
How an ancient printer can spill your most intimate secrets

Needles and pins


Researchers have devised a novel way to recover confidential messages processed in doctors' offices and elsewhere by analyzing the sounds made when documents are reproduced on dot-matrix printers.

This so-called side-channel attack works by recording the “acoustic emanations” of a confidential document being printed, and then processing it with software that translates the sounds into words. The method recovers as much as 95 per cent of the printed words when an attacker has contextual knowledge about the text being printed, such as the words included in a medical prescription or a living-will declaration. Up to 72 per cent of the text can be recovered when no context is known.

The attack, which so far works only on English text, was carried out under what the researchers described as “realistic — and arguably even pessimistic — circumstances,” in which there was no shielding from ambient noise such as that made by people chatting in a nearby waiting room. Despite the wide availability of inkjet and laser printers, about 60 per cent of doctors in Germany continue to use dot-matrix devices. About 30 per cent of banks in Germany do so as well, according to the researchers.

Countries such as Germany, Switzerland, and Austria require carbon-copy-capable dot-matrix printers to be used for printing prescriptions for narcotics, they said.

“We have presented a novel attack that takes as input a sound recording of a dot-matrix printer processing English text,” the authors wrote in a paper to be presented this week at the Usenix Security Symposium in Washington, DC. “If we assume contextual knowledge about the text, the attack achieves recognition rates up to 95 per cent.”

The attack was demonstrated by using a Sennheiser MKH-8040 microphone to record the sounds of an Epson LQ-300+II as it printed several articles from Wikipedia, the medical prescription of a fictitious patient, and declarations from a living will. The sounds were then input into software designed to recognize the characteristic sound features of each entry in a large list of English words. The software then translated sounds into the corresponding text.

To increase the software's success rate, the researchers ran the text output through a widely used algorithm known as the Viterbi algorithm. Used with the Hidden Markov Model (HMM), a technology from speech recognition, it is able to spot errors like the phrase “such of the” and replace it with the words “such as the,” a combination that statistically is much more likely.

“Intuitively, this technology works well for us because most errors that we encounter in the recognition phase are due to incorrectly recognized words that do not fit the context,” the paper states. “By making use of linguistic knowledge about likely and unlikely sequences of words, we have a good chance of detecting and correcting such errors.”
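The correction step described above, as an added example (not code from the paper or the researchers): a Viterbi search over per-word candidate lists that weighs each candidate's recognition score against how likely it is to follow the previous word. The candidate scores, the bigram probabilities and the function names are constructed for illustration.

```python
import math

# Constructed recognition-stage output: for each printed word position,
# the candidate words and how well each matched the recorded sound.
CANDIDATES = [
    {"such": 0.90, "much": 0.10},
    {"of": 0.55, "as": 0.45},   # "of" matches slightly better than "as"
    {"the": 0.80, "she": 0.20},
]

# Constructed bigram language model: P(word | previous word).
BIGRAMS = {
    ("<s>", "such"): 0.02, ("<s>", "much"): 0.02,
    ("such", "as"): 0.30, ("such", "of"): 0.001,
    ("much", "as"): 0.05, ("much", "of"): 0.20,
    ("as", "the"): 0.25, ("of", "the"): 0.30,
    ("as", "she"): 0.02, ("of", "she"): 0.001,
}
FLOOR = 1e-6  # probability assigned to word pairs the model has never seen


def greedy(candidates):
    """Recognition alone: take the best-matching word at every position."""
    return [max(column, key=column.get) for column in candidates]


def viterbi(candidates, bigrams, floor=FLOOR):
    """Most likely word sequence under recognition scores plus bigram context."""
    # best[w] = (log-probability of the best path ending in w, that path)
    best = {"<s>": (0.0, [])}
    for column in candidates:
        nxt = {}
        for word, match in column.items():
            # Pick the predecessor that makes this word most plausible.
            score, path = max(
                (prev_score + math.log(bigrams.get((prev, word), floor)), prev_path)
                for prev, (prev_score, prev_path) in best.items()
            )
            nxt[word] = (score + math.log(match), path + [word])
        best = nxt
    return max(best.values())[1]


if __name__ == "__main__":
    print("recognition only:", " ".join(greedy(CANDIDATES)))
    print("with language model:", " ".join(viterbi(CANDIDATES, BIGRAMS)))
```

With an empty bigram table every transition gets the same floor probability, so the search falls back to the recognition-only result; the context model is what changes the outcome.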

The technique can be used to snoop on the print jobs of a variety of dot-matrix printers. Although it's necessary to train the software to recognize the sounds for each model line, the specific device being targeted need not have ever been encountered before. The “recognition rate only decreases slightly when using a different printer in the training phase,” the researchers said.

They also said it may one day be possible to use similar techniques to recover text processed by more modern printers.

“Ink-jet printers might be susceptible to similar attacks, as they construct the printout from individual dots, as dot-matrix printers do,” the paper states. “On the one hand, the bubbles of ink might produce shock-waves in the air that potentially can be captured by a microphone.” The researchers, however, said they were unable to capture the emanations, most likely because the faint sounds were drowned out by the noise coming from the mechanical parts of the ink-jet printers they tested.

Recognition for the four Wikipedia articles printed averaged an accuracy rate of about 63 per cent when just the input was analyzed and almost 70 per cent when the HMM technology was employed. When two known living-will declarations were analyzed using HMM technology that had been finely tuned, the success rate was as high as 95.5 per cent.

The researchers said the most effective countermeasure is to block the sound of a printer using acoustic shielding foam. Their experiments showed that recognition rates drop precipitously if the distance between the printer and microphone is increased. Whereas their results were achieved with a distance of two centimeters, the rate dropped to about four per cent when the distance reached two meters.

Side-channel attacks, in which potentially sensitive data is leaked through emanations in electronic devices, are believed to have been employed as early as World War I, when the Germans spied on French field phone lines. In 1985, the first known attack was published when it was shown that electromagnetic radiation from CRT monitors could be used to reconstruct the words they displayed. The technique has since been used to fashion all kinds of attacks, including jimmying open keyless entry systems used to secure cars, garages, and office buildings.

The researchers are Michael Backes, Markus Durmuth, Sebastian Gerling, Manfred Pinkal, and Caroline Sporleder, members of the computer science and computer linguistic departments of Germany's Saarland University. A PDF of their paper is here. ®
