Skyping and Typing? Hackers Could Steal Your Keystrokes


The popular video messaging service Skype can be used to record keystrokes, researchers have revealed. The report shared that an attacker can record acoustic emanations of a target's keystrokes, and then reconstruct the text of what was typed. All of that by listening over a VoIP connection.

Hackers could eavesdrop your passwords during Skype calls

The comprehensive report from the University of California Irvine and two Italian universities reveals that an attacker can record the keystrokes during a Skype call and then assemble it as text thanks to acoustic emanations. This is all done without hackers having to control your PC, and simply based on keyboard sounds.

Acoustic emanations of keyboards have already proved to be a privacy issue. However, earlier research focused on an attacker's physical proximity to the victim, profiling victim's typing style. The latest report raises more concerns where a criminal can simply eavesdrop over VoIP to steal keystrokes that a user is typing while using Skype audio.

"Skype is used by a huge number of people worldwide," Gene Tsudik of the UCI said. "We have shown that during a Skype video or audio conference, your keystrokes are subject to recording and analysis by your call partners. They can learn exactly what you type, including confidential information such as passwords and other very personal stuff."

"It’s possible to build a profile of the acoustic emanation generated by each key on a given keyboard. For example, the T on a MacBook Pro ‘sounds’ different from the same letter on another manufacturer’s product. It also sounds different from the R on the same keyboard, which is right next to T," Tsudik added.

While on the Skype calls, we often do several other things, including entering passwords, sending emails, taking notes, and more. Mostly, we are engaged in these calls with our friends and families. However, Skype is largely used in business communications, where we don't necessarily trust the other party. From employee interviews to prospective business clients, there could be several scenarios when someone can engage a victim with the purpose of possibly getting the password.

Researchers warned that this type of attack would reduce the amount of effort an attacker needs to get a target's password as compared to a typical brute-force attack.

The report clarified that keyboards on touch screens aren’t vulnerable to this kind of attack. "Our work is yet another nail in the coffin of traditional physical keyboards that are common in modern laptop and desktop computers. It clearly shows previously unnoticed privacy dangers of using popular VoIP technologies in conjunction with such keyboards," Tsudik added.

Source (PDF)