Security researchers from the University of California, Irvine; the Sapienza University of Rome; and the University of Padua were able to reconstruct the sound of keystrokes as text from Skype voice and video calls. Malicious eavesdroppers could use this method to intercept sensitive and personal information of Skype users.
Over the past few years, there has been more research into how keystroke sounds could be converted into the text that the surveillance target wrote at the time of the recording. However, those previous demonstrated attacks were not especially practical in the real world, according to the researchers of the current study.
In the previous studies, the attackers would need to be in close proximity to the target. They also needed to have precise profiling of the victim’s typing style and keyboard, as well as a significant amount of the victim’s typed information and its corresponding sounds.
The researchers developed a new type of practical keyboard acoustic eavesdropping attack, which they called “Skype & Type” (S&T). The idea behind this research was that many people do other activities, such as typing on their keyboards, while they do VoIP (Voice-over-IP) calls.
According to the researchers’ paper, VoIP software can acquire acoustic emanations of pressed keystrokes and then transmit them to others in the call. Normally, this wouldn’t be an issue if you trust the person on the other side of the line, but calls can be intercepted, and the eavesdropper could be capturing the VoIP users’ keystrokes.
An attacker could capture keystrokes this way with an accuracy of 41.89% if there is absolutely no knowledge of the keyboard being used or of the target’s typing style. However, the accuracy goes up to 91.7% if there is some knowledge about the keyboard used and the user’s typing behavior. The researchers also noted that the “Skype & Type” attack is resilient against various bandwidth issues, confirming the feasibility of the attack.
The researchers tested the attack only on a few laptops so far, which they thought would be a representative sample. Skype is also likely the most often used VoIP application on the desktop, so it made sense to test that application first. However, in the future, the researchers plan to use more laptop models to verify whether this attack can work well enough across all laptops.
They also plan to test other applications such as Google’s Hangouts, and also create countermeasures to the attack they’ve already developed, so Microsoft, Google, and other companies can protect their users from this type of eavesdropping.