openssh unix dev - Aug 2023 - Packet Timing and Data Leaks

On Mon, 7 Aug 2023, Chris Rapier wrote:
> Sorry for top posting but I'm on my phone. My colleague just sent me
> this. https://www.theregister.com/2023/08/07/audio_keystroke_security/
> I don't know how relevant this is as of yet but based on a quick
> reading it seems related.?
AFAIK using audio is a much easier target, as each key probably has
some acoustically-unique signal to define it in addition to the
inter-keystroke timing signal.

The linked paper says 5.7 bits of password entropy can be recovered by timing
data; while the brute-force time will have changed in 22 years, this number
should still be valid.

An easy workaround is to use a password manager (a plain file as a minimum) and
to copy/paste passwords in - though that might violate other security
preferences.

On 8/7/23 10:14 PM, Damien Miller wrote:
> On Mon, 7 Aug 2023, Chris Rapier wrote:
> 
>> Sorry for top posting but I'm on my phone. My colleague just sent
me
>> this. https://www.theregister.com/2023/08/07/audio_keystroke_security/
>> I don't know how relevant this is as of yet but based on a quick
>> reading it seems related.
> 
> AFAIK using audio is a much easier target, as each key probably has
> some acoustically-unique signal to define it in addition to the
> inter-keystroke timing signal.
I still have to read through the paper in more detail (reading a PDF on 
my phone was less than optimal) to get more detail on how they did it. 
It could be acoustic signals based on minute variations in each key. On 
my cursory read it seemed like a lot of Deep Learning special sauce 
thrown on top without enough details to really know what they were 
really doing.

I might just write the authors and see what they have to say.

Chris