Can Keyboard Sound Expose Passwords? Experts Say No

John Lister

Researchers say there's a risk that microphones and motion sensors in smartphones could make it possible to figure out information being typed on nearby keyboards. But media headlines that "hackers can work out your password" are a significant stretch.

The research comes from the Darwin Deason Institute for Cyber Security at Southern Methodist University, based in Texas. It stemmed from the thought that smartphones could pick up sound in two ways: not just the sound waves in the air through the microphone, but vibrations such as on a table collected through the motion sensors in the phone.

The testing explored whether these two sources of information would be enough to measure the different noises and vibrations caused by a user typing different keys on a keyboard. In particular, the researchers wanted to see if the use of the vibration and motion sensors would be enough to overcome the "interference" of surrounding conversations that would make relying on the sound waves in the air too difficult.

Tabletop Treachery

In the test, participants were asked to sit at laptops, engage in conversation with others in the room, and type notes of the conversation. This was designed to produce both the necessary typing and unpredictable content to try to detect. A series of mobile phones was placed on each table at varying distances to capture the sounds and vibrations.

The press release for the research says that when asking if it was possible to use this data to figure out what people were typing, "The answer was a definite 'Yes.'" (Source: smu.edu)

A Material Problem

However, the results showed this was far from a total success.

In fact, when it came to figuring out an individual keystroke, the success rate was only 41 percent. When trying to figure out an entire word, that fell to 27 percent. That means it's extremely unlikely an attacker using this method would be able to get a password: unless the password is a simple and obvious word, every character would have to be identified correctly. (Source: acm.org)

The big problem was that though the concept was valid, there was too much variation between different set-ups. That means that using the method would likely only be successful if the would-be attacker had advance knowledge both of the specific type of keyboard the victim was using and the material of the surface (such as a metal or wooden tabletop) that the keyboard and phone were placed on.

What's Your Opinion?

Does this study suggest anything to worry about? Is there a risk that attackers could refine this technique? Was this a worthwhile test despite the inconclusive results?


Comments

russoule

It sounds to me the same as most of the other hacking procedures, that is, the hacker requires physical contact with the computer to hack it, unless it is a workstation on a network. Who, in their right mind, would give access to someone to set a cell phone on or near their computer? "Hey Boris. Come on in here and see my new system and put your cell phone near it so you can hack it." (sarc)

Most of these "hacks" are going to be dedicated to an in-house network and passwords can be protected by not leaving them on that in-house network. Don't let Chrome or Edge or any other browser "save" your passwords so they are not available to the hackers who come in over the wires. And don't give access to just anyone who wants to see/use/hack your computer.