Differential audio analysis: a new side-channel attack on PIN pads

Abstract

This paper introduces a low-cost side-channel attack that identifies the pressed key of tamper-proof mechanical keypads by exploiting the sound that emanates from the pressed key. Classical sound-based attacks usually identify the pressed key using the fact that each key emits a characteristic sound. These techniques use, for example, the frequency spectrum to identify the key. Instead, our attack (named DAA—differential audio analysis) analyzes the differential characteristics of the sounds captured by two microphones placed inside the empty space of the device, expressed as the transfer function between the two signals. We applied our attack to four PIN entry devices—also known as PIN pads. Our technique was able to correctly recognize all 1200 keystrokes of two independently tested equipments of the same model, generating a classification rate of 100%. We also attacked the same PIN pads using the classical frequency spectrum technique, obtaining the average classification rate of only 78%. This result shows clearly the superiority of the new technique. Our attack also successfully attacked a second model from another manufacturer, with classification rate of 99.8%. However, some PIN pads do not emit sufficiently audible sound when a key is pressed. Evidently, these devices cannot be attacked analyzing audio emission. We applied our DAA attack to a device of this kind and obtained only 63% of classification success. This result shows that there are models quite vulnerable and models not as vulnerable to our attack. Finally, we present design suggestions in order to mitigate the vulnerabilities that make our attack possible. These vulnerabilities are present in many certified PIN pad models available currently in the worldwide market.