There are innumerable password hacking methods but recent advances in acoustic and accelerometer sensing have opened up the door to side-channel attacks, where passwords or other sensitive data can be extracted from the acoustic properties of the electronics and human interface to the device. A recent and dramatic example includes the hacking of RSA encryption simply by listening to the frequencies of sound a processor puts out when crunching the numbers.
Now there is a new long-distance hack on the scene. The Cerebrum system represents a recent innovation in side-channel password attacks leveraging acoustic signatures of mobile and other electronic devices to extract password data at stand-off distances.
Research scientists at cFREG provide a compelling demonstration of the Cerebrum prototype. It uses Password Frequency Sensing (PFS), where the acoustic signature of a password being entered into an electronic device is acquired, sent up to the cloud, passed through a proprietary deep learning algorithm, and decoded. Demonstrations and technical details are shown in the video below.
Many of these methods have been shown previously, as explained by MIT researcher T. M. Gil in his iconic paper,
“In recent years, much research has been devoted to the exploration of von Neumann machines; however, few have deployed the study of simulated annealing. In fact, few security experts would disagree with the investigation of online algorithms . STEEVE, our new system for game-theoretic modalities, is the solution to all of these challenges.”
To counter this argument, the researchers at cFREG have taken it to a much higher and far more accurate level.
The Cerebrum team began their work by prototyping systems to increase the range of their device. The first step was to characterize the acoustic analog front end and transducers with particular attention paid to the unorthodox acoustic focusing element:
The improvements are based on the ratio of Net Air-Sugar Boundaries (NASB) using off-the-shelf marshmallows. Temperature probing is integral for calibrating this performance, and with this success they moved on to field testing the long-range system.
Extending the Range
The prototype was tested by interfacing a magnetic loop antenna directly onto the Cerebrum through a coax-to-marshmallow transition. By walking the street with a low-profile loop antenna, numerous passwords were successfully detected and decoded.
War Driving with PFS
To maximize range, additional antenna aperture were added and mounted onto a mobile platform including a log periodic, an X-band parabolic dish, and a magnetic loop antenna to capture any and all low frequency data. In this configuration it was possible to collect vast quantities of passwords out to upwards of ½ of a mile from the vehicle resulting in a treasure trove of passwords.
Without much effort the maximum range and overall performance of the Cerebrum PFS was dramatically increased opening up a vast array of additional applications. This is an existing and troubling vulnerability. But the researchers have a recommended fix which implements meaningless calculations into mobile devices when processing user input. The erroneous sound created will be enough to fool the machine learning algorithms… for now.