Slashdot Mirror
The Security Risk of Keyboard Clicks
Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."
Now when I log in to my account at work, instead of just needing password, secureid, smartcard, fingerscan, eyescan, and a note from my mother, I'll also need to use an on-screen touch-screen keyboard!
Of course, someone will probably now figure out that tapped glass reverberates at a different frequency...
Now we just need some covering noise while logging in. Time for a kernel patch?
You won't believe this, I know, but it's still a fact that I know a guy who - after couple of guesses - knows what you typed on your keyboard just by listening to your keyboard clicks.
It's pretty amazing when he demonstrates that.
Yeah, I put a surprise in there too
Sounds like bollocks to me. The amount of crumbs under my keys, I'd be mighty impressed if you got anything intelligble.
... but a firstpost on slashdot sounds differently.
There was a story a bit back (on Ars?) about how the government has been doing this since the 80's.
You know, I don't care.
Its not like I have the secrets to nuclear weapons research, nor do I have tomorrows stock market numbers. I and average Joe 24 Pack.
So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.
And well, if you have such sensative documents, Tempest your computer, unplug it from EVERY network and work.
I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world. NO. Anywho, my girlfriend just yelled at me so I needed to vent.
--sig fault--
I'm still not going to give up my Model M.
Cthulhu Saves.
OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough.
I can't even tell what freakin time it is on my LED clock from ThinkGeek, much less deciper keyboard clicks and modem blinks :-)
Al you have to do is install voice-recognition software, then train it to only understand you when you speak in a broad Glaswegian accent.
Thereby ensuring NOBODY's going to be able to decipher a word you're saying.
'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
Maybe I am remembering wrong, but I think old ATMs used to have slightly different tones for the different buttons, which is dumb, but sounds like something some engineer would do without thinking.
This also got me thinking, I used to have an old MAC IIe, when you selected menu items (from that top mac tool bar) different pitches were emitted from the pc, they were quiet and possible actually created from the guns in the tube itself, but this type of thing could be used to figure out what ppl are doing... idontevenknow....
http://monkeyserver.com --- weeeeee
This seems like this could be a new method of supporting wireless keyboards. No battery required!
Place clever sig here
Well, while hitting the keys harder or softer may make little difference (note that the frequency is captured), doing weird tricks like
US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
To pick up one of these babies... C'mon, it's like $400, I need to grab at any justification I can find!
-- The unsig...
Anyhow, the coordinator of the group would report the status of the group to the outside via computer. However there was only one computer and she typed on the keyboard by setting her hands under a shelf that masked the users typing. There was no screen. She simply made her notes, requests, etc by typing blindly on that keyboard.
At an old networking facility I worked at we had a similar system in place to enter the server room, there was a keypad set into the wall next to the door and in order to enter your code for entry you had to place your hand inside the little 4X4 box that masked/overlayed the keypad. Add in the background noise from the HVAC systems outside the room and we pretty much had/have a secured system.
Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep
Wait, there is a theory that with $200 of equipment, you can get 80% accuracy on this. Is there any reason why this is still just a theory? Can anyone scrap together the $200 to test this theory?
If only science weren't so expensive. Imagine how many other theories we could test if we could somehow get our hands on $500!
Finkployd
I don't type my passwords. I use voice recognition software and just say them. No clicks to overhear baby!!!
Doh
Can you say "tinfoil hat" ?
So, each key on a membrane keyboard makes a unique sound? I HOPE they try to patent this technology ... that is just SO obvious ... but is it practical in application?
... background noise! Better be some damned high-value information you're after bucko!
... also obvious ... that's why they are labelled "TD" and "RD"! Also easily defeated by simple piece of black tape.
Eighty percent accuracy after "voiceprinting" each key thirty times and using neural nets to arrive at an abstract sound signature for each key? Of course, the simple expedient of changing keyboards will defeat that. Or by the other obvious antidote
Blinking lights on a modem can be decoded to yield the byte values sent and received? DUH
Sleep well tonight, your AFDB Brigade is on duty and alert!
utter rubbish
I had this teacher who also did some network consulting. He told us of a case where he knew somebody was logging on at a client's site using his password, but he couldn't figure out how his password was being hacked. He noticed that whenever he was logging in, a particular secretary used to hang around. He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.
more about me
As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.
Good thing the whole future of "speech recognition" didn't pan out. Oh those silly Star Trek episodes, everyone can hear when Picard announces his secret password to everyone!
Like Teddy with an elephant gun.
For many years, navy submarines have been able to identify surface ships by the sounds of their props. Not just the type, but the exact ship. Why couldn't this be applied to keyboards, especially if you monitor the particular typist for a while?
In other news: hackers can connect to the internet by whistling into the phone.
SIG: TAKE OFF EVERY 'CAPTAIN'!!
This is old news. Ever see the movie Sneakers from 1992?
My Model M doesn't have a rubber membrane so I'm not worried. Then again you don't need a microphone to hear me typing on it. My neighbours can hear me typing. If someone were to stick a microphone up to it I'd be interested to know how much of their hearing they'd retain.
Support the First Amendment. Read at -1
Type in a bunch of random letters, or even a fake password then hold the backspace key down. That will only make sound once and you can have multiple deletes confusing the listener.
The ability to decipher what someone types based on the key clicks is quite interesting, but merely conceptual. Certainly, there are plenty of security holes in any technology. This implies that nothing is secure. However, you cannot sit awake at night worrying that someone wants to spy on your personal data. If you do, the you must have a mental condition. Just take a step back for a few minutes and look at the world around you. Think about your life and the things that have happened to you. Just from your own perspective, how many times have you been burgled? Car(s) stolen? Been questioned or interviewed by the authorities? Had important data intercepted and used against you (I'm not talking about homework assignments in grade school)? Actually had identity theft perpetrated against you regardless of using fairly normal measures against discovery? Actually had a system compromised? I think that most of us can attest to the fact that, in reality, this kind of thing happens less frequently than the fear mongers want you to believe. Of course, it does happen, and when it happens to you, it makes you feel like you're just one of many. But this is not the truth. The real truth is that you must use common sense regarding your personal data. Assuming that someone is standing behind you looking over your shoulder to snag your ATM PIN is a sickness. However, being cautious and trying to obscure your keystrokes is reasonable.
If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This s warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, peronally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parent's place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.
So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.
Who is Twirlip of the Mists?
Now I know that I should have saved my Atari 400. With that flat quiet keyboard, no one would be able to snoop on my typing. Of course, I'd have carpal tunnel so bad I couldn't pick up a spoon...
-- Fugacity: Confusing chemists since 1908
Ummm... so the "attacker" has to have access to your machine for a significant amount of time to train it on each key. I'm not too concerned. To have this kind of access they must also have uninterrupted physical access for a long enough to make a hidden software attack.
"Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."
Anybody who saw the episode of the CBS evening buddy-cop-drama "Due South: A Hawk and a Handsaw" knows that you don't need any special equipment. Just get a Canadian Mountie, have him listen to a nurse while she types in her password, and after several tries, the Mountie will be able to reproduce the password based solely on the sound of the clicks... Results are even better if the password is typed in to the tune of "I've been working on the railroad.".
Passwords are a poor security mechanism anyway. We really need to press the industry to move on in this field.
Of course, a whole lot of this is just theory.
Of course, in theory:
- the earth is spherical in shape
- the earth revolves around the sun
- we evolved from lower species
- energy equals mass times the speed of light squared
My car gets 40 rods to the hogshead, and that's the way I likes it!
what, you guys don't use a binary keyboard? 99 less keys to break.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
i mean, if someone wants to spy on your keystrokes they could install one of those $20 keycatcher thingies, freeware keyboard capture software, network snifers, or just look over your shoulder.
what kind of idiot would use a mic, and have to use neural nets to analyze the recording?
i wonder how many hours that guy flushed doing this study.
it would have been arguably more useful if he could determine what someone ate the night before by the sound of the splash.
I stopped typing passwords a long time ago, because I use Factotum
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Not really, and I will believe they can do it with modems at any speed faster than 2400 baud when I can see it. Something tells me that the rise/fall speed on LEDs isn't anywhere near 50KHz (50,000 up and down cycles per second, for the 56k connections they claim to do) and remember that modems use both amplitude modulation and frequency modulation in order to compress linear (binary) data into a three dimensional (amplitude, frequency, time) audio object on anything faster than v.22 (ie, v.22bis or faster - that's 2400 baud for you youngsters.) Trust me, I'm a toothpick counting, blackjack cheating, KMart underware wearing certified RainMan that spent hours in front of a 300 baud modem watching those lights and if it can be done, I would have done it. The lights indicate traffic, but they don't blink at the 'bit' level, esp at the speeds they are claiming.
Glonoinha the MebiByte Slayer
I'm afraid you're incorrect to say playing background noise would help. General background noise - even completely randomised white noise - won't be a problem for an incredibly sensitive microphone. Decent (OK, incredibly expensive) rifle mics are exceedingly directional, eliminating any noise from the sides.
If you were to train a rifle mic direct at a keyboard from say, 20 metres away in a very busy work environment you could easily pick it up. You can also use a basic 32 band EQ to remove most noise outside of the keyboard clicking frequency.
Background noise isn't really a problem - it's truly amazing what you can do with the correct equipment. For example, the USSR bugged a US embassy by donating an wall mounted American seal. It was sweeped for bugs, and nothing found. This was because there wasn't actually a bug in there - just a simple thin wire, that would vibrate with speech. The USSR then used a highly directional microphone across the street trained at the seal. They were then able to take the vibrations of the wire, and enhance them into speech.
And that was around 20 years ago, long before the sound digital enhancement techniques of today.
So I'll sleep well, but in the knowledge that background noise ain't going to help me that much. To stop keyboard noises the noise would have to be so loud you probably wouldn't be able to work anyway.
About ten years ago, I worked at a defense contractor. We had a project to identify aircraft based on the microphone clicks from their transmissions. As it turns out, radios from the same make and model have unique RF ramp up and cut off patterns. This allows you to identify a particular transmitter based on its transients.
The details of the project were classified, but I will say that, even ten years ago, the results were impressive.
Ha, ha! Nobody ever says Italy.
The difference between theory and practice is, in theory, there is no difference between theory and practice, but in practice, there is.
Anonymous Kev
Proudly posting as AC since 1997
(Finally got a dang account in 2004)
One minor problem with this scheme is that most of "today's" computer keyboards don't use rubber membranes. They use two sheets of plastic with conductive tracing printed on them, separated by a third sheet of plastic with holes. The keypress pushes the contact on the top sheet through the hole to touch the contact on the bottom sheet. Hardly any keyboards use the collapsing rubber domes because they're much more expensive that a few sheets of plastic.
So what's next? A scheme to read telegraph signals off Western Union's lines? A device that can tell what I'm watching on a zoetrope by reading analyzing flickering light?
If a job's not worth doing, it's not worth doing right.
This directly brings up a question I've been pondering for a while now...
Why in the hell is it that people are willing to pay hundreds of dollars extra to quiet the noise of the fans in their computers, yet many still want noisy keyboards?
It's as if a construction worker, who is jack-hammering outside your house, comes over and asks you to turn down your stereo... It really just makes no sense to me...
Personally, I've spent time, effort, and a moderate ammount of money to quiet the noise of the fans in my computers, but I've also spent money on getting much smaller, softer, faster and quieter keyboards. The noise of a keyboard doesn't appeal to me, any more than the noise of a loud fan does.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Here's my problem:
Statement 1: "Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy."
Statement 2: "Of course, a whole lot of this is just theory."
My Statement: No, only one of those statements can be true
Just about everything is sensitive to attacks like this. Someone on your telephone pole can listen to your phone conversations. Someone with a bug can listen to conversations in a room. Someone monitoring internet traffic can monitor your website usage. A monitor in your car can track your movements. There are a lot bigger problems than someone listening to keyboard clicks, IMO. Make it illegal and be done with it. -Sean
Laboratree - Scientific collaboration based on OpenSocial.
Different pairs of keys have different timings, so just looking at the timing difference gives you quite a bit of information. There's even a paper about this phenomenon which gives some numbers. It focuses on sniffing the network traffic, but the results should also apply for data that is gather accoustically.
Here are a few people who can do it without fancy technology: 3 Blind Phreakers
Just because you can't do something doesn't mean someone else can or can't
smartcard with a PIN number
somewhere a kitten just died.
Yes, I've seen a simplified design.
[ 3 or 7 or 9 or 6 or 0] [ 5 or 1 or 2 or 0 or 8 or 4 ] [ I'm feeling lucky! ]
Its just as well I use my mouse to click on porn.....
My hyperlinks aren't worth the paper they're printed on.