This new attack uses the sound of your keystrokes to steal your passwords

News
By Sead Fadilpašić
published

Who is listening to you type?

Person typing on keyboard
(Image credit: Shutterstock.com)

Two researchers from Augusta University, in Georgia, U.S., demonstrated a novel way to steal people’s passwords that would put even James Bond to shame.

Alireza Taheritajar and Reza Rahaeimehr published a paper called “Acoustic Side Channel Attack on Keyboards Based on Typing Patterns” which is just as weird as it sounds.

According to the research, there is a way to deduce a person’s password (or any other word that’s typed into a computer) by simply listening to them type.

Is it feasible?

The method is not as accurate as some other side channel attacks, as the researchers suggested the accuracy of this attack is around 43%. To pull it off, all the attackers would need is a relatively small sample of the victim’s typing (just a few seconds, apparently), but would need more than one recording.

Furthermore, they would need an English dictionary. The mitigating circumstance here is that the recording doesn’t have to be particularly “clean”. It could have significant background noise, or come from multiple different keyboards, and still work.

In theory, a threat actor could place a smartphone, or a similar microphone-equipped device, in the relative vicinity of the victim and record them typing. From that recording, they would be able to establish certain patterns, which could then be used to determine potential words. The English dictionary would help to predict which words would make most sense in the context of the sentence.

While it sounds ominous, there are quite a few moving parts that need to align perfectly, for the attack to be pulled off.

For one, the attacker needs to either be really close to the victim, have a recording device nearby (a smart speaker would suffice, apparently), or have malware installed that’s capable of leveraging the computer’s microphone. Then, the attacker needs to type in their password, as well as a bunch of other words.

They cannot be a professional typist, or be able to type fast in general, as that messes with the predictions. Then, the attackers can analyze the recordings and will still end up with just a 43% chance of success.

Via Bleeping Computer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.