Side Channel Attacks: Vibrations
Summary
Inspired by DARPA's LADS program, this was an independent study project researching side channel attacks.
Slides from presentation here.
Complexity
A typical mobile device has a sampling rate of about 100Hz. Recording the keystroke vibrations looks like the figure below:
I had set up to record audio from the device mic on a seperate thread at 16kHz. It shows just how much is being missed in the first few moments. There are several distinct phases of a single keystroke
Just about all previous papers that I have read on exploiting accelerometer data uses the "dictionary style" guessing where a large sample set for keystrokes has been created. I've tried some unsupervised learning techniques using that approach with pretty limited success. Mobile devices currently only have a sampling rate of 100Hz, which isn't amazing, producing a pretty noisy signal. Not to mention, keys are pressed at varying magnitudes producing a pretty tremendous range of responses. Reading about Hertzian Impact Theory, the collisions of two bodies seem to be notoriously difficult to model. A finger striking a mechanical keyboard making multiple points of contact with a table produces vibrations I sometimes think are rather arbitrary. Even the position of the keyboard on the table changes things; laying dead center as opposed to right above a leg. Additionally, I haven't been able to find any previous work on how to deal with the problem of reasonance; it might have just been one step outside of scope because its another hurdle. Typing at any reasonable pace creates reasonant vibrations making the signals appear even more indistinguishable.
In taking an unsupervised learning approach, I found that the mean frequencies of a signal in addition to its variance is a fairly good indicator.
For three classes, keys: {A,G,L} roughly evenly spaced, a linear Support Vector Machine performed quite well:
Looking at the spectrum of a few keys shows a general profile among the keysrokes - clearly a keystroke vibration dampens as the signal travels. So this can fundamentally be used to determine one dimension of the keystroke origin.
In taking the averages of each key, the Fourier Transform shows that they are discernable.
Adding additional keys, the classes were less seperable and the predictive capability was poor:
