QIF-T0101

medium

Multi-modal keystroke inference via acoustic-optical-RF fusion (password/input recovery without mic/camera permissions)

Tier 3 — Demonstrated (Lab-proven)

Legacy status: DEMONSTRATED

This technique fuses three independent side channels from a single mobile device to reconstruct user input without requiring microphone, camera, or accessibility permissions:

  (1) Keystroke acoustic emanations: each key press produces a distinct acoustic signature (1-20 kHz broadband impulse), classifiable via MFCC + CNN at ~95% accuracy on laptops, lower but still viable on touchscreens.
  (2) Screen optical emission: display luminance changes of ~0.1-1% per character insertion are detectable by an ambient light sensor at <0.01 lux sensitivity.
  (3) WiFi CSI: finger movements modulate OFDM subcarrier phase; σ²_phase > threshold indicates keystroke events.

Individual channel accuracy: 60-70% acoustic, 40-50% optical, 55-65% WiFi CSI. Fused via CRF/LSTM with temporal cross-correlation alignment, accuracy is >95% with 30+ training samples per key.

Critical insight: apps requesting speaker + WiFi permissions (trivially granted) achieve a side channel equivalent to camera + microphone (heavily restricted). The permission model does not reflect the actual threat.

Technique Details

Tactic: QIF-S.SC
Status: DEMONSTRATED
Bands: S3, S2, S1

Therapeutic Application

Temporal fusion of acoustic keystroke emanations, screen optical luminance changes, and WiFi CSI phase variance to reconstruct typed input including passwords

Clinical Analog

Sensor fusion for motor disorder assessment and digital biomarker collection

Treats

  • early Parkinson's detection via keystroke rhythm changes (Giancardo et al. 2016)
  • tremor characterization via mobile phone sensor fusion
  • cognitive decline monitoring via screen interaction patterns (Vaportzis et al. 2017)
  • depression screening via touchscreen pressure/timing analysis (Zulueta et al. 2018)
  • WiFi CSI contactless fall detection in elder care (Wang et al. 2017)

Neural Impact

3 of 7 neural bands affected

S3 S2 S1

Scoring

NISS v1.1: NISS:1.1/BI:N/CR:L/CD:L/CV:P/RV:F/NP:N
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
1.4 Low

Governance

Neurorights at Risk

This technique threatens 2 of the 4 proposed neurorights (Ienca & Andorno, 2017).

Consent Complexity: 0.40 / 4.0

FDORA §3305 Compliance

Cyber Device
Regulatory Coverage: 0.5 / 1.0
524B Requirements: TM, VA, SBOM, SA, PM
Regulatory Gaps:
  • CVSS partially captures risk; neural dimensions missing
  • No FDA pathway for consumer sensor exploitation

Population Vulnerability

CRB vulnerability adjustment (γ=0.30) accounts for age, diagnosis severity, consent capacity, and device dependency.

| Population | NISS Base | Adjusted | Severity | Delta |
|---|---|---|---|---|
| Adult (Default) | 1.4 | 1.4 | Low | - |
| Child (10yr) + ADHD | 1.4 | 1.6 | Low | +0.25 |
| Adult with ALS | 1.4 | 1.6 | Low | +0.23 |

Validation Status

Theoretical / Not yet validated. This technique has not been independently tested. See the validation dashboard for what has been tested.

Qinnovate Neural Security Atlas