive information.
- These attacks are particularly dangerous as the acoustic sounds from a keyboard are not only readily available but also because their misuse is underestimated by users.
- While most users hide their screens when typing sensitive information, no precautionary steps are taken to hide the sound of the keystrokes.
- Though over time, the sound of keyboard clicks has become less profound with devices making use of nonmechanical keyboards.
- The technology with which the acoustics can be accessed and processed has also improved drastically.
- Additionally, the use of laptops has increased the scope of ASCAs as laptop models have the same keyboard making it easier for AI-enabled deep learning models to pick up and interpret the acoustics.
WHAT ARE SIDE CHANNEL ATTACKS ?
- SCAs are a method of hacking a cryptographic algorithm based on the analysis of auxiliary systems used in the encryption method.
- These can be performed using a collection of signals emitted by devices, including electromagnetic waves, power consumption, mobile sensors as well as sound from keyboards and printers to target devices.
- Once collected, these signals are used to interpret signals that can be then used to compromise the security of a device.
ACCURACY OF ASCAs:
- The research investigated the use of audio recordings taken from Zoom video conferencing calls, smartphone microphones, and off-thes-helf equipment and algorithms to launch ASCA attacks.
- The study found that when trained on keystrokes by a nearby phone, the classifier achieved an accuracy of 95%.
- The highest accuracy seen without the use of a language model.
- When a deep learning model was trained on the data with default values, the model was able to acquire a meaningful interpretation of the data.
- On a MacBook Pro, which features a keyboard identical in switch design to Apple’s models from the last two years, the model was able to achieve state of the art accuracy with minimal training data.
- Additionally, when the AI model was made to recognise keystrokes using audio captured through a smartphone microphone, it was able to achieve 95% accuracy.
- However, accuracy dropped to 93% when Zoom calls were used.
- This kind of cryptanalysis can be defeated by generating sounds that are in the same spectrum and same form as keypresses.
- Using touchbased typing can also reduce the chances of successful keystroke recognition from 64% to 40%, making it more difficult for threat actors to leak sensitive information.
- If sounds of actual keypresses are randomly replayed, it may be possible to totally defeat such kinds of attacks.
- It is advisable to use at least 5 different recorded variations (36 x 5 = 180 variations) for each keypress to get around the issue of FFT fingerprinting.
- Alternatively, white noise of a sufficient volume (which may be simpler to generate for playback) will also mask the acoustic emanations of individual keypresses.
- As the study found that even deep learning models had a difficult time recognising the use of shift key to change the case of alphabets when typing. Thus, users should also avoid the use of easily recognisable phrases which can make it easier for AI models to predict the text.
SYLLABUS: MAINS, GS-3, INFORMATION TECHNOLOGY
SOURCE: THE HINDU