Typing sounds can be used to determine keystrokes, new research shows -- your keyboard can reveal passwords, even in noisy environments
43% success rate doesn't sound that impressive, but if the same input is recorded multiple times, the rate is likely to improve.
Researchers have found a way (PDF link) to determine keystrokes from the sound of input from keyboards, making PC users vulnerable to hackers. This type of attack can also determine keystroke patterns, even in noisy conditions and has an overall 43% success rate.
The method was tested by collecting unknown keystrokes from a recording of more than 20 people. The attack uses an English dictionary to enhance its text detections and is tested with various environmental acoustics.
Acoustic-based attacks have been extensively investigated by others. Researchers at Cornell used AI to listen to keyboard emissions to determine keystrokes with 95% accuracy, which in this case used a Macbook Pro. The difference is that this attack method is platform agnostic and only needs a device with a microphone to be near a physical keyboard. This could be a smartphone, laptop, or IoT device. What makes this attack more effective is when:
- The recordings contain environmental noise
- The recorded typing sessions for the same target take place on different keyboards
- The recordings were taken using a low-quality microphone
- The target is free to use any typing style
This was discovered by Alireza Taheritajar and Reza Rahaeimehr from Georgia's Augusta University, who published a paper detailing this acoustic side-channel attack method. The attack relies on the sound emissions and the user's typing. Once it captures adequate samples from the targeted user, it correlates the sound patterns with keystrokes, allowing the attacker to retrieve sensitive information such as login credentials.
Multiple Delivery Methods for Acoustic Attack
The delivery of such attack methods can be deployed as malware from websites, browser extensions, apps, cross-site scripting, and compromised USB keyboards. USB input devices can store and deliver malware just like any USB storage drive, as they usually have enough computing capacity and storage to run pre-installed scripts. Keyboards have been known to contain keyloggers installed by manufacturers and sold from websites like Amazon by many companies and drop shippers. Therefore the thought of having an auto-executable attack from keyboards is not far-fetched.
While such attacks could be deterred with quieter keyboards, hacking methods are improved over time and with the success rate of 43%, it shows the feasibility of having such an attack method. Apart from not using a physical keyboard, professional typists can make it extremely difficult as they can type extremely fast and have overlaps between multiple keystrokes, according to the research paper.
However, the research also mentioned in the conclusion intends to use LLMs in its future projects to improve the success rate, further highlighting the potential consequences of AI to compromise digital security.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, & blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix & TweakTown before joining Tom's Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.
-
Dementoss
They can be stopped stone dead, if like me, you have nothing with a microphone connected to your PC.Admin said:While such attacks could be deterred with quieter keyboards, -
helper800
It would not be just something connected to your PC. Anything with a mic like your phone, Amazon Alexa, et cetera, as long as it can hear the typing from your PC from any device, there is a security risk.Dementoss said:They can be stopped stone dead, if like me, you have nothing with a microphone connected to your PC. -
BillyBuerger
This has nothing to do with QWERTY. It's just listening for the unique signature of each key stroke. If you ever listened to any keyboard typing audio/video, they will something click through different keys as the position in the keyboard produces different sounds even if it's very minute. The layout being used doesn't change the fact that each key will have a slightly different sound that could be used to determine what is being typed.ezst036 said:Probably QWERTY based audio snooping. A good reason to learn Dvorak or Colemak?