Computers & Security

Volume 57, March 2016, Pages 93-105

Identification of pressed keys by time difference of arrivals of mechanical vibrations

https://doi.org/10.1016/j.cose.2015.11.002

Highlights

  • We identify the pressed keys of commercial PIN-pads by monitoring the arrival times of mechanical vibrations.

  • We correctly classify the pressed key with 96.4% accuracy.

  • The certification process does not address this new side-channel attack.

  • We explain the design flaws responsible for this vulnerability.

Abstract

The possibility of recovering the sequence of keys pressed on a mechanical keyboard is a serious security threat. In our previous work, we showed that the pressed key can be identified with high probability by analyzing the vibration generated by the keystroke. At that time, we did not know which physical phenomenon was responsible for leaking information as mechanical vibration. In this paper, we show that the TDOA (Time Difference of Arrivals) of the mechanical waves is the main culprit. To demonstrate this hypothesis, we glued three accelerometers to a PIN-pad, collected the vibrations generated by the keystrokes and computed the relative delays of the vibration arrival times at pairs of accelerometers. We show that the positions of the keys can be estimated from simple differences of these delays. A simple classification scheme using the delays yielded a 96.4% recognition success rate. The same technique can be used to attack devices with touch-sensitive screens, identifying the region touched.

Introduction

Mechanical keypads are widely used for entering confidential data. Confidential passwords are typed on mechanical keypads in ATMs (automatic teller machines) and PIN-pads (devices used in smart card transactions to input the cardholder's personal identification number). In some countries, including Brazil, voters use electronic voting machines with mechanical keyboards to choose their candidate. Thus, the possibility that someone discovers the sequence of pressed keys, without the user's knowledge or consent, is a serious security threat. In card operations, the theft of card information during an otherwise legitimate transaction, known as “skimming”, was responsible for 87% of attacks against ATMs in 2013, as reported in the Verizon 2014 Data Breach Investigations Report (Verizon, 2014).

In previous work (Faria and Kim, 2013), we showed that it is possible to identify the pressed key with high probability by gluing accelerometers to the device, acquiring the acceleration signals generated by keystrokes and analyzing these signals. We called this the “vibration attack”.

Modern ATM keypads are usually encrypting keypads: sealed modules that encrypt the PIN immediately after entry. Non-encrypted PINs are therefore not meant to be accessible from outside, either by physically tapping wires or by remotely sensing electromagnetic radiation. Any tampering with the keypad causes it to permanently disable itself. Similarly, PIN-pads are protected modules that permanently disable themselves if tampered with. The possibility of identifying the sequence of pressed keys through mechanical vibrations is a serious security failure of secure keypads, because they are designed to resist any eavesdropping attempt, yet the devices continue functioning normally while passwords are stolen.

When we wrote our previous paper, we ran the experiments without knowing the physical phenomenon responsible for the information leak. We extracted a large number of features from the vibration signals (up to 165 per keystroke) and fed them to machine learning algorithms in an attempt to identify the pressed key. This was enough to establish that the problem exists, but it gave no satisfactory explanation of the underlying phenomenon.

In this work, we show that the propagation delay of the transverse wave generated by the keystroke is the main phenomenon responsible for the information leak. With this knowledge, we use far fewer features per keystroke (2 instead of up to 165) and less training data (100 or 200 keystrokes per experiment instead of up to 2400) and obtain classification success rates similar to those of our earlier work. This result is somewhat surprising, because a PIN-pad is far from a homogeneous medium, and one would expect the vibration propagation velocity to differ between regions of the device. To give our technique a short name, we call it the “vibration delay attack”.

It is also possible to estimate the position of the pressed key (the source of the wave) by a simple 2-D trilateration of the relative delays of the signals captured by the accelerometers. This is a well-known technique in a variety of fields, referred to as TDOA (Time Difference of Arrivals) or simply “time of flight”. For instance, the accurate measurement of these delays is the basis of GPS (global positioning system) and other geolocation systems. Geophysicists and seismologists also use it to locate the epicenters of earthquakes and other seismic events (Tarantola, 2005). In our case, the position of the key is analogous to the epicenter of an earthquake.

In the literature, some papers identify the pressed key by sound, because each key usually emits a characteristic sound when pressed. Asonov and Agrawal (2004) achieved a 79% key recognition success rate when identifying one of 30 keys on a PC keyboard. Berger et al. (2006) use keyboard acoustic emanations and a dictionary to correctly recognize 73% of the English words typed on a PC keyboard, without any training. Zhuang et al. (2009) take as input a 10-minute sound recording of a user typing English text on a keyboard and recover up to 96% of the typed characters. Halevi and Saxena (2012) use keyboard acoustic emanations to eavesdrop on random passwords, without a dictionary, achieving a 40% to 64% recognition rate per character.

Similarly to acoustic emission, each key seems to emit a characteristic mechanical vibration when pressed. However, this idea has been much less explored in the literature. Marquardt et al. (2011) use it to recognize keystrokes on a computer keyboard, capturing the vibrations with the accelerometer of a smartphone placed near the keyboard. They do not actually identify the pressed key. Instead, they classify keystrokes as “left” or “right” and pairs of keystrokes as “near” or “far”, achieving classification rates from 65% to 91% on those binary decisions.

The phenomenon identified in this work is of a different nature: even if all keys emitted exactly the same sound and the same mechanical vibration, it would still be possible to identify the pressed key from the arrival times of the vibration wave. Our purpose here is neither to select the most appropriate classifier nor to achieve extremely high recognition rates. Instead, our primary aim is to show that there is one more physical phenomenon that can be used to identify the pressed key, by means of a simple location technique applied to a complex, non-homogeneous medium. Most location experiments use relatively homogeneous solids, like concrete, metal, glass or acrylic, and not composite ones like a PIN-pad. In all experiments we use only the relative delays as features and a simple naive Bayesian classifier; adding other features and fine-tuning the classifier would probably yield higher success rates. Additionally, our finding opens the possibility of attacking touch-screen devices, because the same phenomenon occurs when the user interacts with them. Note that touch-screen devices cannot be attacked using acoustic emanations.

The literature on trilateration comes from diverse fields of research. Maochen Ge discusses the source location theories and methods used for earthquake, microseismic and acoustic emission studies (Ge, 2003a, Ge, 2003b). He analyzes the principles of source location methods and identifies the main causes of inaccuracy, for instance imprecise sensor positions and errors in arrival time measurement. Geolocation methods based on measuring the time differences of arrival (TDOAs) of signals received from several geostationary satellites are presented in (Gustafsson and Gunnarsson, 2003, Ho and Chan, 1993, Manolakis, 1996). Ho and Chan present a method that solves a set of nonlinear equations to estimate the location (Ho and Chan, 1993). Gustafsson and Gunnarsson compare a Monte Carlo method and a gradient search algorithm (Gustafsson and Gunnarsson, 2003). Schumacher et al. propose a Bayesian approach to the source location problem in materials research (Schumacher et al., 2012). Arun et al. (2011) develop a location method based on the Kullback–Leibler discrimination information criterion applied to the spectra of acceleration signals, testing it on a large aluminium plate.

The rest of the paper is organized as follows. Basic theory on transverse waves is described in Section 2. We apply the vibration delay attack to two devices: a simple mockup keypad in Section 3 and a commercial PIN-pad designed to be secure in Section 4. We compare the previous results with the new ones in Section 5 and present our conclusions in Section 6. The appendices present the definition of normalized cross-correlation (used to estimate the relative delay between two signals) and the source location estimation method.
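The relative delay between two accelerometer channels is the raw quantity the whole method rests on, and the paper estimates it with normalized cross-correlation (defined in its appendix). The following is an added example, not the paper's code, of that estimator on two constructed channels: a damped sinusoid standing in for the transverse wave, copied into a second channel with a known offset, plus Gaussian noise. The sampling rate, wavelet shape, delay and noise level are all assumed values chosen for illustration; positive output means channel b received the wavefront later than channel a.

```python
# Added example (not the paper's code): relative delay between two channels
# estimated with normalized cross-correlation (NCC). The sampling rate, wavelet,
# delay and noise level below are constructed assumptions, not measured values.
import math
import random

FS = 10_000  # Hz, assumed sampling rate of the accelerometer channels


def keystroke_wavelet(n_samples, fs=FS, f0=800.0, tau=0.004):
    """Damped sinusoid standing in for the transverse wave seen by one sensor."""
    return [math.exp(-i / fs / tau) * math.sin(2 * math.pi * f0 * i / fs)
            for i in range(n_samples)]


def delayed_channels(delay_samples, n=400, noise=0.05, seed=0):
    """Two constructed channels: b receives the wavefront delay_samples later
    than a (negative means earlier); both carry additive Gaussian noise."""
    rng = random.Random(seed)
    w = keystroke_wavelet(200)
    a = [0.0] * n
    b = [0.0] * n
    a[50:250] = w
    b[50 + delay_samples:250 + delay_samples] = w
    return ([v + rng.gauss(0.0, noise) for v in a],
            [v + rng.gauss(0.0, noise) for v in b])


def normalized_xcorr(a, b, max_lag):
    """NCC of a and b for every lag in [-max_lag, max_lag] as (lag, ncc) pairs;
    positive lag means b lags a. Means are removed so offsets do not bias it."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    a = [v - ma for v in a]
    b = [v - mb for v in b]
    n = len(a)
    out = []
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            x, y = a[:n - lag], b[lag:]
        else:
            x, y = a[-lag:], b[:n + lag]
        num = sum(p * q for p, q in zip(x, y))
        den = math.sqrt(sum(p * p for p in x) * sum(q * q for q in y)) + 1e-12
        out.append((lag, num / den))
    return out


def estimate_delay(a, b, max_lag=50):
    """Relative delay in samples: the lag at which the NCC peaks."""
    return max(normalized_xcorr(a, b, max_lag), key=lambda t: t[1])[0]


def estimate_delay_seconds(a, b, fs=FS, max_lag=50):
    """Same delay in seconds; multiplied by the wave velocity it gives the
    difference in path length from the source to the two sensors."""
    return estimate_delay(a, b, max_lag) / fs


if __name__ == "__main__":
    a, b = delayed_channels(7)
    print("estimated delay:", estimate_delay(a, b), "samples")
```

The peak is searched only within `max_lag` samples of zero, which is the usual guard against the correlation locking onto a later oscillation of the damped wave; in practice the bound comes from the sensor spacing divided by the slowest plausible propagation velocity.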

Theory

The behavior of a transverse wave in a bar or plate (with thickness) is considerably more complex than that of the classical transverse wave in a string or membrane (with negligible thickness). Plates and bars have thickness, which gives rise to properties such as bending stiffness (also known as flexural rigidity), defined as the resistance offered by the plate while undergoing bending or deflection.

The differential equation for the deflection of a one-dimensional string is (Elmore and Heald, 1969):

$$\frac{\partial^2 y(x,t)}{\partial x^2} = \frac{1}{c^2}\,\frac{\partial^2 y(x,t)}{\partial t^2}$$

Acrylic plate mockup keypad

We constructed a mockup keypad using an acrylic plate to verify whether the vibration delay can be used to identify the pressed key. We fixed a paper print of a keypad on the plate (Fig. B.4), glued three accelerometers to it and touched inside each region emulating a key. If this test achieved high accuracy, it would be worth continuing the tests on real devices. We pressed each of the virtual keys “0” to “9” 10 times, generating 100 acquisitions.

Fig. B.5 (top) depicts a typical keystroke

PIN-pad

After the experiment with the acrylic plate, we applied the vibration delay attack to a PIN-pad designed to handle sensitive information securely. Fig. B.7 shows the device, an Ingenico iPP320 PIN-pad, and the experimental assembly, where the three accelerometers were glued inside the SAM (Secure Access Module) card access compartment. This device is PCI-PTS compliant,1

Considerations

Table B.4 compares the main experiments of our previous work (Faria and Kim, 2013) with those of this work. Clearly, the “PIN2 rigid mode” experiment of the previous work has the lowest success rate. Now that we know the main physical phenomenon leaking the information, we can explain the cause of this low rate: in that experiment we used only two accelerometers, so the TDOA cannot uniquely determine the location of the vibration source.
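The two points made above and in the Introduction, that two relative delays from three accelerometers are enough to separate the keys while a single accelerometer pair leaves whole sets of keys indistinguishable, can be checked on a simulated keypad. The following is an added simulation, not the paper's code or data: a 3x4 telephone layout with 15 mm pitch, three assumed sensor positions, a single assumed wave velocity of 1500 m/s and Gaussian timing error of a few microseconds. It computes the TDOA features, trains a minimal Gaussian naive Bayes classifier on 10 keystrokes per key (100 total, the paper's smallest training set), locates a source by least-squares grid search (the 2-D trilateration mentioned in the Introduction), and lists which keys collapse onto the same delay when only sensors 0 and 1 are used. A real PIN-pad is not a homogeneous medium, so the velocity here is the idealization the paper itself says is surprising to find adequate.

```python
# Added example (not the paper's code): TDOA features for a 3-sensor keypad,
# a Gaussian naive Bayes classifier over the two relative delays, grid-search
# source location, and the two-sensor ambiguity. Geometry, velocity and noise
# level are constructed assumptions, not measurements from the paper.
import math
import random

VELOCITY = 1500.0  # m/s, assumed uniform transverse-wave speed in the plate
# Key centres (metres) of a 3x4 telephone layout with 15 mm pitch; key "1" at origin.
KEYS = {str(k): ((k - 1) % 3 * 0.015, -((k - 1) // 3) * 0.015) for k in range(1, 10)}
KEYS["0"] = (0.015, -0.045)
# Three accelerometer positions (metres), assumed. Sensors 0 and 1 are mirror
# images about the middle key column, which creates the two-sensor ambiguity.
SENSORS = [(-0.02, 0.01), (0.05, 0.01), (0.015, -0.06)]


def arrival_times_us(src):
    """Wavefront arrival time (microseconds) at every sensor for a source at src."""
    return [math.hypot(sx - src[0], sy - src[1]) / VELOCITY * 1e6 for sx, sy in SENSORS]


def tdoa_features(src, sensors=(0, 1, 2)):
    """Relative delays t_j - t_ref for the chosen sensors (2 features for 3 sensors)."""
    t = arrival_times_us(src)
    return [t[j] - t[sensors[0]] for j in sensors[1:]]


def make_dataset(n_per_key, noise_us, seed, sensors=(0, 1, 2)):
    """Constructed keystrokes: ideal delays plus Gaussian timing error (no real data)."""
    rng = random.Random(seed)
    X, y = [], []
    for key, pos in KEYS.items():
        f = tdoa_features(pos, sensors)
        for _ in range(n_per_key):
            X.append([v + rng.gauss(0.0, noise_us) for v in f])
            y.append(key)
    return X, y


class GaussianNB:
    """Minimal Gaussian naive Bayes: one axis-aligned Gaussian per key."""
    def fit(self, X, y):
        self.params = {}
        for c in sorted(set(y)):
            rows = [x for x, label in zip(X, y) if label == c]
            cols = list(zip(*rows))
            mu = [sum(col) / len(rows) for col in cols]
            var = [sum((v - m) ** 2 for v in col) / len(rows) + 1e-9
                   for col, m in zip(cols, mu)]
            self.params[c] = (mu, var)
        return self

    def log_lik(self, x, c):
        mu, var = self.params[c]
        return -0.5 * sum(math.log(2 * math.pi * v) + (xi - m) ** 2 / v
                          for xi, m, v in zip(x, mu, var))

    def predict(self, X):
        return [max(self.params, key=lambda c: self.log_lik(x, c)) for x in X]


def accuracy(n_train=10, n_test=20, noise_us=1.5, seed=1):
    """Fraction of test keystrokes whose key is recovered from the two delays."""
    Xtr, ytr = make_dataset(n_train, noise_us, seed)
    Xte, yte = make_dataset(n_test, noise_us, seed + 1)
    pred = GaussianNB().fit(Xtr, ytr).predict(Xte)
    return sum(p == t for p, t in zip(pred, yte)) / len(yte)


def locate(tdoa_us):
    """Least-squares source location: the 1 mm grid point over the keypad area
    whose ideal delays best match the observed ones (2-D trilateration)."""
    best, best_res = None, float("inf")
    for xi in range(-10, 41):
        for yi in range(-55, 11):
            p = (xi / 1000.0, yi / 1000.0)
            res = sum((a - b) ** 2 for a, b in zip(tdoa_features(p), tdoa_us))
            if res < best_res:
                best, best_res = p, res
    return best


def indistinguishable_groups(sensors, tol_us=1.0):
    """Keys whose delay features, using only `sensors`, agree within tol_us."""
    feats = {k: tdoa_features(p, sensors) for k, p in KEYS.items()}
    groups = []
    for k in KEYS:
        for g in groups:
            if all(abs(a - b) <= tol_us for a, b in zip(feats[k], feats[g[0]])):
                g.append(k)
                break
        else:
            groups.append([k])
    return sorted(tuple(sorted(g)) for g in groups if len(g) > 1)


if __name__ == "__main__":
    print("3-sensor naive Bayes accuracy:", accuracy())
    print("located key 5 at:", locate(tdoa_features(KEYS["5"])))
    print("keys confused with sensors 0,1 only:", indistinguishable_groups((0, 1)))
    print("keys confused with all 3 sensors:", indistinguishable_groups((0, 1, 2)))
```

With sensors 0 and 1 alone, every key on the middle column (2, 5, 8, 0) lies on the perpendicular bisector of the sensor pair and produces a zero delay, so a single TDOA only constrains the source to a hyperbola; the third sensor adds a second hyperbola and the intersection fixes the key. The same geometry is why a defender reviewing a keypad design would want to know how many independent propagation paths an attached sensor could observe, not merely whether the PIN is encrypted after entry.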

The success rate of the ATM experiment of our

Conclusion

In this paper, we have demonstrated that the primary cause that makes it possible to identify the pressed key by monitoring vibrations with accelerometers is the relative delay in the wavefront arrival times at accelerometers located at different points. We have shown that the propagation delay of the wavefront generated by the keystroke makes each accelerometer feel similar vibrations at different moments. These relative delays are used in our “vibration delay attack”. A simple

Gerson de Souza Faria received his B.Sc. degree in Physics from University of São Paulo (USP) in 2002 and M.Sc. in Electrical Engineering in 2012 from Escola Politécnica, USP. Currently, he is a Ph.D. candidate in Electrical Engineering in the same department. His interests include signal and image processing, machine learning, low-cost attacks and information security in human–machine interfaces.

References

  • T. Schumacher et al., Toward a probabilistic acoustic emission source location algorithm: a Bayesian approach, J. Sound Vib. (2012)
  • K. Arun et al., Source localization on solids using Kullback–Leibler discrimination information (2011)
  • D. Asonov et al., Keyboard acoustic emanations, in: Security and Privacy (2004)
  • Y. Berger et al., Dictionary attacks using keyboard acoustic emanations (2006)
  • W. Elmore et al., Physics of waves (1969)
  • G.S. Faria et al., Identificação das teclas digitadas a partir da vibração mecânica [Identification of typed keys from mechanical vibration] (2012)
  • G.S. Faria et al., Identification of pressed keys from mechanical vibrations, IEEE Trans. Inf. Forensics Secur. (2013)
  • Freescale Semiconductor, MMA7361LC: ±1.5g, ±6g, 3-Axis Analog Output Acceleration Sensor
  • M. Ge, Analysis of source location algorithms – part I: overview and non-iterative methods (2003a)
  • M. Ge, Analysis of source location algorithms – part II: iterative methods (2003b)

Hae Yong Kim was born in South Korea in 1964 and migrated to Brazil in 1975. He received the third highest score in the entrance exam to the University of São Paulo (USP), among about 11000 candidates to Sciences and Engineering, and has graduated in Computer Science in 1988 with the best average scores. He received M.Sc. in Applied Mathematics (1992) and Ph.D. in Electrical Engineering (1997), both from USP. He has lectured at USP since 1989, and is currently an associate professor with the Department of Electronic Systems Engineering, Escola Politécnica, USP.
