Published in: International Journal of Information Security 1/2019

16-02-2018 | Regular Contribution

Differential audio analysis: a new side-channel attack on PIN pads

Authors: Gerson de Souza Faria, Hae Yong Kim


Abstract

This paper introduces a low-cost side-channel attack that identifies the pressed key of tamper-proof mechanical keypads by exploiting the sound that emanates from the pressed key. Classical sound-based attacks usually identify the pressed key using the fact that each key emits a characteristic sound. These techniques use, for example, the frequency spectrum to identify the key. Instead, our attack (named DAA—differential audio analysis) analyzes the differential characteristics of the sounds captured by two microphones placed inside the empty space of the device, expressed as the transfer function between the two signals. We applied our attack to four PIN entry devices—also known as PIN pads. Our technique correctly recognized all 1200 keystrokes of two independently tested units of the same model, a classification rate of 100%. We also attacked the same PIN pads using the classical frequency spectrum technique, obtaining an average classification rate of only 78%. This result clearly shows the superiority of the new technique. Our attack also succeeded against a second model from another manufacturer, with a classification rate of 99.8%. However, some PIN pads do not emit sufficiently audible sound when a key is pressed. Evidently, these devices cannot be attacked by analyzing audio emission. We applied our DAA attack to a device of this kind and obtained a classification rate of only 63%. This result shows that some models are quite vulnerable to our attack while others are not as vulnerable. Finally, we present design suggestions to mitigate the vulnerabilities that make our attack possible. These vulnerabilities are present in many certified PIN pad models currently available in the worldwide market.

Footnotes
1. EMV stands for Europay, MasterCard and Visa, the original developers of the platform that promotes hardware and software standards for electronic payments using smartcards.

2. PCI-PTS-POI stands for Payment Card Industry - PIN Transaction Security - Point of Interaction, a set of requirements specific for PIN entry devices, proposed by the PCI. Device compliance can be consulted at https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php.

3. The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. http://www.commoncriteriaportal.org.

5. Most PIN pads can be configured to emit a feedback “beep” when a key is pressed. This sound can be easily identified and removed from the signal, because it begins only after the “click” finishes. If the “beep” sound interferes with the attack (which is unlikely), then this sound can be turned off by the sales clerk (who is supposedly collaborating with the attacker).

6. The audio level was measured through the iPhone application “Decibel 10th” https://itunes.apple.com/br/app/decibel-10th-professional/id448155923?mt=8.

9. “There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring–even with the cooperation of the device operator or sales clerk–without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation, as defined in Appendix B.” [22, p. 20].

Literature
3. Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 281–295 (2008)
4. Asonov, D., Agrawal, R.: Keyboard acoustic emanations. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 3–11 (2004)
5. Berger, Y., Wool, A., Yeredor, A.: Dictionary attacks using keyboard acoustic emanations. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 245–254 (2006)
6. Zhuang, L., Zhou, F., Tygar, J.D.: Keyboard acoustic emanations revisited. ACM Trans. Inf. Syst. Secur. 13(1), 3 (2009)
7. Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: Proceedings of ACM Symposium on Information, Computer and Communications Security, pp. 89–90 (2012)
8. Zhu, T., Ma, Q., Zhang, S., Liu, Y.: Context-free attacks using keyboard acoustic emanations. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security, pp. 453–464 (2014)
9. Backes, M., Dürmuth, M., Gerling, S., Pinkal, M., Sporleder, C.: Acoustic side-channel attacks on printers. In: Proceedings of USENIX Security Symposium, pp. 307–322 (2010)
10. Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: Proceedings of International Cryptology Conference, pp. 444–461 (2014)
11. Kuhn, M.G.: Compromising emanations: eavesdropping risks of computer displays. Ph.D. thesis, University of Cambridge (2002)
12.
13. Marquardt, P., Verma, A., Carter, H., Traynor, P.: (Sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 551–562 (2011)
14. Faria, G.S., Kim, H.Y.: Identification of pressed keys from mechanical vibrations. IEEE Trans. Inf. Forensics Secur. 8(7), 1221–1229 (2013)
15. Faria, G.S., Kim, H.Y.: Identification of pressed keys by time difference of arrivals of mechanical vibrations. Comput. Secur. 57, 93–105 (2016)
16. Havelock, D., Kuwano, S., Vorländer, M.: Handbook of Signal Processing in Acoustics, vol. 2. Springer, Berlin (2008)
17. Faria, G.S., Kim, H.Y.: Identification of pressed keys by acoustic transfer function. In: Proceedings of IEEE International Conference on Systems, Man, and Cybernetics, pp. 240–245 (2015)
18. Havelock, D., Kuwano, S., Vorländer, M.: Handbook of Signal Processing in Acoustics, vol. 1. Springer, Berlin (2008)
19. Kay, S.M.: Modern Spectral Estimation. Pearson, New York (1988)
20. Stoica, P., Moses, R.L.: Spectral Analysis of Signals. Pearson Prentice Hall, New York (2005)
Metadata
Title: Differential audio analysis: a new side-channel attack on PIN pads
Authors: Gerson de Souza Faria, Hae Yong Kim
Publication date: 16-02-2018
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2019
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-018-0403-7
