'Skype & Type' Attack Shows Feasibility Of Acoustic Eavesdropping In VoIP Calls

Security researchers from the University of California, Irvine; the Sapienza University of Rome; and the University of Padua were able to reconstruct the sound of keystrokes as text from Skype voice and video calls. Malicious eavesdroppers could use this method to intercept sensitive and personal information of Skype users.

Acoustic Eavesdropping

Over the past few years, there has been more research into how keystroke sounds could be converted into the text that the surveillance target wrote at the time of the recording. However, those previously demonstrated attacks were not especially practical in the real world, according to the researchers of the current study.

In the previous studies, the attackers would need to be in close proximity to the target. They also needed to have precise profiling of the victim’s typing style and keyboard, as well as a significant amount of the victim’s typed information and its corresponding sounds.

Skype & Type

The researchers developed a new type of practical keyboard acoustic eavesdropping attack, which they called “Skype & Type” (S&T). The idea behind this research was that many people do other activities, such as typing on their keyboards, during VoIP (Voice-over-IP) calls.

According to the researchers’ paper, VoIP software can acquire acoustic emanations of pressed keystrokes and then transmit them to others in the call. Normally, this wouldn’t be an issue if you trust the person on the other side of the line, but calls can be intercepted, and the eavesdropper could be capturing the VoIP users’ keystrokes.

An attacker could capture keystrokes this way with an accuracy of 41.89% if there is absolutely no knowledge of the keyboard being used or of the target’s typing style. However, the accuracy goes up to 91.7% if there is some knowledge about the keyboard used and the user’s typing behavior. The researchers also noted that the “Skype & Type” attack is resilient against various bandwidth issues, confirming the feasibility of the attack.

Future Research

The researchers tested the attack only on a few laptops so far, which they thought would be a representative sample. Skype is also likely the most often used VoIP application on the desktop, so it made sense to test that application first. However, in the future, the researchers plan to use more laptop models to verify whether this attack can work well enough across all laptops.

They also plan to test other applications such as Google’s Hangouts, and also create countermeasures to the attack they've already developed, so Microsoft, Google, and other companies can protect their users from this type of eavesdropping.

This thread is closed for comments
  • targetdrone
    So now there is a security concern that can be used to ban blue switches, other loud keyboards and speaker phones from the office.

  • cats_Paw
    Skype uses resources from your PC when it's idle so no point in even keeping it on unless you are using it.
    But yeah, some of this crap is starting to look scary.
  • targetdrone
    151198 said:
    Skype uses resources from your PC when it's idle so no point in even keeping it on unless you are using it. But yeah, some of this crap is starting to look scary.

    If I'm understanding this "Eavesdropping attack" correctly, the only thing scary about this is the sensationalized media reporting it. Use a voice canceling MICROPHONE and turn the volume just high enough so only YOUR voice is heard, then there is no way for Skype (or anything else) to drop eaves on you.

    I remember years ago, before LCDs became mainstream, there were similar concerns of being able to reproduce the image on a CRT monitor by the EM radiation it gave off, and it was suggested to put the CRT monitor in a Faraday cage. Of course, the fact that in order to do that the person dropping eaves had to be sitting next to you or in the cube directly next to yours.