Keyboard Sounds May Reveal Secrets

John Lister

Researchers say they can accurately figure out what somebody is typing from the sound of their keyboard. The "technique" has some significant practical flaws but is a useful reminder of good password practice.

The researchers looked into a theory that seems to get tested every few years: that different keys make different sounds. That's partly because they are at differing distances from the device recording the audio and partly because the gaps between pressing different letters may vary depending on the typing style.

The main difference with this latest test was using deep learning, which aims to combine the speed of computers with the reasoning and pattern recognition of humans. This helped develop rules for figuring out the likelihood of a particular keystroke being a particular key. While not entirely clear, it's possible the rules also allowed adjustment of those estimates after each keystroke based on possible words and sequences.

In this case, the researchers say they achieved a 95 percent accuracy rate, which they say is the highest recorded for such a technique. That figure is a statistical measure that takes into account both cases where the software identified the wrong key and cases where the software couldn't make a confident prediction at all. (Source: arxiv.org)

Zoom Calls Could Be Revealing

With the obvious uses being to capture sensitive information or, more specifically, passwords, the real question is what mitigating factors would apply in the real world. The most obvious is the difficulty of getting the recording in the first place.

The 95 percent figure was from using an iPhone placed near to the keyboard. That's a tactic that isn't technically challenging but does require physical access at some point (and the phone not raising suspicion).

The researchers also tested using recordings from Zoom and Skype calls, which reduced the accuracy to 93 and 91 percent respectively. Of course, that does require the victim to type the relevant information during the call, for example by tricking somebody into logging into an account.

Good News For Touchtypers

The accuracy rates in the 90 percent range might well be enough to figure out the overall content of a lengthy passage of typed text. When it comes to passwords (assuming the scammers could isolate which sequence of keystrokes was the password), most of the usual measures for improving password strength would pay off.

For example, a longer password increases the chances of a misidentified keystroke. Using a "random" sequence of characters rather than a word makes it much harder to spot and correct possible errors. And mixing upper and lower case letters would improve security as the recording technique struggled to isolate the Shift key.

The other big variable with the technique is typing styles. When people typed slowly and used two fingers only, the length of the gap between each keystroke gave more useful information in the sound recording than it did when people touch-typed quickly. (Source: theregister.com)

What's Your Opinion?

Is there a point to such research? Do you think it's plausible somebody would use this approach for a real attack? Would you do anything differently if you thought such attacks were possible?


Comments

Focused100

I'm trying to think of a situation where someone can get close enough to my keyboard to listen.
Then sift thru a lot of noise to find a login. Which isn't very often.

doulosg

I could see the technique being used in MI:8 or a Bond film. Of course, all problems will be miraculously and automatically resolved. But doing this effectively would only seem plausible with a high-value - or purely theoretical - target.

Chief

To defeat the AI keyboard attack, simply manufacture keyboards to randomly create sounds and pressure waves when depressing keys.