Date: 2023-11-20

Gautam is the CTO of Hazari secura.id and a mobile identity guru. He holds several technology patents and plays 11 musical instruments.

Imagine that you are sitting in a café and drinking coffee expertly prepared by the barista. Putting your laptop on the table in front of you, you open the screen and look around to see if anyone is “shoulder surfing.” Then, you open your email client, type your user ID and password on the keyboard and start reading your email. You didn’t notice someone a few tables behind you looking at their phone. Why would you care? A few minutes later, you turn off your screen and focus your attention on your coffee; after all, you don’t want it to go cold. But while you’re enjoying a sip, something is happening: someone is accessing your email and initiating password resets for your bank and social media accounts. An account takeover is underway.

How did this happen? No, it wasn’t someone accessing your laptop or looking at your Wi-Fi connection. Do you remember the guy a few tables back looking at his phone? The microphone on that person’s phone was “listening” to your keyboard keystrokes and transmitting those sounds to a trained deep-learning model, which revealed the password you typed.

This is an SCA. No, this is not strong customer authentication; it’s actually the opposite. This is a side-channel attack – specifically, an acoustic side-channel attack, as researchers at Durham University, the University of Surrey and Royal Holloway University of London identified in a 2023 paper titled “A Practical Deep Learning-Based Acoustic Side Channel Keyboard Attack.”

A side-channel attack occurs when signals emitted by a device are collected and interpreted to extract secrets. Signals can range from electromagnetic waves or power consumption to sound waves. The interesting thing about side-channel attacks is that they do not require connectivity or direct access to a device. An acoustic SCA uses sound waves from a device – in the above case, the sound of keystrokes on a keyboard.

The researchers at the universities mentioned above recorded the sounds of a laptop’s 36 keys (numbers zero to nine and letters “A” to “Z”) by pressing each key with different pressures and at different times. The pressing was done 25 times, using fingers. The recordings were then used to extract and isolate individual keystrokes. After some additional feature extraction and data augmentation, the data was used to train a deep-learning model, CoAtNet. The result was 95% accuracy in identifying key presses and extracting passwords.

It doesn’t stop there – that person doesn’t have to sit a few tables behind you in that café. The same attack can also be carried out remotely by eavesdropping on a Zoom call with 93% accuracy. And “listening to passwords” can also be done through our own mobile phone through an infected application with access to the microphone.

It goes even further. With IoTh – the “Internet of Thoughts” – the signals used in side-channel attacks can also include “brain signals.” Even just thinking the password allows attackers to steal it!

How do we protect ourselves? How do we solve this? One answer is to stop using passwords, which clearly have many vulnerabilities that fail to protect us and our data.

Let’s take a closer look at our smartphones – specifically, their SIM cards – for a solution. Mobile networks use cryptographic signatures produced by the SIM with a unique key to authenticate the user’s identity without asking the user for any additional information, making this more intuitive and secure than many other authentication methods.
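
The challenge-response idea described above, sketched as an added example that is not the author's or any operator's code: the network sends a fresh random challenge, the SIM answers with a keyed digest, and nothing typed or reusable crosses the channel. HMAC-SHA256 stands in for the SIM's real algorithm, and the `Sim` and `Network` classes, the test IMSI and the 16-byte sizes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Sim:
    """Subscriber side: the key stays inside this object and is never sent."""

    def __init__(self, imsi: str, key: bytes):
        self.imsi = imsi
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 is a stand-in for the operator's SIM algorithm (assumption).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Network:
    """Operator side: holds each subscriber key and issues one-time challenges."""

    def __init__(self):
        self._keys = {}      # imsi -> shared secret key
        self._pending = {}   # imsi -> outstanding challenge

    def provision(self, imsi: str) -> Sim:
        key = secrets.token_bytes(16)
        self._keys[imsi] = key
        return Sim(imsi, key)

    def challenge(self, imsi: str) -> bytes:
        self._pending[imsi] = secrets.token_bytes(16)
        return self._pending[imsi]

    def verify(self, imsi: str, response: bytes) -> bool:
        rand = self._pending.pop(imsi, None)  # single use, so a replay finds nothing
        key = self._keys.get(imsi)
        if rand is None or key is None:
            return False
        expected = hmac.new(key, rand, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    net = Network()
    sim = net.provision("001010000000001")   # constructed test IMSI
    captured = sim.respond(net.challenge(sim.imsi))  # all an eavesdropper could record
    first = net.verify(sim.imsi, captured)
    replay = net.verify(sim.imsi, captured)          # challenge already consumed
    net.challenge(sim.imsi)                          # a later login gets a new challenge
    stale = net.verify(sim.imsi, captured)           # old response no longer matches
    return {"first": first, "replay": replay, "stale": stale}
```

A response recorded from one login is useless for the next one, which is the property a typed password lacks.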

This SIM-based authentication method has been in use by mobile networks for the past three decades and may go on to be used to replace passwords, which have time and again failed to protect our data and identities. Plus, SIM is a highly inclusive technology that provides the same level of security and protection no matter what device the user is using – from high-end, expensive smartphones to simpler, more affordable devices.

I urge you to help make the world passwordless. Let’s harness the security superpower of SIM to make the digital world a safer place.

