The Security Risk of Keyboard Clicks
Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATMs, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."
Now when I log in to my account at work, instead of just needing password, secureid, smartcard, fingerscan, eyescan, and a note from my mother, I'll also need to use an on-screen touch-screen keyboard!
Of course, someone will probably now figure out that tapped glass reverberates at a different frequency...
Yeah, I put a surprise in there too
You know, I don't care.
It's not like I have the secrets to nuclear weapons research, nor do I have tomorrow's stock market numbers. I am average Joe 24 Pack.
So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.
And well, if you have such sensitive documents, Tempest your computer, unplug it from EVERY network and work.
I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world? NO. Anywho, my girlfriend just yelled at me so I needed to vent.
--sig fault--
As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.
For many years, navy submarines have been able to identify surface ships by the sounds of their props. Not just the type, but the exact ship. Why couldn't this be applied to keyboards, especially if you monitor the particular typist for a while?
The ability to decipher what someone types based on the key clicks is quite interesting, but merely conceptual. Certainly, there are plenty of security holes in any technology. This implies that nothing is secure. However, you cannot sit awake at night worrying that someone wants to spy on your personal data. If you do, then you must have a mental condition. Just take a step back for a few minutes and look at the world around you. Think about your life and the things that have happened to you. Just from your own perspective, how many times have you been burgled? Car(s) stolen? Been questioned or interviewed by the authorities? Had important data intercepted and used against you (I'm not talking about homework assignments in grade school)? Actually had identity theft perpetrated against you regardless of using fairly normal measures against discovery? Actually had a system compromised? I think that most of us can attest to the fact that, in reality, this kind of thing happens less frequently than the fear mongers want you to believe. Of course, it does happen, and when it happens to you, it makes you feel like you're just one of many. But this is not the truth. The real truth is that you must use common sense regarding your personal data. Assuming that someone is standing behind you looking over your shoulder to snag your ATM PIN is a sickness. However, being cautious and trying to obscure your keystrokes is reasonable.
If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This is warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, personally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parents' place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.
So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.
Who is Twirlip of the Mists?
Here's my problem:
Statement 1: "Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy."
Statement 2: "Of course, a whole lot of this is just theory."
My Statement: No, only one of those statements can be true.