SoK: Keylogging Side Channels

Abstract

The first keylogging side channel attack was discovered over 50 years ago when Bell Laboratory researchers noticed an electromagnetic spike emanating from a Bell 131-B2 teletype terminal. This spike, emitted upon each key press, enabled up to 75% of plaintext communications to be recovered in field conditions. Since then, keylogging attacks have come to leverage side channels emanating from the user's finger and hand movements, countless keyboard electromagnetic and acoustic emanations, microarchitectural attacks on the host computer, and encrypted network traffic. These attacks can each be characterized by the type of information the side channel leaks: a spatial side channel reveals physical key locations or the similarity between key pairs, and a temporal side channel leverages key press and release timings. We define and evaluate the performance of idealized spatial and temporal keylogging side channels and find that, under the assumption of typing English words, nontrivial information gains can be achieved even in the presence of substantial measurement error. For temporal side channels, we find that the information gained by different temporal features strongly correlates to typing speed and style. Finally, to help drive future research, we review the current state-of-the-art keylogging side channel attacks and discuss some of the mitigation techniques that can be applied.