International Journal of Information Security, Volume 18, Issue 1, pp 73–84

Differential audio analysis: a new side-channel attack on PIN pads

  • Gerson de Souza Faria
  • Hae Yong Kim
Regular Contribution

Abstract

This paper introduces a low-cost side-channel attack that identifies the pressed key of tamper-proof mechanical keypads by exploiting the sound that emanates from the pressed key. Classical sound-based attacks usually identify the pressed key using the fact that each key emits a characteristic sound. These techniques use, for example, the frequency spectrum to identify the key. Instead, our attack (named DAA, for differential audio analysis) analyzes the differential characteristics of the sounds captured by two microphones placed inside the empty space of the device, expressed as the transfer function between the two signals. We applied our attack to four PIN entry devices, also known as PIN pads. Our technique was able to correctly recognize all 1200 keystrokes of two independently tested devices of the same model, giving a classification rate of 100%. We also attacked the same PIN pads using the classical frequency spectrum technique, obtaining an average classification rate of only 78%. This result clearly shows the superiority of the new technique. Our attack also succeeded against a second model from another manufacturer, with a classification rate of 99.8%. However, some PIN pads do not emit sufficiently audible sound when a key is pressed. Evidently, these devices cannot be attacked by analyzing audio emission. We applied our DAA attack to a device of this kind and obtained a classification success rate of only 63%. This result shows that some models are quite vulnerable to our attack and others are not as vulnerable. Finally, we present design suggestions to mitigate the vulnerabilities that make our attack possible. These vulnerabilities are present in many certified PIN pad models currently available on the worldwide market.

Keywords

Information security; Side-channel attack; Acoustic emission; Transfer function; Smart card skimming; PCI; EMV; Pin entry device; Common criteria; PIN pad

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. Dept. Eng. Sistemas Eletrônicos, Escola Politécnica, USP, São Paulo, Brazil
