Slashdot Mirror


The Security Risk of Keyboard Clicks

Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATMs, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."

24 of 361 comments

  1. Great... by ebob9 · · Score: 5, Funny

    Now when I log in to my account at work, instead of just needing password, secureid, smartcard, fingerscan, eyescan, and a note from my mother, I'll also need to use an on-screen touch-screen keyboard!

    Of course, someone will probably now figure out that tapped glass reverberates at a different frequency...

    1. Re:Great... by orangesquid · · Score: 4, Interesting

      Nah. Think about it: pressing different spots of your screen is like pressing down a guitar string at different points. You will cause the screen to resonate with a multitude of frequencies with distinct audio "fingerprints" for different points on the screen, which can also be picked up by very sensitive equipment.

      Sorry.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    2. Re:Great... by kinema · · Score: 5, Insightful

      Of course you could just have the software randomize the location of the numbers each time.

    3. Re:Great... by orangesquid · · Score: 4, Funny

      True. But you could also read the screen via Tempest-like technology!

      It seems that no matter what you do, we'll be screwed anyway. We might as well go to a trust-based system. How about everybody just changes all their passwords to 'secret'?

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    4. Re:Great... by Aglassis · · Score: 4, Interesting

      The problem can be solved easy enough with a numeric keypad. Place seven-segment displays under the keys that are randomly orientated, like
      7 5 2
      4 3 1
      0 9 6
      8

      This solves the problem for ATMs. If you dim the LEDs and polarize the light, you would make it more difficult for a camera to find the password also. Obviously this only applies to a numeric keypad (for ATMs and the like) since it would be a pain in the ass to change the lettering dynamically on a keyboard (at least for the user). The solutions for those using keyboards could be as simple as using a smartcard with a PIN number (which you enter on the randomized 10 digit display). The sooner we get rid of the biggest security risk on computers IMHO (guessable passwords) the better.

      --
      Suddenly, the hairy finger of a familiar monkey tapped me on the shoulder. It was time.--G. T.
    5. Re:Great... by MadBiologist · · Score: 5, Funny
      Darn.... now I'm gonna have to change my password.

      First somebody gives away the 12345, now secret.

      Sheesh.. What's this world coming to?

      -J-

      --
      'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
    6. Re:Great... by evil-osm · · Score: 4, Funny

      or you can just look for the smudge marks...

      --


      E.

      Never rub another man's rhubarb - The Joker
    7. Re:Great... by gUmbi · · Score: 4, Interesting

      Of course you could just have the software randomize the location of the numbers each time.

      I came across this type of device when entering a bank building. You had to enter a 6-digit code into a keypad to unlock the door. Each key was a tiny LCD display and the location of each digit was randomized for each use.

    8. Re:Great... by jdreed1024 · · Score: 4, Informative
      Those already exist. They're called "scramble pads". We had one on the server room where I used to work. You press "start", and it displays the numbers in LEDs under the keys, and you enter the code. Every time you press start, the numbers are in a different position. And you can barely read them when staring right at the pad, let alone from the side.

      Of course, it took about 5 times longer to get in than with a key or swipe card (since the code was 8 numbers), but there's always a trade-off.

      Here's a picture of one.

      --
      There is no sig, there is only Zuul.
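
The scramble pad described in the comments above (digit positions reshuffled on every use), as an added example that is not part of the original thread: a Python model showing that an observer who learns only which physical key positions were pressed cannot replay them against a fresh layout. The function names and the 10-position pad model are assumptions made for illustration; the sample layout is the one sketched in the thread, read row by row.

```python
import secrets

DIGITS = "0123456789"
THREAD_LAYOUT = "7524310968"  # layout sketched in the thread, read row by row

def new_layout(rng=None):
    """Return a fresh random layout: layout[position] -> digit shown there."""
    rng = rng or secrets.SystemRandom()  # CSPRNG, so layouts are unpredictable
    keys = list(DIGITS)
    rng.shuffle(keys)
    return "".join(keys)

def positions_for(pin, layout):
    """Physical key positions a user presses to enter `pin` on this layout."""
    return [layout.index(d) for d in pin]

def digits_from(positions, layout):
    """What the pad registers when those positions are pressed on `layout`."""
    return "".join(layout[p] for p in positions)

def replay_succeeds(pin, observed_layout, later_layout):
    """Model an observer who learned only key *positions* in one session
    (sound, smudges, hand movement) and presses the same keys in a later one."""
    observed = positions_for(pin, observed_layout)
    return digits_from(observed, later_layout) == pin

def replay_success_rate(pin, trials=2000):
    """Fraction of fresh layout pairs in which a position replay opens the pad."""
    hits = sum(replay_succeeds(pin, new_layout(), new_layout())
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    pin = "271828"  # constructed sample code, not from the thread
    # Ordinary pad: the layout never changes, so observed positions replay.
    print("fixed pad replay works:", replay_succeeds(pin, DIGITS, DIGITS))
    # Scramble pad: the same positions register different digits next time.
    print("positions on thread layout:", positions_for(pin, THREAD_LAYOUT))
    print("scramble pad replay rate:", replay_success_rate(pin))
```

The model covers only the position-to-digit mapping; anyone who can read the displayed digits during entry still learns the code, which is why the pads in the thread use displays that are hard to read from the side.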
  2. low~ by Leffe · · Score: 5, Informative
    The site was really slow, so I copied the article:


    OAKLAND -- Listen to this: Eavesdroppers can decipher what is typed by simply listening to the sound of a keystroke, according to a scientist at this week's IEEE Symposium of Security and Privacy in Oakland, Calif.

    Each key on computer keyboards, telephones and even ATM machines makes a unique sound as each key is depressed and released, according to a paper entitled "Keyboard Acoustic Emanations" presented Monday by IBM research scientist Dmitri Asonov.

    All that is needed is about $200 worth of microphones and sound processing and PC neural networking software.

    Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

    "This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

    Asonov found that by recording the same sound of a keystroke about 30 times and feeding it into a PC runninG standard neural netwOrking softwAre, he could decipher the keys with an 80% accuracy raTe. He was also able to train the SoftwarE on one keyboard to decipher the keystrokes on any other keyboard of the same make and model.

    Good sound quality is not required to recognize the acoustic signature or frequency of the key. In fact, Asonov was able to extract the audio captured by a cellular phone and still decipher the signal.

    "But don't panic," Asonov cautioned. "There are some easy ways to fix the problem." First, close the door in the room where you're working. Second, buy a rubber keyboard coffee guard that will dampen the sound enough to make eavesdropping difficult.

    However, Asonov said that he believed it was possible to use acoustical analysis algorithms to decipher key sounds based simply on gathering the data from just a couple of keys and extrapolating what other keys should sound like.

    Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories. For example, he discovered that it was the membrane that was providing the unique signature simply by cutting a keyboard in two and finding that the neural networking software no longer worked.


    Yeah, I put a surprise in there too ;)
  3. "Of course, a whole lot of this is just theory." by REBloomfield · · Score: 4, Funny

    Sounds like bollocks to me. The amount of crumbs under my keys, I'd be mighty impressed if you got anything intelligible.

  4. Security risks by NETHED · · Score: 5, Insightful

    You know, I don't care.

    It's not like I have the secrets to nuclear weapons research, nor do I have tomorrow's stock market numbers. I am average Joe 24 Pack.

    So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.

    And well, if you have such sensitive documents, Tempest your computer, unplug it from EVERY network and work.

    I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world. NO. Anywho, my girlfriend just yelled at me so I needed to vent.

    --
    --sig fault--
    1. Re:Security risks by the_mad_poster · · Score: 5, Funny

      Anywho, my girlfriend just yelled at me so I needed to vent.

      Huh? Quit making up words!

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  5. 80% accuracy can be useless... or not by shoppa · · Score: 4, Interesting
    80% accuracy is far from perfect. For instance, an OCR application that returned only 80% accuracy would probably be rejected by the vast majority of users, as this means hundreds of errors to be corrected per page.

    OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough.

  6. This is easy to overcome by JosKarith · · Score: 4, Funny

    All you have to do is install voice-recognition software, then train it to only understand you when you speak in a broad Glaswegian accent.
    Thereby ensuring NOBODY's going to be able to decipher a word you're saying.

    --
    'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
  7. Huh by finkployd · · Score: 4, Funny

    Wait, there is a theory that with $200 of equipment, you can get 80% accuracy on this. Is there any reason why this is still just a theory? Can anyone scrape together the $200 to test this theory?

    If only science weren't so expensive. Imagine how many other theories we could test if we could somehow get our hands on $500!

    Finkployd

  8. will never break my password by GarbanzoBean · · Score: 4, Funny

    I don't type my passwords. I use voice recognition software and just say them. No clicks to overhear baby!!!

    Doh

  9. Can be done by ear as well by shamir_k · · Score: 4, Interesting

    I had this teacher who also did some network consulting. He told us of a case where he knew somebody was logging on at a client's site using his password, but he couldn't figure out how his password was being hacked. He noticed that whenever he was logging in, a particular secretary used to hang around. He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.

  10. IT professionals: don't ignore this by jrm228 · · Score: 5, Interesting
    It's easy to dismiss this right out, but for people who follow the intelligence industry this isn't new. Spooks can already listen to conversations through windows with lasers that measure vibration, and use filter technology to eliminate relatively constant background noise (e.g. a shower running). Combine that with some keyboard listening technology that's been in development for a long time: (see BBC 2001 reference) and suddenly IT security becomes a lot more interesting.

    As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.

  11. This technology was bound to emerge by Handover+Slashdot · · Score: 5, Interesting

    For many years, navy submarines have been able to identify surface ships by the sounds of their props. Not just the type, but the exact ship. Why couldn't this be applied to keyboards, especially if you monitor the particular typist for a while?

  12. In other news: by Big+Nothing · · Score: 4, Funny

    In other news: hackers can connect to the internet by whistling into the phone.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  13. Fear and Paranoia Abound by List+of+FAILURES · · Score: 5, Insightful

    The ability to decipher what someone types based on the key clicks is quite interesting, but merely conceptual. Certainly, there are plenty of security holes in any technology. This implies that nothing is secure. However, you cannot sit awake at night worrying that someone wants to spy on your personal data. If you do, then you must have a mental condition. Just take a step back for a few minutes and look at the world around you. Think about your life and the things that have happened to you. Just from your own perspective, how many times have you been burgled? Car(s) stolen? Been questioned or interviewed by the authorities? Had important data intercepted and used against you (I'm not talking about homework assignments in grade school)? Actually had identity theft perpetrated against you regardless of using fairly normal measures against discovery? Actually had a system compromised? I think that most of us can attest to the fact that, in reality, this kind of thing happens less frequently than the fear mongers want you to believe. Of course, it does happen, and when it happens to you, it makes you feel like you're just one of many. But this is not the truth. The real truth is that you must use common sense regarding your personal data. Assuming that someone is standing behind you looking over your shoulder to snag your ATM PIN is a sickness. However, being cautious and trying to obscure your keystrokes is reasonable.

    If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This is warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, personally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parent's place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.

    So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.

  14. easy fix. by dj245 · · Score: 4, Funny

    what, you guys don't use a binary keyboard? 99 less keys to break.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  15. Re:"Of course, a whole lot of this is just theory. by Discoflamingo13 · · Score: 5, Insightful

    Here's my problem:

    Statement 1: "Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy."

    Statement 2: "Of course, a whole lot of this is just theory."

    My Statement: No, only one of those statements can be true