
Keyboard Sound Aids Password Cracking 389

stinerman writes "Three students at UC-Berkeley used a 10-minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"
  • by otomoton ( 911331 ) on Tuesday September 13, 2005 @01:07PM (#13548564)
    Does this mean that instead of keystroke loggers, spyware is now going to monitor our microphone input? This almost sounds like something out of a bad 80's movie.
  • by ScentCone ( 795499 ) on Tuesday September 13, 2005 @01:11PM (#13548617)
    Honestly, I've always wondered about this. But then it occurs to me that you could type the ALT+Numeric equivalent of your password characters, just to throw off the bad guys. You know, ALT+100 = "d", etc. Or, just bang the drum slowly when entering the password - loud, thumpy keystrokes. Or put the keyboard in your lap momentarily to alter the acoustic signature.

    Or, don't worry. I mean, realistically, what are the odds of this crack actually happening in the non-ultra-spooky world? And once you're in that playground, it's biometrics, smartcards, etc., anyway, right?
  • Re:applicability? (Score:3, Interesting)

    by Narcissus ( 310552 ) on Tuesday September 13, 2005 @01:11PM (#13548619) Homepage
    My laptop has a built-in microphone 'somewhere' near my keyboard. I don't know if this is too close to actually get anything from, though: it all sounds quite similar to me, when I happen to be talking via VoIP with a friend who refuses to:
    a) get a standalone mic; and
    b) stop coding while he's talking to me...
  • by MankyD ( 567984 ) on Tuesday September 13, 2005 @01:16PM (#13548671) Homepage
    I'd have a hard time believing this method transcends all keyboard models, and all typists.
    It doesn't, but it does work for most keyboards, and that's the catch. Keyboards must be specifically designed to counter it. Thus far, most aren't.
  • by LLuthor ( 909583 ) <lexington.luthor@gmail.com> on Tuesday September 13, 2005 @01:17PM (#13548677)
    It's not like any normal secure network lets an attacker try 20 times. Just mistype a few characters and select them using the mouse to delete them - thereby increasing the number of attempts required exponentially.
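
The guess counts quoted in the summary and the lockout objection in the comment above can be put side by side in a short added example (not from the paper or from any commenter): it ranks candidate passwords by joint probability from per-keystroke classifier scores and checks where the real password lands against an attempt limit. The scores, the password `melon` and all function names are constructed for illustration.

```python
import heapq
from math import log

# Constructed classifier output: for each of 5 keystrokes, the letters the
# sound could be and the probability assigned to each (illustrative values).
CLASSIFIER_OUTPUT = [
    {"m": 0.6, "n": 0.3, "j": 0.1},
    {"w": 0.5, "e": 0.4, "r": 0.1},
    {"l": 0.7, "k": 0.2, "o": 0.1},
    {"o": 0.8, "i": 0.15, "p": 0.05},
    {"m": 0.5, "n": 0.3, "b": 0.2},
]

def ranked_guesses(per_key):
    """Yield candidate passwords in descending joint probability (best-first)."""
    cols = [sorted(d.items(), key=lambda kv: -kv[1]) for d in per_key]

    def cost(idx):  # negative log-probability of one combination
        return -sum(log(cols[i][j][1]) for i, j in enumerate(idx))

    start = (0,) * len(cols)
    heap, seen = [(cost(start), start)], {start}
    while heap:
        _, idx = heapq.heappop(heap)
        yield "".join(cols[i][j][0] for i, j in enumerate(idx))
        # Successors: demote exactly one keystroke to its next-best letter.
        for i in range(len(idx)):
            nxt = idx[:i] + (idx[i] + 1,) + idx[i + 1:]
            if nxt[i] < len(cols[i]) and nxt not in seen:
                seen.add(nxt)
                heapq.heappush(heap, (cost(nxt), nxt))

def top_guesses(per_key, n):
    """First n guesses an attacker working from these scores would try."""
    gen = ranked_guesses(per_key)
    return [g for _, g in zip(range(n), gen)]

def attempts_needed(per_key, secret):
    """Rank of the real password in the guess order, or None if never produced."""
    for n, guess in enumerate(ranked_guesses(per_key), start=1):
        if guess == secret:
            return n
    return None

def survives_lockout(per_key, secret, max_attempts):
    """True if an online lockout after max_attempts stops the ranked guessing."""
    rank = attempts_needed(per_key, secret)
    return rank is None or rank > max_attempts
```

With these constructed scores the real password is the fifth guess, so a three-try lockout stops the ranked guessing while a 20-try budget does not.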
  • Re:75 attempts? (Score:1, Interesting)

    by Anonymous Coward on Tuesday September 13, 2005 @01:17PM (#13548691)
    Since you have a list of possible passwords, you'll probably be able to guess if it's more likely to be 'qjinkmrreyruqrrl' or 'thinkmoreyoutool'.
  • Re:applicability? (Score:3, Interesting)

    by Migraineman ( 632203 ) on Tuesday September 13, 2005 @01:18PM (#13548700)
    If I've got access to install spyware on your computer, why would I go through the Rube-Goldbergian process of recording sound, processing, etc? Can't I just sniff the keypresses directly?

    Now, using the mic in a laptop to sniff sounds made by *other* computers would be pretty slick.
  • Re:applicability? (Score:2, Interesting)

    by rot26 ( 240034 ) * on Tuesday September 13, 2005 @01:25PM (#13548792) Homepage Journal
    I'm not saying they don't exist, I'm just saying they don't work like you think they work. The ones on the football field probably help mask ambient crowd noise, but they don't do much, if anything, to increase the gain of the target audio. Audio frequencies, especially in the range of the human voice (i.e. relatively low) are HIGHLY non-directional.

    Now if you want something that actually WORKS, try a laser microphone or an array of mics in tubes of varied lengths with each tube resonating at a likely component of the targeted frequency range. (Still not directional, but has a lot of gain.)
  • by coyote-san ( 38515 ) on Tuesday September 13, 2005 @01:28PM (#13548831)
    25 years ago (gah!) I really freaked out my boss because I made a big production of turning my back to him as he typed the root password. I turned back and told him what he just typed.

    It wasn't anything fancy, just familiarity with the sound that keyboard made and the usual pauses as fingers move to various keys.

    I also used to be able to tell you what number was dialed from the touchtones.

    P.S. a college friend said that he would occasionally talk to others in morse code after a long duty shift when he was in the military. Forget the nonsense in the introductory material - anyone who really knows morse code and knows it fast hears it as words. It's not hard to take the final step and speak it like you hear it.
  • by sTalking_Goat ( 670565 ) on Tuesday September 13, 2005 @01:29PM (#13548844) Homepage
    Read the article but not the paper. I could see some immediate flaws. For people who learned traditional typing methods and make few mistakes (i.e. most heavy computer users) this could work.

    For people like me who never learned to type the "correct way" and use a mish-mash of styles and methods, or someone with fat fingers who makes a lot of mistakes, or the typing dyslexic, the system might be flawed. Also I'd imagine a twisted Keyboard would sound very different from a rectangular straight keyboard.

    It's not a catch-all system but it would probably work on most people...

    Having a recording of a short known sequence could probably narrow the error margin a lot though....

  • by Enigma_Man ( 756516 ) on Tuesday September 13, 2005 @01:33PM (#13548881) Homepage
    That's exactly what this article is about though... They can get your keystrokes with 96% accuracy just by listening to them over a period of time.

    So, theoretically, yes; malware could listen to microphone input of you typing and work it backwards into key logging. If spyware's already on your system though, it'd be easier just to log the keys in the system. But you could figure out what someone else is typing just by recording it.

    -Jesse
  • I think so (Score:5, Interesting)

    by the_mighty_$ ( 726261 ) on Tuesday September 13, 2005 @01:33PM (#13548882)

    This technique must be usable on most keyboards, because judging from this [textfiles.com] the FBI sometimes uses (or has used in the past) this technique. From the page:

    Audio surveillance. This method is a variation of Attack #4. FBI technicians install an audio bug near your computer. The sounds generated by the keyboard can be analyzed. By comparing these sounds with the noises made during generation of a known piece of text, the FBI can often deduce your passphrase - or come so close that only a few characters need to be guessed.

    Oh and by the way, that page was written in 1998, so these UC-Berkeley students (and the /. editors) are about 7 years slow.

  • by Hoi Polloi ( 522990 ) on Tuesday September 13, 2005 @01:42PM (#13548968) Journal
    If you use Windows you can also use osk.exe (On Screen Keyboard) to enter your password, this will allow you to bypass the keyboard completely. This also assumes that you have taken precautions against TEMPEST and CRT diffuse visible light monitoring.
  • by cei ( 107343 ) on Tuesday September 13, 2005 @02:01PM (#13549142) Homepage Journal
    Well, I've heard about a guy who was pretty severely colorblind who could color-correct photos in Photoshop by the numbers and come up with better results than those who didn't share his impairment. It's interesting to me when meta content becomes content in its own right... if the lights of the EQ become just as valid a form of expression as the sounds driving them.
  • Don't panic (Score:5, Interesting)

    by ezweave ( 584517 ) on Tuesday September 13, 2005 @02:04PM (#13549173) Homepage

    While it is an interesting topic, controlled conditions are required for this to work correctly.

    They use a deterministic method to find the next probable character for a given sequence. Deterministic in that if I type 't' and then type 'h' and there are only so many combinations available after that (this is the Markov chain part). Er basically a sort of decision coverage. That is used with the spell check dictionaries they mention for English text recognition. It is interesting too that they are using a neural network (though appropriate) to recognize the patterns. But because they did not make their own, the details are a bit brief.

    The problem I see is that the password detection is not flushed out enough and based upon what they state, it is not as powerful as it sounds. The deterministic method won't work for all passwords (as they typically are not English). Their "analysis" is basically a speed up on a dictionary hack (it helps to know the size of the password from the keystrokes), eliminating possibilities by way of possible patterns. But what about special characters, does a shift+key sound that different? Mixed cases, etc? And the deterministic approach does not work if the password is random AND the network has to be trained for THAT person's typing style and keyboard. Is that likely?

    I would be more worried about Van Eck Phreaking [wikipedia.org].

  • by gi-tux ( 309771 ) on Tuesday September 13, 2005 @02:23PM (#13549349) Homepage
    When I first saw the headline, I thought that maybe they were doing time analysis on the keystrokes to guess the fingers used and which row on the keyboard. If that were the case, I would just type my password using a couple of fingers and do some very accurate timing (given I used to be a drummer, I can get pretty accurate) and that would throw them off.

    However, this is a little harder, I have to hit each and every key so that it makes exactly the same sound. This is extremely difficult because even if I use exactly the same pressure and exactly the same stroke on every key, then the spring might be different, or the switch might be slightly different on a few keys and still give hints.

    I think that the best defense is to learn to type at about 1200 words per minute (100 characters per second) so that the sound is just one constant stream and they would be incapable of breaking it down. Like the German "zip gun" from WWII, the MG-42 which fired around 1200-1300 rounds per minute and sounded like a zipper to the Allied soldiers. The constant short zip sounds also made it difficult to locate the gun when in cover.

  • by Enigma_Man ( 756516 ) on Tuesday September 13, 2005 @02:54PM (#13549622) Homepage
    Also I'd imagine a twisted Keyboard would sound very different from a rectangular straight keyboard.

    The algorithm in the description doesn't have/need a baseline recording of any particular keyboard, it learns as it goes along, using pattern, and dictionary-style decoding. It just listens for all sorts of different sounding keystrokes, then starts to assume things as it goes along. If you type the same three different sounding characters in a row a whole bunch of times, it's probably the word "the" rather than "zoe". It can use common words and lengths of words to figure it out, even if you're typing on a homemade, metal keyboard that sounds 100% unique from any other board.

    -Jesse
  • Re:75 attempts? (Score:5, Interesting)

    by papasui ( 567265 ) on Tuesday September 13, 2005 @03:03PM (#13549701) Homepage
    This is exactly how I exploited a Novell network while in high school.. I wrote a keystroke logger and then intentionally entered my own password wrong several times until I was locked out. I called the Sysadmin over and he logged in on the computer and reset my password. I then pulled his password from the logger and made my own sysadmin account 'jdoe'.
  • Re:I think so (Score:3, Interesting)

    by KillShill ( 877105 ) on Tuesday September 13, 2005 @03:36PM (#13550007)
    it was written in 1998 so that means the FBI were using it for oh, the past 20+ years.

    do you think they would divulge their secrets if no one else knew? by 1998, just about every "security" and "intelligence" agency had already surpassed it.
  • by danila ( 69889 ) on Tuesday September 13, 2005 @04:20PM (#13550432) Homepage
    That would essentially make airborne computer viruses possible!

    A virus infects one computer in an office, installs spyware, listens to typing in the office, generates a dictionary of likely passwords and then attempts to attack nearby computers (just scan the subnet/workgroup) by using overheard passwords.
