Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency...
Transcript of Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency...
![Page 1: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/1.jpg)
slide 1
Vitaly Shmatikov
CS 361S
Side-Channel Attacks:
Acoustics and Reflections
![Page 2: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/2.jpg)
slide 2
Reading
“Keyboard Acoustic Emanations Revisited” by Zhuang, Zhou, and Tygar (CCS 2005)
“Compromising Reflections: How to read Computer Monitors around a Corner” by Backes, Duermuth, and Unruh (S&P 2008)
• Also “Tempest in a Teapot: Compromising Reflections Revisited” (S&P 2009)
![Page 3: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/3.jpg)
Acoustic Information in Typing
Different keystrokes make slightly different sounds
• Different locations on the supporting plate
Frequency information in the sound of typed key can be used to learn which key it is
• Observed by Asonov and Agrawal (2004) slide 3
![Page 4: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/4.jpg)
“Key” Observation
Exploit the fact that typed text is non-random (for example, English)
• Some letters occur more often than others
• Limited number of valid letter sequences (spelling)
• Limited number of valid word sequences (grammar)
Build acoustic model for keyboard and typist
slide 4
![Page 5: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/5.jpg)
Sound of a Keystroke
Each keystroke is represented as a vector of Cepstrum features
• Fourier transform of the decibel spectrum
• Standard technique from speech processing
slide 5
[Zhuang, Zhou, Tygar]
![Page 6: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/6.jpg)
Bi-Grams of Characters
Group keystrokes into N clusters
Find the best mapping from cluster labels to characters
Exploit the fact that some character combinations are more common than others
• Example: “th” vs. “tj”
• Unsupervised learning using Hidden Markov Models
slide 6
5 11 2
“t” “h” “e”
[Zhuang, Zhou, Tygar]
![Page 7: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/7.jpg)
Tri-grams of Words
Spelling correction
Simple statistical model of English grammar
Use HMMs again to model
slide 7
[Zhuang, Zhou, Tygar]
![Page 8: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/8.jpg)
Two Copies of Recovered Text
_____ = errors in recovery = errors corrected by grammar
slide 8
Before spelling and grammar correction
After spelling and grammar correction
[Zhuang, Zhou, Tygar]
![Page 9: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/9.jpg)
Feedback-based Training
Language correction of recovered characters
Feedback for more rounds of training
Output: keystroke classifier
• Language-independent
• Can be used to recognize random sequence of keys
– For example, passwords
• Many possible representations
– Neural networks, linear classification, Gaussian mixtures
slide 9
[Zhuang, Zhou, Tygar]
![Page 10: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/10.jpg)
Experiment: Single Keyboard
Logitech Elite Duo wireless keyboard
4 data sets recorded in two settings: quiet and noisy
• Consecutive keystrokes are clearly separable
Automatically extract keystroke positions in the signal with some manual error correction
[Zhuang, Zhou, Tygar]
slide 10
![Page 11: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/11.jpg)
Results for Single Keyboard
slide 11
Recording length Number of words Number of keys
Set 1 ~12 min ~400 ~2500
Set 2 ~27 min ~1000 ~5500
Set 3 ~22 min ~800 ~4200
Set 4 ~24 min ~700 ~4300
Set 1 (%) Set 2 (%) Set 3 (%) Set 4 (%)
Word Char Word Char Word Char Word Char
Initial 35 76 39 80 32 73 23 68
Final 90 96 89 96 83 95 80 92
[Zhuang, Zhou, Tygar]
Datasets
Initial and final recognition rate
![Page 12: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/12.jpg)
Experiment: Multiple Keyboards
Keyboard 1: Dell QuietKey PS/2
• In use for about 6 months
Keyboard 2: Dell QuietKey PS/2
• In use for more than 5 years
Keyboard 3: Dell Wireless Keyboard
• New
slide 12
[Zhuang, Zhou, Tygar]
![Page 13: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/13.jpg)
Results for Multiple Keyboards
12-minute recording with app. 2300 characters
Keyboard 1 (%) Keyboard 2 (%) Keyboard 3 (%)
Word Char Word Char Word Char
Initial 31 72 20 62 23 64
Final 82 93 82 94 75 90
[Zhuang, Zhou, Tygar]
slide 13
![Page 14: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/14.jpg)
Compromising Reflections
Typical office: monitor faces away from window
Screen is reflected in surrounding objects
• Teapots, eyeglasses, bottles, etc.
Use a commodity telescope to capture reflection from a distance (up to 30 meters)
Image-processing techniques (deconvolution) to improve the quality of captured reflections
slide 14
[Backes et al.]
![Page 15: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/15.jpg)
Experimental Setup
slide 15
[Backes et al.]
![Page 16: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/16.jpg)
Teapots
From 5 meters
From 10 meters
slide 16
[Backes et al.]
![Page 17: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/17.jpg)
Eyeglasses
slide 17
[Backes et al.]
![Page 18: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/18.jpg)
Spoon
slide 18
[Backes et al.]
![Page 19: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/19.jpg)
Plastic Bottle
slide 19
[Backes et al.]
![Page 20: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/20.jpg)
With Better Equipment …
Celestron C9.25 Schmidt-Cassegrain telescope
• Street price: $2000
SBIG ST-10XME camera
• Street price: $6000
Image deconvolution techniques to reduce blur
• Out-of-focus blur
– Large focal lengths & apertures = very shallow depth of field
• Motion blur
• Diffraction blur
slide 20
![Page 21: Side-Channel Attacks: Acoustics and Reflectionsshmat/courses/cs361s/sidechannels.pdf · Frequency information in the sound of typed key can be used to learn which key it is •Observed](https://reader033.fdocuments.in/reader033/viewer/2022051915/6006adecbb850d4f0f5077ac/html5/thumbnails/21.jpg)
… Human Eyes Are Readable
slide 21
[Backes et al.]