Acoustics Emanation Tool

Mechanical PIN-Entry keypads such as the used in secure payment terminals, ATMs, keypad lock on door, etc; can be vulnerable to attacks based on differentiating the sound emanated by different keys. The sound of button clicks can differ slightly from key to key, although the sound of clicks sound very similar to the human hear. Several research studies have demonstrated that it is possible to recover the typed data from the acoustic emanations and has been a known source of concern and present a threat to user privacy; see the References section below.

Besides, keypad emanations are specifically tested in the PCI SSC PTS security-testing process required for the approval of secure payment terminals. The "Monitoring During PIN Entry" testing requirement, verifies that there is no feasible way to determine any entered PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring.

Precisely, these testing requirements lead me to develop the experimental Acoustic Emanations Tool as support to facilitate pre-compliance testing of secure payment terminals with mechanical keypad for PIN-Entry or other similar devices. Also, this development was motivated to introduce me to Deep Learning techniques. 
The tool has an interactive user interface using PyQt5 and has been tailored to facilitate the acquisition of training data. The implemented classification algorithms have been based on Udacity Capstone Project, which applies Deep Learning techniques for automatic environmental sound classification. The initial revision of the tool v0.1, uses Mel-Frequency Cepstral Coefficients (MFCC) for features extraction and a Multi-Layer Perceptrons (MLPs) neural network architecture for classification.    
The tool facilitates the acquisition of the key presses sounds for the training of the neural network and provides the results in the form of a confusion matrix, which will help to determine if the keypad would be vulnerable to eavesdropping and which specific keys may be more easily identifiable.


Tool Installation

The tool is a Python 3.7 application, so in case you have a Python enviroment, you can clone the project from https://github.com/EA4FRB/AcousticEmanations.git and run directly the script: AcousticEmanations.py, available in the src folder. You would need to install all necessary dependences available in requirements.txt file, if not previously installed.

An alternative for Windows OS is to use the provided installer available at https://github.com/EA4FRB/AcousticEmanations/releases. Note that the resulting installation uses a large amount of disk space (around 1.6GB), mainly due to the installation of Tensorflow engine. If you have Tensorflow and Python, you would prefer to launch the tool from Python directly.

Operation

To demonstrate the operation of the tool, I will use a device that it is not intended and not a concern for sensitive data entry, but it will be representative for the tested function. The device is the SARK-110-ULM antenna analyzer, which has nine mechanical buttons for user inputs. The buttons are implemented with metal dome switch technology that provide tactility and audible feedback or "snap", when pressed.
The training data capture must be performed in a quite environment and you should use a good microphone for capturing the audio. Be sure that you have properly configured the sound settings in your computer and perform some tests in advance using e.g. Audacity tool to verify the operation of the setup.  

The first step for starting the capture of training data for a specific device will be to select a folder for storing the data. Select menu <File> <Folder Select> and create or select the appropiate folder using the popup file dialog.  The tool will use this folder as a parent to store the following information:
  • .\wav: the audio files used for training
  • .\metadata: train_data.csv metadata file with the information of the audio files
  • .\saved_models:  features.csv file with the extracted features, and weights.best.basic_mlp.hdf5 saved model file
Now we can start with the recording of the audio samples for every key pressed. We will have to capture multiple training samples for each key. 
For this purpose we have to look at the "Record" group box. For each key, we must enter first a name to identify the key, e.g. 'key1'. The "Index" will be reset to zero everytime that a new key name is entered and will be increased automatically for every key recording. The index can be changed, e.g. in case you notice that the previous recording was not correct. The wav file name will comprise the key name and the index and this is shown in this group box.

For starting the recording of a single key press, press the "Record" button. The recording time will be three seconds and the progress will be shown in the progress bar below. You must press the key during this recording period. If the recording fails for whatever reason, decrease the index value and repeat the recording. 

At the completion of the recording of one key press, the file will be saved and the tool will show a chart with the time domain capture of the key press and a chart with the MFCC. The software automatically scales and trims the leading and trailing silences to focus on the key click. Repeat this process several times for every key and then for all the keys. In this particular example, I have captured 30 recordings for each key (a total of 270 recordings).

Note that you can examine a recorded file at any moment, from menu <File> <Load wave file>.

After completing the recording process, you can run the model to let the "magic" happen. Press the button "Run Model" and after some seconds you will see the results. Note that the results can change slightly if the model is executed several times, because random data is used for testing.


The most important output of the model is the confusion matrix; expressed in normalized form in this case.  The diagonal elements represent the number of points for which the predicted label is equal to the true label, while off-diagonal elements are those that are mislabeled by the classifier. The higher the diagonal values of the confusion matrix the better, indicating many correct predictions, which in turns means that the keypad sounds are not uniform and vulnerable to eavesdropping.
The results in this particular device show that the model will be able to predict key presses with an average accuracy of 80% and keys 8 and 9 can be predicted with a 100% accuracy. These results would disqualify this keypad to be used as a secure keypad.
Another functionality of the tool is to test one recording against the model. Press the "Test" button, select the wav file in the popup file dialog and the tool will show the message box shown below. In this example, I used one of the wav files used for training that classifies as key1 as expected.

Conclusion

This post entry presented the initial revision of the experimental, open source, accoustic emanation tool. This served me as an introduction to deep learning techniques and I expect that will be useful for the validation of keypads used for secure applications.

References

  1. Udacity Capstone Project, https://github.com/mikesmales/Udacity-ML-Capstone
  2. Dictionary Attacks Using Keyboard Acoustic Emanations, https://www.eng.tau.ac.il/~yash/p245-berger.pdf
  3. Keyboard Acoustic Emanations, https://rakesh.agrawal-family.com/papers/ssp04kba.pdf
  4. A Closer Look at Keyboard Acoustic Emanations: Random Passwords, Typing Styles and Decoding Techniques, https://eprint.iacr.org/2010/605.pdf

Comments

Post a Comment

Popular posts from this blog

Software arsenal for the HackRF One

Image
HackRF One , from Great Scott Gadgets, is a Software Defined Radio (SDR) capable of transmission or reception of radio signals from 1 MHz to 6 GHz, supporting sample rates up to 20 Msamples per second. This is a powerful tool for radio experimentation, it is cheap, and compared to cheap RTL SDR dongles, it has the capability of transmit. There are tons of information in the web about this device and SDR in general and I suggest to start with the wiki , but it is not that easy to identify what software would be the more adequate to the particular needs and the specific issues for installing on Windows platform. I expect that this post would help you on this. Note that you are responsible for using your HackRF One legally! Zadig The first step for using HackRF One on a Windows computer, will be installing the required USB drivers using Zadig application. Downlad Zadig (note that SDR# Community Installer already includes it) and follow the instructions below: (1) Connect th
Read more

Simple impedance meter project with STM32F4 Discovery board

Image
This post describes an experimental software-based impedance meter project that uses the STM32F4 Discovery board with very few additional components. The meter operates at a fixed exciting sinusoidal frequency of 59659 Hz, and it is capable to measure the impedance vector of a load, i.e. its resistance and reactance. A measurement is initiated by the user by pressing the blue button of the board and the readings are output to a terminal emulator program through the USB interface. The measurement principles are based on the article "An LMS Impedance Bridge – QEX Sept/Oct 2015" from Dr. George R. Steber. The project and source code is available at the following link . It is assumed that the reader has background in the STM32 environment. Overall operation The block diagram of the illustration below shows the basic building blocks of the meter. The capacitor and resistor in addition to the interconnection elements, are the only external components required. Howeve
Read more