Timing Attacks on PIN Input in VoIP Networks (Short Paper)

  • Ge Zhang
  • Simone Fischer-Hübner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


To access automated voice services, Voice over IP (VoIP) users sometimes are required to provide their Personal Identification Numbers (PIN) for authentication. Therefore when they enter PINs, their user-agents generate packets for each key pressed and send them immediately over the networks. This paper shows that a malicious intermediary can recover the inter-keystroke time delay for each PIN input even if the standard encryption mechanism has been applied. The inter-keystroke delay can leak information of what has been typed: Our experiments show that the average search space of a brute force attack on PIN can be reduced by around 80%.


Hide Markov Model Packet Loss Timing Attack Interactive Voice Response Brute Force Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Automated Telephone Payments. visited at 15th-Nov-2010,
  2. 2.
    TCPDump. visited at 20th-July-2010,
  3. 3.
    X-Lite. visited at 18th-July-2010,
  4. 4.
    Baugher, M., McGrew, D., Naslund, M., Carrara, E., Norrman, K.: The Secure Real-time Transport Protocol (SRTP). RFC 3711 (2004)Google Scholar
  5. 5.
    Hogye, M.A., Hughes, C.T., Sarfaty, J.M., Wolf, J.D.: Analysis of the feasibility of keystroke timing attacks over ssh connections, technical report (2001)Google Scholar
  6. 6.
    Foo Kune, D., Kim, Y.: Timing attacks on pin input devices. In: Proceedings of CCS 2010, USA, pp. 678–680. ACM Press, New York (2010)Google Scholar
  7. 7.
    Rabiner, L.R.: Readings in speech recognition. In: Chapter A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition, pp. 267–296. Morgan Kaufmann Publishers Inc., San Francisco (1990)Google Scholar
  8. 8.
    Reynolds, R.J.B., Rix, A.W.: Quality voip: An engineering challenge. BT Technology Journal 19, 23–32 (2001)CrossRefGoogle Scholar
  9. 9.
    Schulzrinne, H., Casner, S., Frederick, R., Jacobson, V.: RTP: A transport protocol for real-time applications. RFC 3550 (2003)Google Scholar
  10. 10.
    Schulzrinne, H., Taylor, T.: RTP Payload for DTMF Digits, Telephony Tones, and Telephony Signals. RFC 4733 (2006)Google Scholar
  11. 11.
    Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on ssh. In: Proceedings of SSYM 2001. USENIX Association, Berkeley (2001)Google Scholar
  12. 12.
    International Telecommunication Union. Technical features of push-button telephone sets. ITU-T Recommendation Q.24 (1988)Google Scholar
  13. 13.
    Zhang, K., Wang, X.: Peeping tom in the neighborhood: keystroke eavesdropping on multi-user systems. In: Proceedings of SSYM 2009, Berkeley, CA, pp. 17–32. USENIX Association (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Ge Zhang
    • 1
  • Simone Fischer-Hübner
    • 1
  1. 1.Karlstad UniversitySweden

Personalised recommendations