Computer scientists at the University of California, Berkeley, have uncovered a new security threat: a simple audio recording of keyboard clicks could betray the text you just entered, from passwords to secret love notes.
They are calling it “acoustical spying.” Researchers were able to take several 10-minute sound recordings of users typing at a keyboard, feed the audio into a computer, and use an algorithm to recover up to 96 percent of the characters entered.
“It’s a form of acoustical spying that should raise red flags among computer security and privacy experts,” said Doug Tygar, UC Berkeley professor of computer science and information management and principal investigator of the study. “If we were able to figure this out, it’s likely that people with less honorable intentions can — or have — as well.”
What makes the technique feasible is that each keystroke makes a relatively distinct sound, however subtle, when hit. Typical users type about 300 characters per minute, leaving enough time for a computer to isolate the sounds of individual keystrokes and categorize the letters based upon the statistical characteristics of English text. For example, the letters “th” will occur together more frequently than “tj,” and the word “yet” is far more common than “yrg.”
“Using statistical learning theory, the computer can categorize the sounds of each key as it’s struck and develop a good first guess with an accuracy of 60 percent for characters, and 20 percent for words,” said Li Zhuang, a UC Berkeley Ph.D. student in computer science and lead author of the study. “We then use spelling and grammar checks to refine the results, which increased the character accuracy to 70 percent and the word accuracy to 50 percent. The text is somewhat readable at this point.”
But that’s not all. The recording is then played back repeatedly in a feedback loop to “train” the computer to increase its accuracy until no significant improvement is seen. In the UC Berkeley experiments, three feedback cycles were often enough to obtain recovery rates of 88 percent for words and 96 percent for characters.
Once the system is trained, recovering the text became more straightforward, even if the text was a password and not an English word. After just 20 attempts, the researchers were able to retrieve 90 percent of five-character passwords, 77 percent of eight-character passwords and 69 percent of 10-character passwords.
There are limitations to the technique, however. The researchers pointed out that they did not use the Shift, Control, Backspace or Caps Lock keys for their experiments, but describe approaches for training a program to account for those keystrokes as well. The ability to account for use of a computer mouse will be more challenging, the researchers said.
Nevertheless, the findings highlight a security hole that could be exploited and should be investigated, the researchers said. “The message from this study is that there is no easy escape from this acoustic snooping,” said Tygar. “The type of keyboard you use doesn’t matter, your typing proficiency doesn’t matter and the background noise can be overcome.”
So what’s a typist to do? Theodore Svoronos, Vice President of E-commerce Solutions for StrikeForce Technologies, told TechNewsWorld that fraudsters are always going to find new ways to obtain people’s information online. Acoustical spying is just the latest method.
“The whole point is this. Technology is built because there’s been some sort of breach,” Svoronos said. “There will be a technology that will be built to stop the acoustical situation, but eventually something else will come down the pipe. The goal should be to stop the breach before it happens.”
Stopping the sound spies, like stopping other forms of identity theft, boils down to splitting the pathways, Svoronos said. Splitting the pathways is sending users’ passwords over a channel that’s separate from the standard channel of user name and password boxes.
Whether the fraudster is keystroke logging or recording the sound of keys clicking or IP sniffing, if you don’t put the user ID and the password together, the fraudster can’t get what he needs.
“Split the pathways. Then the data is rendered useless to the fraudster,” Svoronos said. “It’s too late once the horse gets out of the barn to build a better barn door. We want to make sure the horse is safe while he’s out there.”