Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Security Risk of Keyboard Clicks

Posted by simoniker on from the tap-tap-oops dept.

Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."

5 of 361 comments (clear)

  1. low~ by Leffe · · Score: 5, Informative
    The site was really slow, so I copied the article:


    OAKLAND -- Listen to this: Eavesdroppers can decipher what is typed by simply listening to the sound of a keystroke, according to a scientist at this week's IEEE Symposium of Security and Privacy in Oakland, Calif.

    Each key on computer keyboards, telephones and even ATM machines makes a unique sound as each key is depressed and released, according to a paper entitled "Keyboard Acoustic Emanations" presented Monday by IBM research scientist Dmitri Asonov.

    All that is needed is about $200 worth of microphones and sound processing and PC neural networking software.

    Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

    "This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

    Asonov found that by recording the same sound of a keystroke about 30 times and feeding it into a PC runninG standard neural netwOrking softwAre, he could decipher the keys with an 80% accuracy raTe. He was also able to train the SoftwarE on one keyboard to decipher the keystrokes on any other keyboard of the same make and model.

    Good sound quality is not required to recognize the acoustic signature or frequency of the key. In fact, Asonov was able to extract the audio captured by a cellular phone and still decipher the signal.

    "But don't panic," Asonov cautioned. "There are some easy ways to fix the problem." First, close the door in the room where you're working. Second, buy a rubber keyboard coffee guard that will dampen the sound enough to make eavesdropping difficult.

    However, Asonov said that he believed it was possible to use acoustical analysis algorithms to decipher key sounds based simply on gathering the data from just a couple of keys and extrapolating what other keys should sound like.

    Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories. For example, he discovered that it was the membrane that was providing the unique signature simply by cutting a keyboard in two and finding that the neural networking software no longer worked.


    Yeah, I put a surprise in there too ;)
  2. More reason than ever... by Simon+Carr · · Score: 3, Informative

    To pick up one of these babies... C'mon, it's like $400, I need to grab at any justification I can find!

    --
    -- The unsig...
  3. Sneakers by ultrasonik · · Score: 3, Informative

    This is old news. Ever see the movie Sneakers from 1992?

  4. Re:80% accuracy can be useless... or not by ArsenneLupin · · Score: 3, Informative
    Even if the password is recorded once, this will reduce the keyspace by 80%.

    Actually, it will reduce the key space by much more than that. Assume a 10 char password, with each char picked among 96 (Ascii without ctrl chars).

    Without any help, you'd have 96**10 = 66483263599150104576 possibilities to try out.

    By having the output from the algorithm, and assuming only two of its guess are false, you'd only have to try 10*9/2*96*96 = 414720 combinations.

    Well, of course, you don't know that exactly two characters are wrong. So it may indeed be three, or it may be just one. But, by using a smart algorithm, you'd still have to try out only 414720 passwords on average (first try out exact match, then passwords with 1 wrong char, then with 2, then with 3, etc).

    So, it's a much bigger reduction of keyspace than 80%.

    Of course, if the program can give you "hints" about which exact character(s) it things might be wrong, the keyspace will be reduced even further.

  5. Re:Great... by jdreed1024 · · Score: 4, Informative
    Those already exist. They're called "scramble pads". We had one on the server room where I used to work. You press "start", and it displays the numbers in LEDs under the keys, and you enter the code. Every time you press start, the numbers are in a different position. And you can barely read them when staring right at the pad, let alone from the side.

    Of course, it took about 5 times longer to get in than with a key or swipe card (since the code was 8 numbers), but there's always a trade-off.

    here's a picutre of one.

    --
    There is no sig, there is only Zuul.