RefleXnoop: Passwords Snooping on NLoS Laptops Leveraging Screen-Induced Sound Reflection

Password inference attacks by covert wireless side-channels jeopardize information safety, even for people with high security awareness and vigilance against snoopers. Yet, with limited spatial resolution, existing attacks cannot accurately infer password input on QWERTY keyboards in distance, creating psychological safety in using laptops publicly. To refute this false belief, we propose RefleXnoop, enabling an attacker to snoop a victim's typing details on a non-line-of-sight (NLoS) laptop. Apart from passively overhearing keystroke acoustic emanations, RefleXnoop actively probes with ultrasound, whose larger bandwidth and lower noise floor offers a finer resolution. To further maximize its performance, RefleXnoop exploits the laptop's screen reflection to enhance diversity in sound acquisition, and it innovates in neural models to effectively fuse the diversified sound acquisitions and to achieve robust feature-to-key translation. We implement RefleXnoop with commodity hardware and conduct extensive evaluation on it; the results demonstrate that RefleXnoop achieves 85% top-100 accuracy for inferring 8-character passwords on laptop QWERTY-keyboard and in multiple noisy environments.