Keyboard clicks can lead to security hacks

Darth Fanboy · Post by **Darth Fanboy** » 2005-09-22 01:55pm

Linky

Keyboard clicks can lead to security hacks
Last modified: September 14, 2005, 1:46 PM PDT
By Michael Kanellos
Staff Writer, CNET News.com

A new security vulnerability has been discovered: the clickety clack of the keyboard.

An audio recording of an individual's typing can be transposed into a transcript of what was typed, according to researchers with the University of California, Berkeley. The technique works because each key makes a distinct sound when hit, and users, who typically type about 300 characters a minute, leave enough time between keystrokes for a computer to isolate the individual sounds.

The researchers were able to take several 10-minute sound recordings of users typing at a keyboard, feed the audio into a computer, and use an algorithm to recover up to 96 percent of the characters entered.

The technique worked when music or cell phone ringing jangled in the background--and even on so-called quiet keyboards with off-the-shelf recording equipment.

While any sort of typed documents could be pilfered through this technique, the study underscores the vulnerability of passwords, said Doug Tygar, a UC Berkeley professor of computer science and information management, and a principal investigator of the study.

"Passwords are a mechanism for authentication that really need to be rethought," he said. "This is not an esoteric attack. It requires some knowledge of computer science, but it can be done using many components that are freely available...We used $10 microphones."

The work builds on research conducted by IBM's Dmitri Asonov and Rakesh Agrawal that showed how 80 percent of text typed could be recovered from keyboard recordings. Those experiments, however, were tightly controlled.

The results of their findings will be presented Nov. 10 at the Association for Computing Machinery Conference in Alexandria, Va.

The UC Berkeley technique relies on probabilistic computing techniques that underlie search engines. The computer categorizes the sound of each key and takes an educated guess about the character or word that was written. The computer uses both the sound of the keystroke and linguistic conventions to interpret a keystroke as an E after TH rather than a Q when the sound is similar--to come to a conclusion.

The first pass is right about 60 percent of the time for characters and 20 percent of the time for entire words. The transcript is then run through spelling and grammar checks, which increased character accuracy to 70 percent and the word accuracy to 50 percent.

The results are then fed back through the computer to refine future results. After three feedback cycles, the accuracy rate rose to 88 percent for words and 96 percent for characters.

Further experiments will take place. The researchers didn't examine what happens when the Shift, Control, Delete or Caps Lock keys are hit. Mouse actions also raise a major problem.

Soontir C'boath · Post by **Soontir C'boath** » 2005-09-22 02:52pm

I wonder if the crumbs of bread and other food I've eaten over this keyboard will change the way it sound...

bilateralrope · Post by **bilateralrope** » 2005-09-22 03:14pm

Soontir C'boath wrote:I wonder if the crumbs of bread and other food I've eaten over this keyboard will change the way it sound...

Probably, but then they will just need to grab your keyboard so they can refrance it.

Nephtys · Post by **Nephtys** » 2005-09-22 09:41pm

This isn't that new. I've read an account from the mid-late 90's about the FBI watching over some suspect by using one of those laser window microphones, and determining their typing from the clicking. So the CIA's sensative offices use masking equipment also to stop someone else from easilly recording keystroke sounds.

I'll need to find that article again. I think it was in an old issue of Wired.

Davis 51 · Post by **Davis 51** » 2005-09-22 09:50pm

even on so-called quiet keyboards

That's kinda creepy when you think about it.