
Keyboard Sound Aids Password Cracking 389

Posted by CmdrTaco
from the but-i-love-clicky-keyboards dept.
stinerman writes "Three students at UC-Berkeley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"

  • My Luggage (Score:5, Funny)

    by Valiss (463641) on Tuesday September 13, 2005 @01:06PM (#13548559) Homepage
    '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'

    Looks like you're screwed because my luggage password is 5 digits long, but all digits are numbers in a sequential order starting with one. Ha ha!
     
  • by otomoton (911331) on Tuesday September 13, 2005 @01:07PM (#13548564)
    Does this mean that instead of keystroke loggers, spyware is now going to monitor our microphone input? This almost sounds like something out of a bad 80's movie.
    • by o7400 (608649) * <eidolf@gmail.com> on Tuesday September 13, 2005 @01:24PM (#13548786) Homepage
      That's it. From now on, whenever I'm typing a password I'm going to scream at the top of my lungs. How about that stupid password stealers!?
      • and then they'll just use a notch filter and take the human vocal range out, leaving plenty of low and high freq sounds to play with.
      • When I first saw the headline, I thought that maybe they were doing time analysis on the keystrokes to guess the fingers used and which row on the keyboard. If that were the case, I would just type my password using a couple of fingers and do some very accurate timing (given I used to be a drummer, I can get pretty accurate) and that would throw them off.

        However, this is a little harder, I have to hit each and every key so that it makes exactly the same sound. This is extremely difficult because even if
    • by TripMaster Monkey (862126) * on Tuesday September 13, 2005 @01:27PM (#13548816)

      Spyware attempting to hash out your keystrokes by listening to the keypresses instead of grabbing the strokes directly is a bit like a person trying to enjoy music by watching the equalizer lights flicker instead of using the speakers.
      • by Enigma_Man (756516) on Tuesday September 13, 2005 @01:33PM (#13548881) Homepage
        That's exactly what this article is about though... They can get your keystrokes with 96% accuracy just by listening to them over a period of time.

        So, theoretically, yes; malware could listen to microphone input of you typing and work it backwards into key logging. If spyware's already on your system though, it'd be easier just to log the keys in the system. But you could figure out what someone else is typing just by recording it.

        -Jesse
        • That would essentially make airborne computer viruses possible!

          A virus infects one computer in an office installs spyware, listens to typing in the office, generate a dictionary of likely passwords and then attempts to attack nearby computers (just scan the subnet/workgroup) by using overheard passwords.
      • ...like a person trying to enjoy music by watching the equalizer lights flicker instead of using the speakers.

        Hey, I've done that! It's a great exercise for increasing the pattern-matching abilities of your brain! You have no idea how good it feels when you finally 'hear' the music just by watching the lights...

        (Well, at least I think so.)

      • by cei (107343) on Tuesday September 13, 2005 @02:01PM (#13549142) Homepage Journal
        Well, I've heard about a guy who was pretty severely colorblind who could color-correct photos in Photoshop by the numbers and come up with better results than those who didn't share his impairment. It's interesting to me when meta content becomes content in its own right... if the lights of the EQ become just as valid a form of expression as the sounds driving them.
    • by avronius (689343) * on Tuesday September 13, 2005 @02:02PM (#13549150) Homepage Journal
      Some potential titles for the aforementioned 80's movie:
      "Remix Of The Killer Tomatoes"
      "Return Of The Password Snatchers"
      "They Listened from Within"
      "Buffy The Keystroke Logger" (not quite on-topic)
      "I Know What You Typed Last Summer"
      "Eavesdropper"
      "The Computers Have Ears"

      The unrelated horror film we're most likely to see?
      "The Blog" - with Steve McQueen re-animated to reprise his role as "Steve Andrews"
      Genre: Horror / Sci-Fi / Comedy
      Tagline: Indescribable... Indestructible! Nothing Can Stop It!
      Plot Outline: An inane personal web log consumes all bandwidth in its path as it grows and grows.
  • Keyboard specific? (Score:5, Insightful)

    by markass530 (870112) <`moc.liamg' `ta' `035ssakram'> on Tuesday September 13, 2005 @01:07PM (#13548570) Homepage
    I'd have a hard time believing this method transcends all keyboard models, and all typists.
    • by MankyD (567984)
      I'd have a hard time believing this method transcends all keyboard models, and all typists.
      It doesn't, but it does work for most keyboards, and that's the catch. Keyboards must be specifically designed to counter it. Thus far, most aren't.
    • Read the article but not the paper. I could see some immediate flaws. For people who learned traditional typing methods and make few mistakes (ie. most heavy computer users) this could work.

      For people like me who never learned to type the "correct way" and use a mish-mash of styles and methods, or someone with fat fingers who makes a lot of mistakes, or the typing dyslexic, the system might be flawed. Also I'd imagine a twisted Keyboard would sound very different from a rectangular straight keyboard.

      Its n


      • I've seen this objection several times in this discussion, so I think I should respond here.

        The audio recording required for deciphering the keystrokes needs to be different for every combination of user and keyboard. There is no way a universal key could be developed; even if the same make and model of keyboard were being used, the amount of wear the keyboard has experienced would contribute to differences in the sound, and this system depends on isolating unique sounds for each keypress. Also, different
      • by Enigma_Man (756516)
        Also I'd imagine a twisted Keyboard would sound very different from a rectangular straight keyboard.

        The algorithm in the description doesn't have/need a baseline recording of any particular keyboard, it learns as it goes along, using pattern, and dictionary-style decoding. It just listens for all sorts of different sounding keystrokes, then starts to assume things as it goes along. If you type the same three different sounding characters in a row a whole bunch of times, it's probably the word "the" rathe
    • I think so (Score:5, Interesting)

      by the_mighty_$ (726261) on Tuesday September 13, 2005 @01:33PM (#13548882)

      This technique must be usable on most keyboards, because judging from this [textfiles.com] the FBI sometimes uses (or has used in the past) this technique. From the page:

      Audio surveillance. This method is a variation of Attack #4. FBI technicians install an audio bug near your computer. The sounds generated by the keyboard can be analyzed. By comparing these sounds with the noises made during generation of a known piece of text, the FBI can often deduce your passphrase - or come so close that only a few characters need to be guessed.

      Oh and by the way, that page was written in 1998, so these UC-Berkeley students (and the /. editors) are about 7 years slow.

      • Re:I think so (Score:3, Informative)

        by Anonymous Coward
        These guys do it *without* the known piece of text though; as a statistician, I applaud them!
      • Re:I think so (Score:5, Informative)

        by drew (2081) on Tuesday September 13, 2005 @02:42PM (#13549508) Homepage
        Even without RTFA:
        The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously.
        (emphasis mine)

        They are acknowledging that what you describe has been possible for some time, but what they have been able to achieve is different.
      • Re:I think so (Score:3, Interesting)

        by KillShill (877105)
        it was written in 1998 so that means the FBI were using it for oh, the past 20+ years.

        do you think they would divulge their secrets if no one else knew? by 1998, just about every "security" and "intelligence" agency had already surpassed it.
    • I for one have a weird typing pattern, because my right hand won't turn completely palm down (injured in a traffic accident). so I type with my whole left hand and two fingers of my right.
  • applicability? (Score:5, Insightful)

    by MooseTick (895855) on Tuesday September 13, 2005 @01:07PM (#13548571) Homepage
    If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.
    • Re:applicability? (Score:5, Insightful)

      by TripMaster Monkey (862126) * on Tuesday September 13, 2005 @01:11PM (#13548613)

      How about a parabolic or shotgun mike?
      • by rot26 (240034) *
        Good idea. They sell those at the same movie prop houses that carry 57-shot revolvers, self-igniting gasoline, and phones with "AT&T" written on every surface.
    • Re:applicability? (Score:3, Interesting)

      by Narcissus (310552)
      My laptop has a built-in microphone 'somewhere' near my keyboard. I don't know if this is too close to actually get anything from, though: it all sounds quite similar to me, when I happen to be talking via VoIP with a friend who refuses to:
      a) get a standalone mic; and
      b) stop coding while he's talking to me...
      • If they can do this with a keyboard then why can't they identify a lot more sounds and make something useful. I would think they could identify sounds like a leaky water or gas pipe. I would think they could identify someone calling for help. I would think they could identify the breaking of glass or someone attempting to break into a house. I would think that they could identify the sound of something burning. With the always on connection of broadband and properly placed microphones around the house
    • Re:applicability? (Score:2, Insightful)

      by someone300 (891284)
      A tiny wireless microphone can be taped underneath the keyboard.

      A camera would have to be given the right viewpoint, would likely be bigger, and the keyboard might move out of the camera's range.
      • Yeah... cause if I can get hold of your keyboard, I would never think to add a keystroke logging device. You can get them cheap, attach to the cord going to the case, and viola.... 100% reliable.
  • by xxxJonBoyxxx (565205) on Tuesday September 13, 2005 @01:08PM (#13548576)
    Another old fashioned way to get passwords w audio: Just tap the "help desk" phone line.
  • by Nuclear Elephant (700938) on Tuesday September 13, 2005 @01:08PM (#13548577) Homepage
    ... that my voice is my passport.
  • 75 attempts? (Score:5, Insightful)

    by jlower (174474) on Tuesday September 13, 2005 @01:08PM (#13548580) Homepage
    '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.
    All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?
    • Re:75 attempts? (Score:5, Insightful)

      by sammy baby (14909) on Tuesday September 13, 2005 @01:16PM (#13548667) Journal
      Plenty of them. Implementing a lockout out of X number of bad attempts can open you up to some hairy denial of service attacks. Want to lock out a user for a few hours? Just fail to login as that person 5 times.

      Not to say that the alternatives don't have their weaknesses, but this one certainly does as well.
      • Re:75 attempts? (Score:3, Insightful)

        by SatanicPuppy (611928)
        Where I work it's three times, and the lockout on the critical systems doesn't expire--you have to be reactivated by an admin. The exception is root, but root can only log on when sitting in front of the keyboard, in the multi-locked and monitored server room.

        Most of our connectivity is onsite anyway...VPN access is pretty tightly regulated...so for us to be DOS vulnerable, the attacker would have to be inside the building, on the network, and by "on" I mean "plugged into" because my boss thinks "wireless s
      • Re:75 attempts? (Score:5, Interesting)

        by papasui (567265) on Tuesday September 13, 2005 @03:03PM (#13549701) Homepage
        This is exactly how I exploited a Novell network while in high school.. I wrote a keystroke logger and then intentionally entered my own password wrong several times until I was locked out. I called the Sysadmin over and he logged in on the computer and reset my password. I then pulled his password from the logger and made my own sysadmin account 'jdoe'.
    • Re:75 attempts? (Score:2, Insightful)

      by gamer4Life (803857)
      You can program it to guess the password 3 times a day and within several weeks, the password will be yours. Still a reasonable timeframe.

      Of course if the person changes the password every 3 weeks...
    • Our login passwords at school will let you try as many times as you want so long as you give it some time (an hour or so) in between attempts.

      Also notice that these are random character passwords. Most people use stuff like "scruffy123", not "ywxhfq"
    • Some 'lock out after (x) attempt' implementations are rather stupid -- they only do it, if it's done in one session. (most of the ones I've dealt with in applications ... OSes tend to be better, but even then it's a toss up)

      When I'm trying to remember a password I've forgotten, as some of the systems I deal with lock after three failures, I'll try two passwords, disconnect, reconnect, try two more, etc.

      Now, not all systems will allow this, but some of the bad implementations will let this go on for ever.
    • Re:75 attempts? (Score:2, Insightful)

      by chinadrum (848282)
      One would hope you'd be locked out before then. The problem is that most people don't use random passwords. When the keys you record return Fluf[]y you can guess the missing letter mom typed was 'f' to fill in Fluffy. Bang one try. It's back to the old physical security deal.
    • '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.

      All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

      One used by marketing?

      [badum-ching]

      Seriously, good point. But for security, I'd also expect the lockout to remain until manually cleared... not cleared automatically after a certain time.

    • "90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary"

      Presumably, if you tried 5 attempts on 4 different accounts each, you'd still have a 90% chance of getting access to one.
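
Added example, not part of any comment above: the posts in this sub-thread describe lockouts that only count failures within one session, and the trade-off between a hard lockout and denial of service. The Python below contrasts a per-session counter with a per-account counter that applies a capped exponential delay; the class names, delay values and the constructed guess list are assumptions made for illustration.

```python
import hmac

MAX_FAILURES = 5    # lockout threshold quoted in the thread
BASE_DELAY = 30     # seconds; assumed starting delay
MAX_DELAY = 3600    # assumed cap, bounds how long a prankster can stall a user


def _same(a, b):
    # Constant-time comparison so the check itself leaks no timing.
    return hmac.compare_digest(a.encode(), b.encode())


class SessionCounter:
    """Weak variant: the failure count lives in the session and dies with it."""

    def __init__(self, password):
        self._password = password

    def new_session(self):
        return {"failures": 0}

    def login(self, session, guess):
        if session["failures"] >= MAX_FAILURES:
            return "locked"
        if _same(guess, self._password):
            return "ok"
        session["failures"] += 1
        return "denied"


class AccountThrottle:
    """Count is stored with the account, so reconnecting does not reset it.
    From the fifth failure on, each failure doubles the wait (up to the cap)."""

    def __init__(self, password):
        self._password = password
        self.failures = 0
        self.next_allowed = 0.0

    def login(self, guess, now):
        if now < self.next_allowed:
            return "throttled"          # the guess is not evaluated at all
        if _same(guess, self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            delay = min(BASE_DELAY * 2 ** (self.failures - MAX_FAILURES), MAX_DELAY)
            self.next_allowed = now + delay
        return "denied"


def ranked_guesses(password, position):
    """Constructed test data: a guess list with the real password at `position`."""
    return [f"guess{i:02d}" for i in range(position - 1)] + [password]


def probe_session_counter(server, guesses, per_session=2):
    """How many guesses get evaluated when the client reconnects every
    `per_session` tries, as one comment describes doing by hand."""
    evaluated, used = 0, 0
    session = server.new_session()
    for guess in guesses:
        if used == per_session:
            session, used = server.new_session(), 0
        result = server.login(session, guess)
        used += 1
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


def probe_account_throttle(server, guesses):
    """(guesses evaluated, seconds elapsed) for a client that retries as soon
    as the server allows, at one attempt per second otherwise."""
    now, evaluated = 0.0, 0
    for guess in guesses:
        now = max(now, server.next_allowed)
        result = server.login(guess, now)
        evaluated += 1
        if result == "ok":
            break
        now += 1
    return evaluated, now


if __name__ == "__main__":
    pw = "ywxhfq"   # the random-looking sample password from the thread
    print(probe_session_counter(SessionCounter(pw), ranked_guesses(pw, 75)))
    print(probe_account_throttle(AccountThrottle(pw), ranked_guesses(pw, 20)))
    print(probe_account_throttle(AccountThrottle(pw), ranked_guesses(pw, 75)))
```

With these assumed delays the 20th guess is only evaluated after about nine hours and the 75th after about 2.7 days, while the per-session counter evaluates all 75 immediately. The throttle slows guessing and leaves time for alerting rather than stopping it, which is the limitation the replies about slow guessing point at.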
  • by tabkey12 (851759) on Tuesday September 13, 2005 @01:08PM (#13548584) Homepage
    It just goes to show that when you have physical access to a computer, the security's already broken...
  • by Alcimedes (398213) on Tuesday September 13, 2005 @01:09PM (#13548590)
    Go figure, typing properly now means you get your password cracked.

    Guess that's all the more reason to keep that Cheetos bag crinkling as you type. Gotta stop the commies!
    • It's not like any normal secure network lets an attacker try 20 times. Just mistype a few characters and select them using the mouse to delete them - thereby increasing the number of attempts required exponentially.
  • WARNING (Score:5, Funny)

    by JamesD_UK (721413) on Tuesday September 13, 2005 @01:09PM (#13548592) Homepage
    Security experts recommend you don't speak the name of the key you're hunting for as you type your password with a single finger.
  • good idea (Score:2, Insightful)

    by tont0r (868535)
    i like how they used basic methods of cryptanalysis in order to help find out what is what. an example is how they mentioned about the Digraphs such as TH from THE, which is a very common word. so it's easy to pick out from the group because you can 'listen' for the space bar key and if only 3 keys are hit and they have been matching others, you can then find out what E is.
    then let's say you find out what THE is, then you find another word that is 5 letters that starts with 'THE', then you are going to fi
  • Great... (Score:5, Funny)

    by crc32 (133399) <colinNO@SPAMursa.ath.cx> on Tuesday September 13, 2005 @01:10PM (#13548608) Homepage
    Now I'll need tinfoil wallpaper too, time to go to Cosco...
    • Re:Great... (Score:5, Funny)

      by rtaylor (70602) on Tuesday September 13, 2005 @01:20PM (#13548723) Homepage
      Now I'll need tinfoil wallpaper too, time to go to Cosco...

      Tinfoil was eliminated by the government and replaced with aluminum foil. Your wallpaper and hats only make you believe you're safe.
      • Re:Great... (Score:5, Funny)

        by OzPeter (195038) on Tuesday September 13, 2005 @02:27PM (#13549383)
        If you knew your world history you would know that it was an early 20th century right wing plot to get the US to use aluminum instead of the aluminium that the rest of the world uses.

        You see while aluminum looks and feels a lot like aluminium, it is actually a different material, so much so that it cannot be used as a tinfoil hat replacement.

        Thus by duping the US citizens into believing that aluminum was just as good as aluminium (and more patriotic for the country), the government easily gained the capability of reading all of your thoughts, even when you thought they couldn't [*]

        As of now, the rest of English speaking world sits smugly by wearing our aluminium foil hats, safe in the knowledge that our thoughts are secure.

        [*] Unfortunately there was a side effect to being able to read the thoughts of everyone in the US. The summaries of such thoughts are used to brief the president in order to help him direct policy. But starting with the Shiny Shiny movements of the mid 80's succeeding presidents have slowly become paralysed by the thoughts of the mass population. This has come to a head with GWB being briefed hourly about how the population feels about JLo and Bennifer, while other, more important items are ignored.

        The only possible solution to this is to disband the remote thought readings, but when confronted with leftist radical ideas like this, the CIA/Industro-Military Complex reacts violently and labels such ideas as being the work of terrorists. (It should be noted that these people are known to have holdings of aluminium manufacturers in other countries, thus securing their *private* supply of aluminium foil hats).
  • by ScentCone (795499) on Tuesday September 13, 2005 @01:11PM (#13548617)
    Honestly, I've always wondered about this. But then it occurs to me that you could type the ALT+Numeric equivalent of your password characters, just to throw off the bad guys. You know, ALT+100 = "d", etc. Or, just bang the drum slowly when entering the password - loud, thumpy keystrokes. Or put the keyboard in your lap momentarily to alter the acoustic signature.

    Or, don't worry. I mean, realistically, what are the odds of this crack actually happening in the non-ultra-spooky world? And once you're in that playground, it's biometrics, smartcards, etc., anyway, right?
  • Easy Fix (Score:2, Funny)

    by jatemack (870255)
    Just make a clicking noise with your tongue and the roof of your mouth as you type. It sounds almost identical, and you'll automatically sync the sound up with each keystroke.

    Try it.
  • I'm glad my TouchSTream LP by the now defunct Fingerworks makes no noise at all while I type ;)
  • by keyne9 (567528)
    Wouldn't this only apply to people who type "properly"? Or did this apply to any and all forms of bastardized typing methods (for example, hunt'n-peck)?
  • by allanc (25681) on Tuesday September 13, 2005 @01:17PM (#13548678) Homepage
    With these clicky buckling springs, they'll be able to sniff my password from miles away!
  • Different sounds (Score:2, Insightful)

    by Namronorman (901664)
    I notice that keys I use the most are the loudest and sound different, probably from wear. Stating that, how easy would this cracking method work on a brand new keyboard (or perhaps a laptop keyboard)?
  • From Appendix A:


    Original text. Notice that it actually contains two typos, one of which is fixed by our spelling corrector.


    Also I notice this paper was funded in part by the USPS. What is the USPS doing with this type of research?
    • The USPS is facing a real problem with phones, teletypes, email and IM. Now that people are opting for web payment methods, the volume of mail is dropping. Direct deposits and direct payment/debit cards are further cutting into their revenue stream.

      They can't ass-u-me that they get at least five pieces of mail going in both directions.

      If digital forms of communications can't be cracked except by 'social engineering', they are going to further disappear. (Of course I still get 'snail' mail spam.)

      But how depe
    • What is the USPS doing with this type of research?

      To find methods to read your unopened mail by listening to it.
  • for membrane keyboards!
  • Agent x86 (Score:5, Funny)

    by Molina the Bofh (99621) on Tuesday September 13, 2005 @01:20PM (#13548735) Homepage
    Be careful, chief. Let's type in the cone of silence.
  • by Anonymous Coward
    This reminds me of a sysop I once worked with. Every time he logged in you could clearly identify the rhythm of M-I-C-K-E-Y M-O-U-S-E. Sometimes he was even stupid enough to hum the tune as he typed it. And this idiot was one of the senior IT guys at a major oil company.
  • If they'd done a little more research, they might have come across the report of a certain national crypto agency, in the 1950's, having several blind personnel able to do the same thing with typewriters. it's a bit easier with typewriters as the fwap! of the type bars hitting the paper has more variation than your typical computer keyboard.
  • I prefer visual snooping. It's much more effective :)
  • by Klowner (145731) on Tuesday September 13, 2005 @01:27PM (#13548809) Homepage
    It's also incredibly helpful when they mumble their password as they type it.
  • by Gudlyf (544445)
    dupe [slashdot.org]
  • by coyote-san (38515) on Tuesday September 13, 2005 @01:28PM (#13548831)
    25 years ago (gah!) I really freaked out my boss because I made a big production of turning my back to him as he typed the root password. I turned back and told him what he just typed.

    It wasn't anything fancy, just familiarity with the sound that keyboard made and the usual pauses as fingers move to various keys.

    I also used to be able to tell you what number was dialed from the touchtones.

    P.S. a college friend said that he would occasionally talk to others in morse code after a long duty shift when he was in the military. Forget the nonsense in the introductory material - anyone who really knows morse code and knows it fast hears it as words. It's not hard to take the final step and speak it like you hear it.
  • 1. Jack the target's phone.
    2. Have it call your recording station.
    3. Record keystrokes.
    4. Recover passwords.
  • Due South (Score:3, Informative)

    by kannibal_klown (531544) on Tuesday September 13, 2005 @01:33PM (#13548883)
    I remember an episode of "Due South." It was a silly show, but at least somewhat entertaining. Anyway, one of the guys made an interesting point.

    They were in the room when a guy typed in his password, they could see the keyboard or anything. Anyway, the Mountie said that each key sounds slightly different. Anyway, after playing with the keyboard a few minutes he was able to guess it within a few tries.

    Granted, the show was as fictitious as they come: "Canadians have computers!?!?" But it made some sense and afterwards I started playing with my keyboard I too realized most of them sounded slightly different.

    However, I don't have "the ear" for such things (ie, I can't tell what phone number was pressed by the tone). I wonder if someone with a good enough ear can use this to their advantage though. Perhaps someone blind who's trained his ears well enough.

    Then again, it's probably just a load.
  • If you have the time to do it, why not just analyze the residual fingerprint oils left behind on the keys? The oldest oils would differ from the newer oils, and could essentially be used to backtrack any password.
  • This might be slightly off-topic, but our IT department recently got new Dell PCs and these keys are so loud and clicky. And not the good clicky, a bad, cheap sounding clicky that aggravates me.
  • by flynt (248848)
    For once, not having a password is a good idea.
  • My understanding from reading the paper is that this approach is only effective for english-language words. Using complex passwords (special characters, numbers, etc.) seems like it would significantly reduce the effectiveness of this attack. A nice follow-up to this paper would be applying the research to analyze how this would impact password guessing in situations with complex passwords.

    Sometimes, old tricks are the best tricks!
  • The implication here is NOT passwords. It's key logging without running a key logger. Theoretically I could "accidentally" leave my PDA on my boss's desk after a meeting and have it record a gig or two of his typing. come back a while later, grab the PDA, download the audio, run it through a machine learner, and viola! All of his correspondence. Even better, I could just run it over the wireless network and get a constant stream of his typing.

    -Rick
  • Don't panic (Score:5, Interesting)

    by ezweave (584517) on Tuesday September 13, 2005 @02:04PM (#13549173) Homepage

    While it is an interesting topic, controlled conditions are required for this to work correctly.

    They use a deterministic method to find the next probable character for a given sequence. Deterministic in that if I type 't' and then type 'h' and there are only so many combinations available after that (this is the Markov chain part). Er basically a sort of decision coverage. That is used with the spell check dictionaries they mention for English text recognition. It is interesting too that they are using a neural network (though appropriate) to recognize the patterns. But because they did not make their own, the details are a bit brief.

    The problem I see is that the password detection is not flushed out enough and based upon what they state, it is not as powerful as it sounds. The deterministic method won't work for all passwords (as they typically are not English). Their "analysis" is basically a speed up on a dictionary hack (it helps to know the size of the password from the keystrokes), eliminating possibilities by way of possible patterns. But what about special characters, does a shift+key sound that different? Mixed cases, etc? And the deterministic approach does not work if the password is random AND the network has to be trained for THAT person's typing style and keyboard. Is that likely?

    I would be more worried about Van Eck Phreaking [wikipedia.org].

  • Phone eavesdropping (Score:3, Informative)

    by jbum (121617) on Tuesday September 13, 2005 @02:17PM (#13549292)
    A prior paper by Asonov and Agrawal [google.com] is also fascinating reading.

    I assumed when I first heard about this that hi-fidelity microphones were employed, however, the researchers used cheap PC mics. In addition, they speculate that eavesdropping over the phone is possible:

    Another observation that can be made from the experiments is that higher frequencies are generally less informative. Of particular interest is the 300-3400 Hz interval telephone audio band. The relatively good ADCS for this interval in our experiments suggests that eavesdropping on the clicks over the phone [...] is potentially possible.

