Chrome Extension Thwarts User Profiling Based On Typing Behavior

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.

I dunno?

[KGIII]

Seems like a theoretical problem with a theoretical solution. Just because they found one mechanism does not mean that there is not another. Just because they were able to do it in a controlled environment does not mean that others can or will. It seems a lot of effort to actually get fairly trivial information. Most browsers are fairly uniquely fingerprinted anyhow. There are easier ways to track (and likely more certain ways) so this seems like a non-starter without more information and more prevalence.

Re:

[The MAZZTer]

It's been proven a browser exposes a lot of personalized data. Low value data, such as, for example, the fonts installed on a machine, but it can be used to digitally fingerprint you.

Re:

[Anonymous Coward]

https://panopticlick.eff.org/ shows you a few data points that can be used to profile browsers (fonts being one of them).

Seems like Javascript is one giant profiling tool and the only way to even start fighting profiling is to disable it by default. Even then browsers still broadcast lots of data.

Re:

[thorsheim]

Doesn't have to be Javascript, but being a very common thing around, its obviously the easy choice. Anything that can & will record & process your typing inside the DOM could to this afaik.

Re:

[fustakrakich]

Yeah, I think they notice when I zoom in the page all the time. I keep getting ads for new reading glasses.

Re:I dunno?

[martas]

this does not fingerprint the browser, it fingerprints the user. it doesn't matter if you switch browsers, or even computers, your typing patters remain the same, and potentially identifiable.

Re:

[KGIII]

This still seems unlikely to be useful with the noise floor it would have. At least not by itself - maybe that is the intent.

Re:

[thorsheim]

Yeah, implementations do not operate with FAR/FRR rates, they focus on giving a confidence score to you, the operator. Based on that you decide what to do. Typically you won't deny access to anyone punch drunk typing in username + password correctly, but you will flag all transactions for manual control as an example. Coursera, an online training provider uses it when you signup for an account, and when you hand in any tests you've done for scoring.

Re:

[aaron4801]

"the Tor browser, which is supposed to guarantee anonymity."
Dangerously incorrect. In fact, the start page makes this quite clear: "Tor is NOT all you need to browse anonymously! You may need to change some of your browsing habits to ensure your identity stays safe." The Tor Browser allows you to be anonymous, IF you follow some basic principles. Nothing is guaranteed.

Re:

[KGIII]

You are on TOR. Turn off scripting.

Re:

[thorsheim]

Lots of companies have products that allows you to do keystroke dynamics on their websites, and we've heard of several UK banks as an example actively using this today. Browsers are fairly uniquely fingerprinted. Keystroke dynamics fingerprints the HUMAN, so if you wipe all your cookies, change browser, change computer and change (IP) location, keystroke dynamics will still identify you.

Re:

[KGIII]

Those seem well and *potentially* good if you want to match a metric but they seem trivial to defeat in anything with any noise associated with it. I pause at random points and will sometimes return a half hour later and delete stuff. I am not saying that I can not be fingerprinted but I am saying that it would be difficult and there are much easier ways that are much more likely to succeed.

Re:

[thorsheim]

Sure, and what we show is this technology specifically, not everything else.

Re:

[DanJ_UK]

What the blithering fuck are you on about?

Re:

[thorsheim]

martas is correct.

Re:

[thorsheim]

UK banks, large online training site in the US, as just 2 examples known to use this today.

Complex signal analysis

[Impy the Impiuos Imp]

That's mechanical use of keyboard, but you're also gonna need a phrase anyzer and commonizer. Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

If you can tie a controversial anon to a known account like facebook, you can then go all SJW on him, outing them to their employer and getting them fired.

I am less concerned about racist assholes than more general political opinions and so on.

Re:Complex signal analysis

[ArcadeMan]

Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

thats one more reason too never use capital letters or punctuation and too write with as many misteaks as u can including us1ng l33tsp34k

Re:

[thorsheim]

Valid points, lots of other features from your way of typing may aid in building an anonymous profile. Keystroke dynamics is just an addition to that, and the plugin blocks keystroke dynamics from being used to build & identify people (not browsers).

A Chrome privacy extension

[Anonymous Coward]

The term "pissing in the ocean" comes to mind.

Re:

[thorsheim]

Everybody does it, so why not be part of the movement?

You typed too slow today

[Anonymous Coward]

Locked out of everything, hooray!

Re:

[thorsheim]

Java & Javascript. NOT the same thing!

Doing it wrong

[wbr1]

If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

Am I surprised that this can be done? No. But DO-NOT-ALLOW-SCRIPTS in your browser if you are truly attempting to be secure.

Re:

[PvtVoid]

If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

I don't think that Thorsheim was using Tor in an attempt at any actual security, but simply to isolate the effect of keyboard timings from other potential means of identifying the user. He was using Tor to create a controlled experiment.
 

Re:

[thorsheim]

Correct. There are also so many websites around where Javascript is required for the site to work. I wouldn't be surprised if quite a few Tor users allowed Javascript here and there. And it doesn't have to be done using Javascript either.

Who cares

[Anonymous Coward]

Why would anyone use this spyware anyway? Just use Firefox, or even modern versions of IE is better

Not random, constant timing

[Anonymous Coward]

Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical. Adding random noise as it sounded like the summary was describing tends to be ineffective against timing attacks because it averages out.

Re:

[PvtVoid]

Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical.

Which probably makes them even more identifiable, since it is unlikely that more than a tiny minority of Chrome users will use such an extension. This is a fundamental problem with this sort of thing: if you really want to be hard to identify, you want to make yourself look as much like the rest of the clueless rabble as possible. If only one user in ten thousand is loading themselves up with privacy extensions, it probably makes for an excellent fingerprint in and of itself.

Re:

[thorsheim]

True & not true. The plugin randomizes (delays) the keypress inputs into the dom, you can change the values. We did consider doing everything constant as well as randomization. Difficult tradeoff. The main point is to lower/remove the risk of a profile being built and used.

Re:

[PvtVoid]

The plugin randomizes (delays) the keypress inputs into the dom, you can change the values.

This seems more reasonable. However, it's not obvious that this would not itself be a trackable signature, easily distinguished from actual human behavior.

Anti tracking plugin for Chrome??

[Carewolf]

Why would you make an anti-tracking feature for a browser only made to track you? Whatever you do you are still being tracked by default, that is the point of Chrome.

Re:

[Anonymous Coward]

Because they also work on Chromium, the OS version which doesn't track you?

Also, your point makes zero sense, as the adversaries are different: this add-on prevents websites in general from identifying you, not Google in particular.

Re:

[swillden]

Whatever you do you are still being tracked by default, that is the point of Chrome.

Do you have any evidence to back that claim up?

There are a number of features in Chrome that optionally talk to Google. But you can change them all if you prefer. Do you have any proof that it "phones home" in any hidden way? It should be quite easy to prove; Wireshark is all you need.

FWIW, I know some of the guys who started the Chrome project. Actually, they didn't start Chrome, they started V8. The point was to prove that Javascript engines could be orders of magnitude faster than they were, and to

That's one solution

[tehlinux]

> by randomizing the rate at which characters reach the DOM

Just do what IE11 does and randomly don't send some characters to the DOM.

Re:

[thorsheim]

the source code is right there, in front of your closed eyes.