19

I've been thinking about this for a while; I know people are aware of wireless wiretapping of keyboards. However, has there been research on how to wiretap keyboards based on typing patterns? I'm thinking whether microphones can be used to build a model of typing patterns to extrapolate what someone is typing on a keyboard.

Ztyx
  • 334
  • 1
  • 2
  • 10
  • Funny thought, but I can only imagine the length of the _enrolment period_, i.e. collecting reliable data on each key-press, to have something reasonably good to compare with the recording. – Henning Klevjer Oct 29 '12 at 08:54
  • Not as far I as know, I can see there being numerous technical problems that would make it difficult to do: background noise, multiple keyboards of the same model making the same noise. You'd have to do it in laboratory conditions first to eliminate these factors before trying it in the wild. – GdD Oct 29 '12 at 09:03
  • 3
    This *has* been studied. I remember reading a paper on it, and seeing it done in a video. It works reasonably well in ideal conditions, but it's very flaky in reality. I'll try to dig out the links. – Polynomial Oct 29 '12 at 09:24
  • Install microphone, exchange some emails with victim, sync voice records with email, build database with "known plaintext" samples. I believe this should work pretty OK. Unless this is just me typing some words in specific, repeatable manner. – lubas Oct 29 '12 at 09:46
  • I have no doubt that it's theoretically possible, it just doesn't sound practical when there are so many other ways to get this kind of data – GdD Oct 29 '12 at 10:46
  • 1
    It's been done since the 1950s http://en.wikipedia.org/wiki/Acoustic_cryptanalysis – Lev Bishop Oct 29 '12 at 14:12
  • A relatively trivial google search turns up 12,900,000 results, including the following : 1. [Wikipedia](http://en.wikipedia.org/wiki/Keystroke_dynamics) 2. [A presentation at blackhat](http://reviews.cnet.com/8301-10921_7-6624287-4.html) 3. [Continuous identity verification through keyboard biometrics](https://sa.rochester.edu/jur/issues/fall2005/ordal.pdf) – MCW Oct 29 '12 at 10:32
  • 1
    @MarkC.Wallace Your answer has been converted to a comment. Please don't write answers with only links. In a few years time, someone would come back to it and find that the links are dead and your answer is devoid of useful content. If you're going to write answers based on links, you **must** include appropriate excerpts of content, and you **should** include your own opinion and interpretation of the content. – Polynomial Oct 29 '12 at 16:31

5 Answers5

15

In a similar vein, but slightly different. Rather than using audio recordings this link shows that you can point a laser at the back of a laptop monitor and determine what is being typed based on the vibrations of the screen.

Here is the original presentation slides

Colin Cassidy
  • 1,880
  • 11
  • 19
15

This is known as "Acoustic Keyboard Eavesdropping". In 2004 Dmitri Asonov and Rakesh Agrawal from IBM published a paper (pdf) that describes such an attack. The following is the abstract of that paper:

We show that PC keyboards, notebook keyboards, telephone and ATM pads are vulnerable to attacks based on differentiating the sound emanated by different keys. Our attack employs a neural network to recognize the key being pressed. We also investigate why different keys produce different sounds and provide hints for the design of homophonic keyboards that would be resistant to this type of attack.

Berkeley researchers reached similar results in a paper published in 2005 (pdf). The following is taken from the abstract of that paper:

We examine the problem of keyboard acoustic emanations. We present a novel attack taking as input a 10-minute sound recording of a user typing English text using a keyboard and recovering up to 96% of typed characters. There is no need for training recordings labeled with the corresponding clear text. A recognizer bootstrapped from a 10-minute sound recording can even recognize random text such as passwords: In our experiments, 90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts by an adversary. In the attack, we use the statistical constraints of the underlying content, English language, to reconstruct text from sound recordings without knowing the corresponding clear text.

PlsWork
  • 103
  • 3
David Wachtfogel
  • 5,522
  • 21
  • 35
3

The motion sensor in a mobile phone can be used to wirelessly tap a keyboard by placing the phone close to the keyboard. A similar and clever approach to your suggestion.

I believe it's discussed in this TED talk: http://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked.html .

Opflash
  • 151
  • 2
2

"Skype&Type" is a research project among three universities, which explores a keyboard acoustic eavesdropping attack:

VoIP software acquires and faithfully transmits all sounds, including emanations of pressed keystrokes, which can include passwords and other sensitive information.

This acoustic information from keyboard's noise is used by S&T in order to understand what has been typed on the victim's keyboard. The following figures depict a possible S&T scenario: first, the attacker and the victim VoIP call each other (in our example, a Lawyer's firm as victim, and our Research Group as attacker). Then, the victim proceeds to inadvertentely type sensitive information during the call (in our example, their Gmail ID and password). With the keyboard noise collected through VoIP, the attacker is then able to recover the full typed text of the victim.

There's an open source GUI tool that uses the microphone to capture keyboard noise and guess keyboard keys.

Smartphones with accelerometers have also been used to interpret the vibrations sent by typing.

Dan Dascalescu
  • 1,955
  • 2
  • 15
  • 24
1

There's a paper on the topic "Keyboard Acoustic Emanations Revisited" available here: https://people.eecs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/TISSEC.pdf

We present a novel attack taking as input a 10-minute sound recording of a user typing English text using a keyboard and recovering up to 96% of typed characters. There is no need for training recordings labeled with the corresponding clear text.

Once the model is trained, it can even be used for recognising random strings like passwords, although it won't do numbers, and is relatively limited on punctuation.

rjmunro
  • 121
  • 3