
Acoustic Side Channel Attack on ATM Keypads

Vinayak Ranade, Jeremy Smith, Ben Switala

May 14, 2009

Contents

1 Introduction and Problem Statement
2 Goals
3 Frequency Analysis
4 Triangulation
  4.1 Experiment Setup
  4.2 Strategy
  4.3 Reference in Time
5 Peak Detection
  5.1 Waveform Chopping
  5.2 Pseudolocal-max Detection
  5.3 Improvements
6 Results
  6.1 Frequency Analysis
  6.2 Triangulation
7 Contributions and Discussion
8 Acknowledgements

1 Introduction and Problem Statement

Audio emanated by a device serves as a potential vulnerability for side channel attacks. This is not unexpected, as there are documented acoustic attacks against computers [2]. That paper and others like it rely on the simple fact that computers make noise: the CPU fan whirs, the hard drive grinds, and the keyboard clicks. In this project, we aimed to extend this rationale from computers to other devices. In particular, we set out to build, in an affordable way, a system that can determine what is being typed on an ATM keypad.

Our work is based on two basic premises. First, each key makes a different sound, and intelligent software can consistently distinguish between these sounds. Second, each key has a distinct location on the keypad, and by triangulating with two microphones, a smart program can tell which key was pressed. We examined both attacks in our project and were able to achieve some great results. With the triangulation method, we were able to distinguish between 4 keys with 87.5% accuracy.

Our project's implications are substantial. In general, security depends on a user's password being known only to that user, and an ATM's security depends on the content entered being confidential. If keys can be distinguished merely by listening, an attacker can unexpectedly steal PINs and other secure information entered at an ATM (e.g. what type of account is linked to a debit card, how much money is being withdrawn, etc.). Of course, the actual ATM card is also required in order for the PIN number to be useful at an ATM; however, these days the same PIN numbers are often also used in online banking.

Further, the fact that this project was achieved with relatively inexpensive resources (a few modern laptops and inexpensive microphones) highlights the danger of this vulnerability; imagine the accuracy of a system made with more sophisticated technology and more development time. A possible result of this project is to alert banks to this vulnerability and encourage them to take precautions. Alternatively, it opens the possibility of producing a marketable device that could interfere with ATM keypad noise.

2 Goals

We set out with the following goals:

1. Analyze the feasibility of identifying keys using naive frequency analysis
2. Analyze the feasibility of identifying keys using naive triangulation
3. Determine whether it is possible to use one or both of these methods in a practical setting
4. Do all our experiments using a low budget, and only with home-brewed software

We used the following checkpoints in order to reach our goals:

1. Gather audio data for frequency analysis
2. Implement a naive frequency comparator
3. Gather audio data for triangulation
4. Implement a naive triangulation routine
5. Gather samples of unknown key sequences
6. Compare the efficiency of frequency analysis and triangulation
7. Choose whichever method performed better and try to increase its accuracy

3 Frequency Analysis

Choosing good, relevant features of keystroke data is critical to differentiating between keys. Such features should be consistent for individual keystrokes; the feature should appear each time a given key is pressed. Such features should also be unique; they should vary from key to key. Extensive previous work shows that the best features for speech or speaker recognition are in the frequency domain, not the time domain [1]. Intuitively, the differences between frequency responses of different keypresses come from the physical location of keys on the keyboard. Like a drum, different locations on the keyboard resonate at different frequencies. These graphs show how different keys look practically the same in the time domain, but quite different in the frequency domain.

Figure 1: Time and Frequency representations of sound data from pressing Keys "1" (left) and "3" (right).

Looking at the frequency responses of various keys confirmed that the desired features were best found in the frequency domain. Thus, the plan was to Fourier transform clips of individual keypresses, and then compare those Fourier-transformed signals to each other.

The question, then, is how to compare frequency responses of different keys. As shown in their paper, Agrawal and Asonov used a neural net to black box this comparison. We chose, however, to directly compare the frequency responses, and we tried a variety of ways to compare signals.

• Sum of squared differences. Given two arrays of FFT'd keystrokes, the difference of each corresponding FFT value was squared and added to a cumulative sum. Lower sums meant a better match.

• Peak alignment. Given two arrays and one of various peak detection schemes, the arrays would be aligned at the peaks, and then sum of squared differences was performed. The goal here was to minimize needless error resulting from skew.

• Sliding. One array was slid over the other array, and for each slide the sum of squared differences was taken.

• Windowing. The arrays were divided into windows, and each window was slid over its corresponding window, again taking sum of squared differences at the end.

• Convolution. The two arrays were convolved, and the index of the maximum value was then used as an offset to find where the two arrays best lined up. This is nearly a repeat of the peak alignment method, but with greater mathematical basis for believing that this method results in a logical comparison of signals.

The compare method was then used to compare unknown keypresses to our known training
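
The comparison methods listed in Section 3 can be illustrated on toy data. The following is an added example, not the authors' code: it implements sum of squared differences, the sliding variant, and an offset search by cross-correlation (convolution with one array reversed) over constructed 16-bin magnitude spectra, and shows how a two-bin skew makes unaligned comparison pick the wrong template. All function names and sample values are assumptions made for the illustration.

```python
# Added illustration: all spectra below are constructed, not measurements from the paper.

def spectrum(peaks, n=16):
    """Build an n-bin magnitude spectrum from a {bin: magnitude} mapping."""
    s = [0.0] * n
    for i, v in peaks.items():
        s[i] = v
    return s

def ssd(a, b):
    """Sum of squared differences; a lower sum means a better match."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def shift(a, k):
    """Shift a right by k bins (left if k < 0), zero-filling the gap."""
    n = len(a)
    return [a[i - k] if 0 <= i - k < n else 0.0 for i in range(n)]

def sliding_ssd(template, probe, max_shift):
    """Slide probe over template; return (lowest SSD, shift that gave it)."""
    return min((ssd(template, shift(probe, k)), k)
               for k in range(-max_shift, max_shift + 1))

def xcorr_offset(template, probe, max_shift):
    """Shift of probe that maximizes its cross-correlation with template."""
    def score(k):
        return sum(x * y for x, y in zip(template, shift(probe, k)))
    return max(range(-max_shift, max_shift + 1), key=score)

def classify(probe, templates, max_shift=0):
    """Label of the template with the lowest SSD (max_shift=0 means no sliding)."""
    return min(templates,
               key=lambda label: sliding_ssd(templates[label], probe, max_shift)[0])

# Constructed templates: the two labels differ in shape, not only in position.
TEMPLATES = {
    "1": spectrum({3: 0.5, 4: 1.0, 5: 0.5}),
    "3": spectrum({6: 0.5, 7: 1.0, 8: 0.5, 11: 0.6}),
}
# Constructed probe: template "1" skewed upward by two bins.
UNKNOWN = spectrum({5: 0.5, 6: 1.0, 7: 0.5})

if __name__ == "__main__":
    print("plain SSD picks:  ", classify(UNKNOWN, TEMPLATES, max_shift=0))
    print("sliding SSD picks:", classify(UNKNOWN, TEMPLATES, max_shift=2))
    print("xcorr offset:     ", xcorr_offset(TEMPLATES["1"], UNKNOWN, 3))
```

Sliding only helps when the templates differ in shape; two spectra that differ purely by position become indistinguishable once arbitrary shifts are allowed.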



MIT 6 857 - Acoustic Side Channel Attack on ATM Keypads
