Gautam is the Chief Technology Officer of Hazari secura.id and an expert in mobile identities. He holds multiple technology patents and is skilled in playing 11 musical instruments.
Picture yourself at a café, savoring a meticulously brewed cup of coffee. Placing your laptop on the table, you glance around to ensure nobody is peeking over your shoulder. Then, you proceed to open your email client, enter your user ID and password, and begin reading your emails. Unbeknownst to you, someone a few tables away is covertly observing. Unconcerned, you later shut your laptop and focus on enjoying your coffee, oblivious to the covert activity occurring—fraudulent access to your email and unauthorized password resets for your banking and social media accounts are in motion. The security of your accounts is under attack.
How did this occur? It wasn’t due to someone infiltrating your laptop or intercepting your Wi-Fi connection. Remember the individual at the nearby table engrossed in their mobile phone? The microphone on their phone was clandestinely capturing the sound of your keystrokes, which were then transmitted to a sophisticated deep-learning model, revealing the password you entered.
This is a side-channel attack, an SCA, though not in the sense of strong customer authentication; rather, it is the antithesis. Specifically, it is an acoustic side-channel attack, as demonstrated by researchers in a 2023 paper titled “A Practical Deep learning-based acoustic side-channel keyboard attack,” published by Durham University, the University of Surrey, and Royal Holloway University of London.
A side-channel attack (SCA) occurs when signals leaking from a device are captured and analyzed to extract sensitive information. These signals can include electromagnetic emissions, power consumption, or sound waves. What makes side-channel attacks notable is that they require neither network connectivity to nor direct access to the target device. An acoustic SCA exploits the sound waves a device emits, such as the keystrokes in the scenario above.
The university research team recorded the sound of each of the 36 keys on a laptop (the digits zero through nine and the letters A to Z) over 25 keystrokes, varying the pressure, timing, and fingers used. They then isolated the individual keystrokes and applied further processing steps such as feature extraction and data augmentation. This dataset was used to train a deep-learning model, CoAtNet, which achieved a 95% accuracy rate in identifying key presses, and therefore in recovering typed passwords.
Moreover, this threat is not confined to physical proximity: the same attack works remotely, reaching 93% accuracy when the keystrokes were captured during a Zoom call. Furthermore, a malicious party can “eavesdrop” on passwords through an infected mobile application that has been granted access to the microphone.
It doesn’t end there—side-channel attacks are evolving to encompass IoTh (Internet of Thoughts), exploiting “brain signals” to steal passwords even while they are merely being thought about. How can we protect ourselves against this? How can we counter this threat?
One solution lies in giving up passwords altogether, since they carry an array of vulnerabilities that leave our data and identities inadequately protected. Instead, consider smartphones and, more precisely, their SIM cards. Mobile networks authenticate a subscriber by having the SIM compute a cryptographic response under a unique key that never leaves the card, verifying the user’s identity without any additional input from the user. Because nothing is typed, there is no keystroke for an acoustic side channel to capture, which makes this both more intuitive and more secure than many prevalent authentication methods.
This SIM-based authentication method has been in use in mobile networks for three decades and could replace passwords, which have repeatedly proved insufficient in safeguarding our data and identities. Additionally, SIM technology is inherently inclusive, extending the same level of security across diverse devices, from high-end, premium smartphones to more modest, affordable ones.
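To make the mechanism concrete, here is an added illustration of shared-key challenge-response authentication of the kind described above. It is not code from this article or from Hazari secura.id, and it is deliberately simplified: real mobile-network authentication uses the 3GPP algorithm suites with the subscriber key Ki stored in the SIM, whereas this model stands in HMAC-SHA256 for the SIM's response function. The class and function names (`Sim`, `AuthServer`, `run_scenarios`) and the subscriber identifier are assumptions made for the example. The point it demonstrates is the one the text makes: the user types nothing, the secret never leaves the card, and a captured response is useless for replay because every challenge is fresh.

```python
"""Simplified model of SIM-style challenge-response authentication.

Added example (not from the article). HMAC-SHA256 stands in for the
SIM's real 3GPP response algorithm; the structure (fresh random
challenge, secret key confined to the card, server-side comparison)
is what matters here.
"""
import hashlib
import hmac
import secrets


class Sim:
    """Holds one subscriber's secret key and only ever answers challenges."""

    def __init__(self, subscriber_id: str, key: bytes) -> None:
        self.subscriber_id = subscriber_id
        self._key = key  # never exported; the card only computes responses

    def respond(self, challenge: bytes) -> bytes:
        # Response = MAC over the network's fresh challenge under the SIM key.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Network side: knows each subscriber's key and issues fresh challenges."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._outstanding: dict[str, bytes] = {}

    def enroll(self, subscriber_id: str, key: bytes) -> None:
        self._keys[subscriber_id] = key

    def challenge(self, subscriber_id: str) -> bytes:
        # 16 random bytes: a new challenge for every authentication attempt.
        nonce = secrets.token_bytes(16)
        self._outstanding[subscriber_id] = nonce
        return nonce

    def verify(self, subscriber_id: str, response: bytes) -> bool:
        # A challenge is consumed on first use, so a response can never be reused.
        nonce = self._outstanding.pop(subscriber_id, None)
        key = self._keys.get(subscriber_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids a timing side channel on the server.
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict[str, bool]:
    """Genuine login, a replayed response, and a card with the wrong key."""
    key = secrets.token_bytes(32)  # constructed subscriber key for the example
    sim = Sim("sub-001", key)
    server = AuthServer()
    server.enroll("sub-001", key)

    # 1. Genuine authentication: no password, nothing typed.
    c1 = server.challenge("sub-001")
    r1 = sim.respond(c1)
    genuine = server.verify("sub-001", r1)

    # 2. Replay: an eavesdropper who captured r1 resends it against a new challenge.
    server.challenge("sub-001")
    replay = server.verify("sub-001", r1)

    # 3. Wrong key: a card that does not hold the enrolled secret.
    impostor = Sim("sub-001", secrets.token_bytes(32))
    c3 = server.challenge("sub-001")
    wrong_key = server.verify("sub-001", impostor.respond(c3))

    return {"genuine": genuine, "replay": replay, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(run_scenarios())
```

Running it reports the genuine exchange as accepted and both the replayed response and the wrong-key response as rejected. Contrast this with the café scenario: the only data that crosses the air is a one-time challenge and its response, and learning both tells an observer nothing about the key.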
I urge you to contribute to the transition to a passwordless world. Let us capitalize on the formidable security capabilities of SIM technology to foster a safer digital realm.