
Keyboard Sound Aids Password Cracking 389

stinerman writes "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"
  • Berkley != Berkeley (Score:1, Informative)

    by Anonymous Coward on Tuesday September 13, 2005 @01:11PM (#13548620)
    Why do we trust a computer science research paper coming from a Business College [berkley.edu]?
  • by stinerman ( 812158 ) on Tuesday September 13, 2005 @01:20PM (#13548739)
    It is actually a typo on my part, not caught by Taco. The paper in question is from the CS Dept of UC Berkeley.
  • Due South (Score:3, Informative)

    by kannibal_klown ( 531544 ) on Tuesday September 13, 2005 @01:33PM (#13548883)
    I remember an episode of "Due South." It was a silly show, but at least somewhat entertaining. Anyway, one of the guys made an interesting point.

    They were in the room when a guy typed in his password, they could see the keyboard or anything. Anyway, the Mountie said that each key sounds slightly different. Anyway, after playing with the keyboard a few minutes he was able to guess it within a few tries.

    Granted, the show was as fictitious as they come: "Canadians have computers!?!?" But it made some sense, and afterwards I started playing with my keyboard and I too realized most of them sounded slightly different.

    However, I don't have "the ear" for such things (i.e., I can't tell what phone number was pressed by the tone). I wonder if someone with a good enough ear can use this to their advantage though. Perhaps someone blind who's trained his ears well enough.

    Then again, it's probably just a load.
  • Re:I think so (Score:3, Informative)

    by Anonymous Coward on Tuesday September 13, 2005 @01:35PM (#13548903)
    These guys do it *without* the known piece of text though; as a statistician, I applaud them!
  • by TripMaster Monkey ( 862126 ) * on Tuesday September 13, 2005 @02:06PM (#13549194)

    I've seen this objection several times in this discussion, so I think I should respond here.

    The audio recording required for deciphering the keystrokes needs to be different for every combination of user and keyboard. There is no way a universal key could be developed; even if the same make and model of keyboard were being used, the amount of wear the keyboard has experienced would contribute to differences in the sound, and this system depends on isolating unique sounds for each keypress. Also, different users have different typing styles...a recording of one user typing will be fairly useless in determining the keystrokes of another user.

    Also, the rhythm of typing is entirely beside the point here...again, the point is that each key makes a slightly different, unique sound when pressed. Given the sounds of enough keystrokes, the order in which they were pressed, and a knowledge of the language being typed in, it is easy to determine which sounds correspond to which letters. Think of it as a simple substitution cipher.
  • by 1u3hr ( 530656 ) on Tuesday September 13, 2005 @02:09PM (#13549232)
    Just learn Dvorak. Done.

    No. They analyse the clicks by comparing them with English letter frequencies. So it doesn't matter what the key is marked as, it's what you're using it for that is recorded.
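
The substitution-cipher view from the two comments above (TripMaster Monkey's description and 1u3hr's Dvorak reply), as an added example that is not part of either comment or of the paper. It assumes each physical key already has its own perfectly separated sound class; the sample text, the function names and the crude rank-matching recovery are constructed for illustration.

```python
from collections import Counter

# The same 30 physical keys, row by row, with two different sets of legends.
QWERTY = "qwertyuiopasdfghjkl;zxcvbnm,./"
DVORAK = "',.pyfgcrlaoeuidhtns;qjkxbmwvz"
# Approximate English symbol order, most frequent first (space bar included).
ENGLISH_ORDER = " etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample of typed text (not data from the paper).
TYPED = ("we will send the report to the bank in the morning "
         "and wait for an answer from the head office")


def sound_stream(text, layout):
    """What a listener gets: one opaque sound-class id per keypress.

    Assumption: every physical key has its own perfectly separated class,
    numbered here by key position; the space bar is key 30 on both layouts.
    """
    keys = layout + " "
    return [keys.index(ch) for ch in text]


def recover(stream):
    """Label sound classes by frequency rank, as for a substitution cipher.

    Counter.most_common() breaks ties by first occurrence, so the result
    depends only on the pattern of the stream, never on the class ids.
    """
    ranked = [cls for cls, _ in Counter(stream).most_common()]
    labels = ENGLISH_ORDER.ljust(len(ranked), "?")
    guess = dict(zip(ranked, labels))
    return "".join(guess[cls] for cls in stream)


def accuracy(text, recovered):
    """Fraction of keypresses labelled with the character actually typed."""
    return sum(a == b for a, b in zip(text, recovered)) / len(text)


if __name__ == "__main__":
    for name, layout in (("qwerty", QWERTY), ("dvorak", DVORAK)):
        guess = recover(sound_stream(TYPED, layout))
        print(f"{name:7}{accuracy(TYPED, guess):.2f}  {guess}")
```

On a sample this short, rank matching only gets the space bar and "e" right, but the output is identical for both layouts: the key legends never enter the analysis, so changing them is not a mitigation.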

  • Phone eavesdropping (Score:3, Informative)

    by jbum ( 121617 ) on Tuesday September 13, 2005 @02:17PM (#13549292)
    A prior paper by Asonov and Agrawal [google.com] is also fascinating reading.

    I assumed when I first heard about this that hi-fidelity microphones were employed, however, the researchers used cheap PC mics. In addition, they speculate that eavesdropping over the phone is possible:

    Another observation that can be made from the experiments is that higher frequencies are generally less informative. Of particular interest is the 300-3400 Hz interval telephone audio band. The relatively good ADCS for this interval in our experiments suggests that eavesdropping on the clicks over the phone [...] is potentially possible.


  • Re:My Luggage (Score:3, Informative)

    by isometrick ( 817436 ) on Tuesday September 13, 2005 @02:33PM (#13549436)
    I suspect it is (in reality) much higher than that, given the password/key/combo choosing standards of the general public.

    Don't assume that each possibility is equally likely. :)
  • Re:I think so (Score:5, Informative)

    by drew ( 2081 ) on Tuesday September 13, 2005 @02:42PM (#13549508) Homepage
    Even without RTFA:
    The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously.
    (emphasis mine)

    They are acknowledging that what you describe has been possible for some time, but what they have been able to achieve is different.
  • Re:My Luggage (Score:2, Informative)

    by c0n0 ( 901224 ) on Tuesday September 13, 2005 @03:16PM (#13549810)
    Actually, the number of combinations on any numeric system (in any base) is given by:

    base ^ no. of digits

    For example, on a base 2 system (binary), if you have only one digit you get 2^1 possible combinations, i.e. 2 (0 and 1).
    On a decimal system (base 10), if you have 2 digits it'd be 10^2 = 100 (from 00 to 99).

    Therefore, 12345 has 5 digits, assuming each one goes from 0 to 9 we can say that the possible number of combinations is 10^5 = 100,000.

    On a side note, you quoted just part of his sentence and took it out of context.

    He said:

    I suspect it is (in reality) much higher than that, given the password/key/combo choosing standards of the general public.

    so there's a whole chunk of sentence after the comma that you (conveniently) forgot/ignored.

    He was trying to say that not all numbers should have the same weight, because even though in theory there's equal chance of any combination getting picked by anybody, the reality probably is that most of the time people will go with a popular combination such as 12345, 00000, 11111, etc, so the likelihood of such numbers being picked is higher.

    So basically you:

    -took something out of context only to attack someone
    -just don't 'get math'
    -showed a great example of how 'quite simple' can sometimes be 'quite difficult'.
  • Re:TEMPEST (Score:2, Informative)

    by mikek2 ( 562884 ) * on Tuesday September 13, 2005 @04:37PM (#13550612)
    Apart from the fact that this is electromechanical rather than electronic, this *is* TEMPEST. I had a fair amount of TEMPEST training waaaay back in my military days (those damn 90's); I found it to be one of the most fascinating things I ever learned. Good site for an introduction [eskimo.com]
  • Re:applicability? (Score:2, Informative)

    by PiratePTG ( 608376 ) on Tuesday September 13, 2005 @07:10PM (#13552099)
    they don't work like you think they work. The ones on the football field probably help mask ambient crowd noise, but they don't do much, if anything, to increase the gain of the target audio.

    Almost right... The "Big Ears" (yes, that is their name, Google for them) parabolic reflectors work by focusing the intended audio onto the pickup face of a standard microphone. They don't necessarily increase the gain of the audio, but they decrease the signal to noise of the audio. Off-axis audio gets reflected back out the other side of the reflector, while the on-axis audio gets reflected to the face of the mic. And even the position of the mic in the reflector is adjustable, so you can compensate for distance. By reflecting the undesired audio out of the reflector, there is an apparent increase in desired audio gain. Big Ears don't mask undesired audio, it simply reflects it back out away from the mic pickup.

    try a laser microphone

    Wouldn't work in this application. A laser mic needs something to "reflect" off of. Like a window or the face of a framed picture. The hard surface merely becomes the diaphragm of the mic, the reflected laser signal is converted to audio pulses just like a moving coil over a fixed magnet would be. Pointing a laser mic at a keyboard would get you almost nothing. The tops of the keycaps are usually concave, and have a matte finish, which would effectively scatter the laser beam. And if you did just focus on one key, as soon as it was pressed, or a finger got in the way TO press it, you'd lose the signal. And besides, if you could point a laser at the keyboard, why not just get a camera?!

    an array of mic's in tubes of varied lengths with each tube resonating at a likely component of the targeted frequency range. (Still not directional, but has a lot of gain.)

    Ummm... Sorry... wrong again... The original "shotgun mic" got its name from the number of "barrels" it had. It would have been more appropriate to call it a "gatling-gun mic". The design was to have a number of tubes cut to resonate at different frequencies all barreled together, with a parabolic reflector (see Big Ears above) mounted on the rear, with a SINGLE mic inside of the reflector to pick up the audio. The "shotgun" effect did nothing to increase the gain of the audio, but works again by focusing desired audio onto the pickup head of a mic. The different length tubes did resonate at different frequencies, and increased the frequency response of the mic (the early shotguns used crystal elements). The apparent directionality of the mic was because side and rear audio was blocked from the pickup mic, by the fact it was in a parabolic chamber behind the tube stack. A stack of mics inside tubes as you suggest would kinda sorta work, but the electronics necessary to multiplex all that audio together, without introducing phase distortion, would be way too complex or even remotely practical.

    "Shotgun/gatling gun" mics are no longer used these days. At least I have never seen one in the wild. The directional "shotgun" mics used today are basically a tuned chamber with a pickup element that gets its directionality from phasing the desired audio. Audio from the rear or sides arrive at the pickup element out of phase and are canceled out. On-axis audio arrives in phase "with itself" and is picked up. Any gain from the mic again comes from decreasing the signal to noise, and through preamps built into the microphone. The tuned chamber itself does nothing to increase the gain of the desired audio.

    Now, all that said, I could easily build a wireless mic transmitter in less room than a postage stamp takes up, and again easily mount it close enough to a keyboard to pick up the keystrokes. A whole lot easier than trying to mount a camera somewhere to see the keyboard. The only downside to trying to crack a password by recording the keyclicks is that the keyboard probably needs to be fairly isolated. A keyboard in a room full of keyboards is not going to be easy to pick up. The signal to noise would be a factor to deal with. Not impossible, but certainly adds additional complexity, and inaccuracy, to the recording/cracking process.

    Just my nickel's worth...
