Differential audio analysis: a new side-channel attack on PIN pads

  • Regular Contribution
  • International Journal of Information Security

Abstract

This paper introduces a low-cost side-channel attack that identifies the pressed key of tamper-proof mechanical keypads by exploiting the sound that emanates from the pressed key. Classical sound-based attacks usually identify the pressed key using the fact that each key emits a characteristic sound. These techniques use, for example, the frequency spectrum to identify the key. Instead, our attack (named DAA—differential audio analysis) analyzes the differential characteristics of the sounds captured by two microphones placed inside the empty space of the device, expressed as the transfer function between the two signals. We applied our attack to four PIN entry devices—also known as PIN pads. Our technique correctly recognized all 1200 keystrokes of two independently tested devices of the same model, a classification rate of 100%. We also attacked the same PIN pads using the classical frequency spectrum technique, obtaining an average classification rate of only 78%. This result clearly shows the superiority of the new technique. Our attack was also successful against a second model from another manufacturer, with a classification rate of 99.8%. However, some PIN pads do not emit sufficiently audible sound when a key is pressed. Evidently, these devices cannot be attacked by analyzing audio emission. We applied our DAA attack to a device of this kind and obtained a classification success of only 63%. This result shows that some models are quite vulnerable to our attack and others are not as vulnerable. Finally, we present design suggestions to mitigate the vulnerabilities that make our attack possible. These vulnerabilities are present in many certified PIN pad models currently available on the worldwide market.


Notes

  1. EMV stands for Europay, MasterCard and Visa, the original developers of the platform that promotes hardware and software standards for electronic payments using smartcards.

  2. PCI-PTS-POI stands for Payment Card Industry - PIN Transaction Security - Point of Interaction, a set of requirements specific for PIN entry devices, proposed by the PCI. Device compliance can be consulted at https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php.

  3. The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. http://www.commoncriteriaportal.org.

  4. https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-20142.

  5. Most PIN pads can be configured to emit a feedback “beep” when a key is pressed. This sound can be easily identified and removed from the signal, because it begins only after the “click” finishes. If the “beep” sound interferes with the attack (which is unlikely), then this sound can be turned off by the sales clerk (who is supposedly collaborating with the attacker).

  6. The audio level was measured through the iPhone application “Decibel 10th” https://itunes.apple.com/br/app/decibel-10th-professional/id448155923?mt=8.

  7. https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-10173.

  8. https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-20112.

  9. “There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring–even with the cooperation of the device operator or sales clerk–without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation, as defined in Appendix B.” [22, p. 20].

References

  1. FICO Reports a 70 Percent Rise in Debit Cards Compromised at U.S. ATMs and Merchants in 2016 (2017), http://www.fico.com/en/newsroom/fico-reports-a-70-percent-rise-in-debit-cards-compromised-at-us-atms-and-merchants-in-2016-03-29-2017. Accessed 10 Nov 2017

  2. How the Shift to EMV Is Faring (So Far) (2016) http://www.americanbanker.com/gallery/how-the-shift-to-emv-is-faring-so-far-1080295-1.html. Accessed 3 Jan 2017

  3. Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 281–295 (2008)

  4. Asonov, D., Agrawal, R.: Keyboard acoustic emanations. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 3–11 (2004)

  5. Berger, Y., Wool, A., Yeredor, A.: Dictionary attacks using keyboard acoustic emanations. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 245–254 (2006)

  6. Zhuang, L., Zhou, F., Tygar, J.D.: Keyboard acoustic emanations revisited. ACM Trans. Inf. Syst. Secur. 13(1), 3 (2009)

  7. Halevi, T., Saxena, N.: A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques. In: Proceedings of ACM Symposium on Information, Computer and Communications Security, pp. 89–90 (2012)

  8. Zhu, T., Ma, Q., Zhang, S., Liu, Y.: Context-free attacks using keyboard acoustic emanations. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security, pp. 453–464 (2014)

  9. Backes, M., Dürmuth, M., Gerling, S., Pinkal, M., Sporleder, C.: Acoustic side-channel attacks on printers. In: Proceedings of USENIX Security Symposium, pp. 307–322 (2010)

  10. Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: Proceedings of International Cryptology Conference, pp. 444–461 (2014)

  11. Kuhn, M.G.: Compromising emanations: eavesdropping risks of computer displays. Ph.D. thesis, University of Cambridge (2002)

  12. Kuhn, M.G.: Compromising emanations of LCD TV sets. IEEE Trans. Electromagn. Compat. 55(3), 564–570 (2013)

  13. Marquardt, P., Verma, A., Carter, H., Traynor, P.: (Sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 551–562 (2011)

  14. Faria, G.S., Kim, H.Y.: Identification of pressed keys from mechanical vibrations. IEEE Trans. Inf. Forensics Secur. 8(7), 1221–1229 (2013)

  15. Faria, G.S., Kim, H.Y.: Identification of pressed keys by time difference of arrivals of mechanical vibrations. Comput. Secur. 57, 93–105 (2016)

  16. Havelock, D., Kuwano, S., Vorländer, M.: Handbook of Signal Processing in Acoustics, vol. 2. Springer, Berlin (2008)

  17. Faria, G.S., Kim, H.Y.: Identification of pressed keys by acoustic transfer function. In: Proceedings of IEEE International Conference on Systems, Man, and Cybernetics, pp. 240–245 (2015)

  18. Havelock, D., Kuwano, S., Vorländer, M.: Handbook of Signal Processing in Acoustics, vol. 1. Springer, Berlin (2008)

  19. Kay, S.M.: Modern Spectral Estimation. Pearson, New York (1988)

  20. Stoica, P., Moses, R.L.: Spectral Analysis of Signals. Pearson Prentice Hall, New York (2005)

  21. Krebs On Security—Pro-Grade Point-of-Sale Skimmer (2013). http://krebsonsecurity.com/2013/02/pro-grade-point-of-sale-skimmer. Accessed 5 Mar 2013

  22. Payment Card Industry—Security Standards Council LLC, PIN Transaction Security (PTS) Point of Interaction (POI) Modular Derived Test Requirements v5.0 (2016). https://www.pcisecuritystandards.org/pci_security/dtr (registration required). Accessed 9 Nov 2017

Author information

Corresponding author

Correspondence to Gerson de Souza Faria.

A Audio segmentation

We segmented the captured audio files by (i) finding the N highest peaks of \(\sqrt{l^2(t)+r^2(t)}\) that are separated by at least 200 ms, where N is the number of keystrokes in the audio file, and l(t) and r(t) are, respectively, the audio signals of the left and right channels; and (ii) taking 4096 sample points around each peak, with 20% of the samples before the peak position and 80% after it. We used this simple approach because audio segmentation is not the main focus of this work. Other techniques can be applied.
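The segmentation procedure described above, written out as an added example (not the authors' code) for anyone reproducing the preprocessing in a lab evaluation of a device's acoustic emanations. The 44.1 kHz sample rate, the greedy loudest-first reading of "N highest peaks", the clamping at file edges, and the constructed test signal are all assumptions of this sketch.

```python
import math
import random

def segment_keystrokes(left, right, n_keys, fs, window=4096,
                       min_sep_s=0.2, pre_frac=0.2):
    """Return one (start, end) sample range per keystroke, in time order."""
    if n_keys < 1 or len(left) != len(right) or len(left) < window:
        raise ValueError("need n_keys >= 1 and equal channels of >= window samples")
    # Combined stereo magnitude sqrt(l^2 + r^2) for every sample.
    mag = [math.hypot(l, r) for l, r in zip(left, right)]
    min_sep = int(min_sep_s * fs)
    peaks = []
    # Greedy pick: walk samples from loudest to quietest, keeping a sample
    # only if it lies at least min_sep away from every peak already kept.
    for i in sorted(range(len(mag)), key=mag.__getitem__, reverse=True):
        if all(abs(i - p) >= min_sep for p in peaks):
            peaks.append(i)
            if len(peaks) == n_keys:
                break
    if len(peaks) < n_keys:
        raise ValueError("recording too short for n_keys separated peaks")
    pre = int(pre_frac * window)          # 20% of the window before the peak
    ranges = []
    for p in sorted(peaks):
        # Clamp so a peak near either end still yields a full window.
        start = min(max(p - pre, 0), len(mag) - window)
        ranges.append((start, start + window))
    return ranges

def make_demo(fs=44100, click_at=(10000, 30000, 52000), length=66150):
    """Constructed test signal: decaying 3 kHz bursts over faint noise."""
    rng = random.Random(0)
    left = [rng.uniform(-0.002, 0.002) for _ in range(length)]
    right = [rng.uniform(-0.002, 0.002) for _ in range(length)]
    for k, pos in enumerate(click_at):
        for n in range(1000):
            s = math.exp(-n / 100) * math.cos(2 * math.pi * 3000 * n / fs)
            left[pos + n] += (0.9 - 0.2 * k) * s   # channels differ per key
            right[pos + n] += (0.5 + 0.2 * k) * s
    return left, right

if __name__ == "__main__":
    l, r = make_demo()
    for start, end in segment_keystrokes(l, r, n_keys=3, fs=44100):
        print(f"keystroke window: samples {start}..{end - 1}")
```

With a 4096-sample window the split is 819 samples before the peak and 3277 from the peak onward.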

Cite this article

de Souza Faria, G., Kim, H.Y. Differential audio analysis: a new side-channel attack on PIN pads. Int. J. Inf. Secur. 18, 73–84 (2019). https://doi.org/10.1007/s10207-018-0403-7

  • DOI: https://doi.org/10.1007/s10207-018-0403-7
