A team of British researchers has created and trained an artificial intelligence that can guess keystrokes with 95% accuracy just by listening to the sound produced when typing. The technique could become a new attack vector for the theft of personal information, and it can be hard to stop if basic precautions are not taken.

Until now, the most common way to detect what someone is typing on a keyboard has been to use a program known as a keylogger, software that saves a copy of each key pressed and sends it to the attacker later. There are many ways to install them surreptitiously, and some are very good at camouflaging themselves, but operating systems and antivirus programs often include tools to detect and remove them.

It is not the first time that the sound produced by the keys when typing has been studied as an alternative to keyloggers, but until now the attempts required a good-quality microphone near the keyboard, were less effective, or were only practical on mechanical keyboards, which generally sound louder and more distinctive when typing.

This new system developed by researchers from the University of Durham, Surrey and Royal Holloway, on the other hand, is capable of detecting the keystrokes of a membrane keyboard even during a Zoom call. The effectiveness in that case is reduced to 93%, but it is still high enough to be worrying.

For the study, the researchers used a MacBook Pro computer with the laptop’s built-in keyboard and recorded keystroke sounds with an iPhone 13 held 17 centimeters away or with the computer’s own microphone during a Zoom video call.

Training the machine learning model for other computers or keyboard types, however, is trivial. It is only necessary to press all the alphanumeric keys of the keyboard 25 times to capture the sound that they produce according to the different levels of pressure and the area of contact. From this sample, the algorithm creates the model that makes it possible to find out with a high degree of probability the key that has been pressed just by listening to its distinctive sound.

“Our results show how practical these lateral attacks can be – as attacks that use indirect techniques are known in computer security – using affordable equipment and very simple algorithms,” explain those responsible for the study.

Although the results open the door to new avenues of attack, the authors recommend some basic protection measures, not unlike the idea of hiding your hand when you type a PIN in public.

One of them, for example, is to mix case in passwords: pressing the caps modifier key introduces enough randomness into the audio recording, because the moment at which the pressure on the key is released varies frequently.

The other alternative, obviously, is to use password managers that enter the codes automatically, touch screens or biometric identification systems.

The authors also recommend that developers of video conferencing applications, such as Zoom or Teams, use software to suppress the sound of the keys when typing in video conferences. “This solution would not only protect against potential attacks, but would also eliminate irritating keystroke sounds for conferees,” they explain.
