September 14, 2005 1:46 PM PDT

Keyboard clicks can lead to security hacks

A new security vulnerability has been discovered: the clickety clack of the keyboard.

An audio recording of an individual's typing can be transposed into a transcript of what was typed, according to researchers with the University of California, Berkeley. The technique works because each key makes a distinct sound when hit, and users, who typically type about 300 characters a minute, leave enough time between keystrokes for a computer to isolate the individual sounds.

The researchers were able to take several 10-minute sound recordings of users typing at a keyboard, feed the audio into a computer, and use an algorithm to recover up to 96 percent of the characters entered.

The technique worked when music or cell phone ringing jangled in the background--and even on so-called quiet keyboards with off-the-shelf recording equipment.

While any sort of typed documents could be pilfered through this technique, the study underscores the vulnerability of passwords, said Doug Tygar, a UC Berkeley professor of computer science and information management, and a principal investigator of the study.

"Passwords are a mechanism for authentication that really need to be rethought," he said. "This is not an esoteric attack. It requires some knowledge of computer science, but it can be done using many components that are freely available...We used $10 microphones."

The work builds on research conducted by IBM's Dmitri Asonov and Rakesh Agrawal that showed how 80 percent of text typed could be recovered from keyboard recordings. Those experiments, however, were tightly controlled.

The results of their findings will be presented Nov. 10 at the Association for Computing Machinery Conference in Alexandria, Va.

The UC Berkeley technique relies on the probabilistic computing techniques that underlie search engines. The computer categorizes the sound of each key and takes an educated guess about the character or word that was written. To come to a conclusion, the computer uses both the sound of the keystroke and linguistic conventions, for example interpreting a keystroke as an E after TH, rather than a Q, when the sounds are similar.
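The way a linguistic prior overrides an ambiguous sound can be shown with a toy decoder. This is an added example, not the researchers' code: the acoustic scores and bigram probabilities are constructed, and a simple bigram table with Viterbi search stands in for the "linguistic conventions" the article mentions.

```python
import math

# Constructed acoustic scores: P(sound | key) for the candidate keys of three
# keystrokes. The third sound is ambiguous, with "q" slightly ahead of "e".
OBSERVATIONS = [
    {"t": 0.90, "r": 0.10},
    {"h": 0.80, "j": 0.20},
    {"q": 0.55, "e": 0.45},
]

# Constructed bigram probabilities P(next | prev) standing in for "linguistic
# conventions". Pairs not listed fall back to a small floor value.
BIGRAM = {("t", "h"): 0.30, ("h", "e"): 0.40, ("r", "e"): 0.15}


def transition(prev, key, bigram, floor):
    """Language-model weight for typing `key` after `prev` (1.0 if no model)."""
    return 1.0 if bigram is None else bigram.get((prev, key), floor)


def decode(observations, bigram=None, floor=1e-3):
    """Viterbi search for the most likely key sequence.

    bigram=None reproduces a sound-only first pass; passing a table adds the
    linguistic prior to every step.
    """
    # paths maps the last key of a partial sequence to (log-probability, text)
    paths = {k: (math.log(p), k) for k, p in observations[0].items()}
    for obs in observations[1:]:
        step = {}
        for key, p_sound in obs.items():
            score, text = max(
                (lp + math.log(transition(prev, key, bigram, floor)), seq)
                for prev, (lp, seq) in paths.items()
            )
            step[key] = (score + math.log(p_sound), text + key)
        paths = step
    return max(paths.values())[1]


def corrected_positions(observations, bigram):
    """Indexes where the linguistic prior overrides the sound-only guess."""
    first_pass = decode(observations)
    refined = decode(observations, bigram)
    return [i for i, (a, b) in enumerate(zip(first_pass, refined)) if a != b]


if __name__ == "__main__":
    print(decode(OBSERVATIONS), decode(OBSERVATIONS, BIGRAM))
```

Passing an empty table (`decode(OBSERVATIONS, {})`) gives every transition the same weight, so in this toy model a string with no linguistic structure is decoded exactly as in the sound-only pass.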

The first pass is right about 60 percent of the time for characters and 20 percent of the time for entire words. The transcript is then run through spelling and grammar checks, which increase character accuracy to 70 percent and word accuracy to 50 percent.

The results are then fed back through the computer to refine future results. After three feedback cycles, the accuracy rate rose to 88 percent for words and 96 percent for characters.

Further experiments will take place. The researchers didn't examine what happens when the Shift, Control, Delete or Caps Lock keys are hit. Mouse actions also raise a major problem.

4 comments

Keyboard monitoring leads to new businesses?
Will keyboard manufacturers now tout the silence, or determined randomness, of their keyboard clicks? Will all keyboards sprout speakers, to drown out the keyboard clicks?

The possible paranoia reminds me of the movie Enemy of the State.

That said, it's still pretty cool that these patterns both exist and can be monitored.
Posted by pencoyd (82 comments )
Interesting concept
Read both comments (two existed when I read... one included a quip about [movie (?)] Enemy of the State and the other pertaining to passwords (I think that one's subject line read "Doubtful"))...

In any instance, both comments and the article have been informative in how/why you guys (?) are thinking. As for me (for whatever it's worth), this is stuff I've already thought about (give or take... I've never seen Enemy of the State) and given that I'm a person who's invented a cure for eczema and am currently working on getting business partners and FDA approval, you folks may realize that security issues/passwords & whatnot are not likely to come into play for me... why you might ask? I go through lawyers (when needed) and am not afraid of purchasing an old Underwood computer (*heh* little joke here... Underwood _TYPEWRITER_ such as Andy Rooney of 60 Minutes has on his desk... or at least used to have) to circumvent password (and other) hackers. Business-wise, I keep 99% of my information in my head anyhow. (Not a bad thing to do given ramifications of companion stories such as "Intelligence in the Internet age" (published September 19th, 2005 @ 04:00 PDT by c|net.com).) A word to the wise ;)

--Kimberly Steinka = ksteinkaa65a@yahoo.com
Posted by (1 comment )
Doubtful
This method may work with a known keyboard, but when you factor in room acoustics, the many different keyboards that are available and that the sound will vary from keyboard to keyboard (especially as it wears) it is just an interesting but useless point. Furthermore, since they need to spell check to get that accuracy then it will not work on passwords.
Posted by Andrew J Glina (1673 comments )
I don't believe it
Simple as that. One key click sounds pretty much the same as another; no useful information can be gleaned from it. And even if it did, does it only work with QWERTY keyboards? What about people typing numbers on the numeric keypad vs top row? Too many variables, too many similarities -- it's a load of rubbish. Makes for a nice scare-tactic story, though.
Posted by Anonymous1234567890 (53 comments )
 
