| Title | Feasibility of a Keystroke Timing Attack on Search Engines with Autocomplete |
| Publication Type | Conference Paper |
| Year of Publication | 2019 |
| Authors | Monaco, John V. |
| Conference Name | 2019 IEEE Security and Privacy Workshops (SPW) |
| Keywords | autocomplete, browser, Browsers, computer network security, HTTP requests, Human Behavior, human factors, hypermedia, information leakage measurement, keyboard input events, Keyboards, keylogging, keylogging side channel attack, keystroke analysis, keystroke timing attack, Metrics, Mutual information, network traffic, packet inter-arrival times, Presses, pubcrawl, search engine, search engines, search predictions, Servers, Side channel, telecommunication traffic, Timing, Traffic analysis, transport protocols, user query input field, Vulnerability, Web sites, website |
| Abstract | Many websites induce the browser to send network traffic in response to user input events. This includes websites with autocomplete, a popular feature on search engines that anticipates the user's query while they are typing. Websites with this functionality require HTTP requests to be made as the query input field changes, such as when the user presses a key. The browser responds to input events by generating network traffic to retrieve the search predictions. The traffic emitted by the client can expose the timings of keyboard input events which may lead to a keylogging side channel attack whereby the query is revealed through packet inter-arrival times. We investigate the feasibility of such an attack on several popular search engines by characterizing the behavior of each website and measuring information leakage at the network level. Three out of the five search engines we measure preserve the mutual information between keystrokes and timings to within 1% of what it is on the host. We describe the ways in which two search engines mitigate this vulnerability with minimal effects on usability. |
| DOI | 10.1109/SPW.2019.00047 |
| Citation Key | monaco_feasibility_2019 |
Feasibility of a Keystroke Timing Attack on Search Engines with Autocomplete