Slashdot Mirror

← Back to Stories (view on slashdot.org)

Keyboard Sound Aids Password Cracking

Posted by CmdrTaco on from the but-i-love-clicky-keyboards dept.

stinerman writes "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"

38 of 389 comments (clear)

  1. My Luggage by Valiss · · Score: 4, Funny

    '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'

    Looks like you're screwed because my luggage password is 5 digits long, but all digits are numbers in a sequential order starting with one. Ha ha!

    --

    -Valiss
    1. Re:My Luggage by loimprevisto · · Score: 4, Funny

      What? 1,2,3,4,5? Only an moron would use that combination for their luggage!

      --
      Much Madness is divinest Sense --
      To a discerning Eye --
      Much Sense -- the starkest Madness
    2. Re:My Luggage by Rick.C · · Score: 4, Funny
      What? 1,2,3,4,5? Only an moron would use that combination for their luggage!

      Shhhh! That's not the combination he set - that's the TSA's "back-door" combo.

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    3. Re:My Luggage by isometrick · · Score: 3, Informative

      I suspect it is (in reality) much higher than that, given the password/key/combo choosing standards of the general public.

      Don't assume that each possibility is equally likely . :)

  2. Redbox for keyboards now? by otomoton · · Score: 5, Interesting

    Does this mean that instead of keystroke loggers, spyware is now going to monitor our microphone input? This almost sounds like something out of a bad 80's movie.

    1. Re:Redbox for keyboards now? by o7400 · · Score: 5, Funny

      That's it. From now on, whenever I'm typing a password I'm going to scream at the top of my lungs. How about that stopid password stealers!?

    2. Re:Redbox for keyboards now? by TripMaster+Monkey · · Score: 5, Funny


      Spyware attempting to hash out your keystrokes by listening to the keypresses instead of grabbing the strokes directly is a bit like a person trying to enjoy music by watching the equalizer lights flicker instead of using the speakers.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:Redbox for keyboards now? by Enigma_Man · · Score: 4, Interesting

      That's exactly what this article is about though... They can get your keystrokes with 96% accuracy just by listening to them over a period of time.

      So, theoretically, yes; malware could listen to microphone input of you typing and work it backwards into key logging. If spyware's already on your system though, it'd be easier just to log the keys in the system. But you could figure out what someone else is typing just by recording it.

      -Jesse

      --
      Nothing says "unprofessional job" like wrinkles in your duct tape.
    4. Re:Redbox for keyboards now? by TheViciousOverWind · · Score: 3, Funny

      You have no idea how good it feels when you finally 'hear' the music just by watching the lights...

      Why don't you volunteer for a charity? It sounds like you have enough time on your hands to save the world singlehandedly.

      --
      My <1000 UID is with a hot chick
    5. Re:Redbox for keyboards now? by cei · · Score: 5, Interesting

      Well, I've heard about a guy who was pretty severely colorblind who could color-correct photos in Photoshop by the numbers and come up with better results than those who didn't share his impairment. It's interesting to me when meta content becomes content in its own right... if the lights of the EQ become just as valid a form of expression as the sounds driving them.

      --
      This sig intentionally left justified.
    6. Re:Redbox for keyboards now? by avronius · · Score: 3, Funny

      Some potential titles for the afore mentioned 80's movie:
      "Remix Of The Killer Tomatoes"
      "Return Of The Password Snatchers"
      "They Listened from Within"
      "Buffy The Keystroke Logger" (not quite on-topic)
      "I Know What You Typed Last Summer"
      "Eavesdropper"
      "The Computers Have Ears"

      The unrelated horror film we're most likely to see?
      "The Blog" - with Steve McQueen re-animated to reprise his role as "Steve Andrews"
      Genre: Horror / Sci-Fi / Comedy
      Tagline: Indescribable... Indestructible! Nothing Can Stop It!
      Plot Outline: An inane personal web log consumes all bandwidth in its path as it grows and grows.

    7. Re:Redbox for keyboards now? by Daniel_Staal · · Score: 4, Funny
      Why don't you volunteer for a charity? It sounds like you have enough time on your hands to save the world singlehandedly.

      I am now out of college.

      --
      'Sensible' is a curse word.
    8. Re:Redbox for keyboards now? by gi-tux · · Score: 3, Interesting

      When I first saw the headline, I thought that maybe they were doing time analysis on the keystrokes to guess the fingers used and which row on the keyboard. If that were the case, I would just type my password using a couple of fingers and do some very accurate timing (given I used to be a drummer, I can get pretty accurate) an that would throw them off.

      However, this is a little harder, I have to hit each and every key so that it makes exactly the same sound. This is extremely difficult because even if I use exactly the same pressure and exactly the same stroke on every key, then the spring might be different, or the switch might be slightly different on a few keys and still give hints.

      I think that the best defense is to learn to type at about 1200 words per minutes (100 characters per second) so that the sound is just one constant stream and they would be incapable of breaking it down. Like the German "zip gun" from WWII, the MG-42 which fired around 1200-1300 rounds per minute and sounded like a zipper to the Allied soldiers. The constant short zip sounds also made it difficult to locate the gun when in cover.

      --
      I have no sig, does anyone have one to spare?
  3. Keyboard specific? by markass530 · · Score: 5, Insightful

    I'd have a hard time believing this method transcends all keyboard models, and all typists.

    1. Re:Keyboard specific? by aardvarkjoe · · Score: 3, Funny
      I will defeat this by entering my password in Morse code.

      Oh, crap.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Keyboard specific? by Opie812 · · Score: 3, Funny

      on

      --
      I'm not a nerd. Nerds are smart.
  4. applicability? by MooseTick · · Score: 5, Insightful

    If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.

    --
    Ninjas don't carry tic tacs
    1. Re:applicability? by TripMaster+Monkey · · Score: 5, Insightful


      How about a parabolic or shotgun mike?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

  5. Another old fashioned way to get passwords w audio by xxxJonBoyxxx · · Score: 3, Funny

    Another old fashioned way to get passwords w audio: Just tap the "help desk" phone line.

  6. It's a good thing... by Nuclear+Elephant · · Score: 5, Funny

    ... that my voice is my passport.

  7. 75 attempts? by jlower · · Score: 4, Insightful

    '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.
    All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

    1. Re:75 attempts? by sammy+baby · · Score: 4, Insightful

      Plenty of them. Implementing a lockout out of X number of bad attempts can open you up to some hairy denial of service attacks. Want to lock out a user for a few hours? Just fail to login as that person 5 times.

      Not to say that the alternatives don't have their weaknesses, but this one certainly does as well.

    2. Re:75 attempts? by papasui · · Score: 4, Interesting

      This is exactly how I exploited a Novell network while in high school.. I wrote a keystroke logger and then intentionally entered my own password wrong serveral times until I was locked out. I called the Sysadmin over and he logged in on the computer and reset my password. I then pulled his password from the logger and made my own sysadmin account 'jdoe'.

  8. As the article says: by tabkey12 · · Score: 5, Insightful

    It just goes to show that when you have physical access to a computer, the security's already broken...

    --
    Get a free iPod Nano 4GB!
  9. WARNING by JamesD_UK · · Score: 5, Funny

    Security experts recommend you don't speak the name of the key you're hunting for as you type your password with a single finger.

  10. Great... by crc32 · · Score: 5, Funny

    Now I'll need tinfoil wallpaper too, time to go to Cosco...

    --
    "In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos
    1. Re:Great... by rtaylor · · Score: 4, Funny

      Now I'll need tinfoil wallpaper too, time to go to Cosco...

      Tinfoil was eliminated by the government and replaced with aluminum foil. Your wallpaper and hats only make you believe you're safe.

      --
      Rod Taylor
    2. Re:Great... by OzPeter · · Score: 4, Funny

      If you knew your world history you would know that it was an early 20th century right wing plot to get the US to use aluminum instead of the aluminium that the rest of the world uses.

      You see while aluminum looks and feels a lot like aluminium, it is actually a differant material, so much so that it cannot be used as a tinfoil hat replacement.

      Thus by duping the US citizens into believing that aluminum was just as good as aluminium (and more patriotic for the country), the government easily gained the capability of reading all of your thoughts, even when you thought they couldn't [*]

      As of now, the rest of English speaking world sits smuggly by wearing our aluminium foil hats, safe in the knowledge that our thoughts are secure.

      [*] Unfortunatley there was a side effect to being able to read the thoughts of everyone in the US. The summaries of such thoughts are used to brief the president in order to help him direct policy. But starting with the Shiny Shiny movements of the mid 80's suceeding presidents have slowly become paralysed by the thoughts of the mass population. This has come to a head with GWB being briefed hourly about how the population feels about JLo and Bennifer, while other, more important items are ignored.

      The only possible solution to this is to disband the remote thought readings, but when confronted with leftist radical ideas like this, the CIA/Industro-Military Complex reacts violently and labels such ideas as being the work of terrorists. (It should be noted that these people are known to have holdings of aluminium manufacturers in other countries, thus securing their *private* supply of aluminium foil hats).

      --
      I am Slashdot. Are you Slashdot as well?
  11. Use ASCII numerics, or pound the keyboard at login by ScentCone · · Score: 4, Interesting

    Honestly, I've always wondered about this. But then it occurs to be that you could type the ALT+Numeric equivalent of your password characters, just to throw off the bad guys. You know, ALT+100 = "d", etc. Or, just bang the drum slowly when entering the password - loud, thumpy keystrokes. Or put the keyboard in your lap momentarily to alter the acoustic signature.

    Or, don't worry. I mean, realistically, what are the odds of this crack actually happening in the non-ultra-spooky world? And once you're in that playground, it's biometrics, smartcards, etc., anyway, right?

    --
    Don't disappoint your bird dog. Go to the range.
  12. Agent x86 by Molina+the+Bofh · · Score: 4, Funny

    Be careful, chief. Lets type in the cone of silence.

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  13. Re:Berkley != Berkeley by stinerman · · Score: 4, Informative

    It is actually a typo on my part, not caught by Taco. The paper in question is from the CS Dept of UC Berkeley.

  14. Re:Use ASCII numerics, or pound the keyboard at lo by Psykechan · · Score: 3, Insightful

    I use the Dvorak layout myself. It would help prevent this in two ways.

    1. The keystroke timing would be much different
    2. Constantly making errors which require much backspace pressing

  15. Been there, done that by coyote-san · · Score: 4, Interesting

    25 years ago (gah!) I really freaked out my boss because I made a big production of turning my back to him as he typed the root password. I turned back and told him what he just typed.

    It wasn't anything fancy, just familiarity with the sound that keyboard made and the usual pauses as fingers move to various keys.

    I also used to be able to tell you what number was dialed from the touchtones.

    P.S. a college friend said that he would occasionally talk to others in morse code after a long duty shift when he was in the military. Forget the nonsense in the introductory material - anyone who really knows morse code and knows it fast hears it as words. It's not hard to take the final step and speak it like you hear it.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  16. I think so by the_mighty_$ · · Score: 5, Interesting

    This technique must be usable on most keyboards, because judging from this the FBI sometimes uses (or has used in the past) this technique. From the page:

    Audio surveillance. This method is a variation of Attack #4. FBI technicians install an audio bug near your computer. The sounds generated by the keyboard can be analyzed. By comparing these sounds with the noises made during generation of a known piece of text, the FBI can often deduce your passphrase - or come so close that only a few characters need to be guessed.

    Oh and by the way, that page was written in 1998, so these UC-Berkley students (and the /. editors) are about 7 years slow.

    --
    VI VI VI - the editor of the beast!
    1. Re:I think so by Anonymous Coward · · Score: 3, Informative

      These guys do it *without* the known piece of text though; as a statistician, I applaud them!

    2. Re:I think so by drew · · Score: 4, Informative

      Even without RTFA:
      The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously.
      (emphasis mine)

      They are acknowledging that what you describe has been possible for some time, but what they have been able to achieve different.

      --
      If I don't put anything here, will anyone recognize me anymore?
  17. Windows On Screen Keyboard by Hoi+Polloi · · Score: 4, Interesting

    If you use Windows you can also use osk.exe (On Screen Keyboard) to enter your password, this will allow you to bypass the keyboard completely. This also assumes that you have taken precautions against TEMPEST and CRT diffuse visible light monitoring.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  18. Don't panic by ezweave · · Score: 5, Interesting

    While it is an interesting topic, controlled conditions are required for this to work correctly.

    They use a deterministic method to find the next probable character for a given sequence. Deterministic in that if I type 't' and then type 'h' and there are only so many combinations available after that (this is the Markov chain part). Er basically a sort of decision coverage. That is used with the spell check dictionaries they mention for English text recognition. It is interesting too that they are using a neural network (though appropriate) to recognize the patterns. But because they did not make their own, the details are a bit brief.

    The problem I see is that the password detection is not flushed out enough and based upon what they state, it is not as powerful as it sounds. The deterministic method won't work for all passwords (as they typically are not English). Their "analysis" is basically a speed up on a dictionary hack (it helps to know the size of the password from the keystrokes), eliminating possibilities by way of possible patterns. But what about special characters, does a shift+key sound that different? Mixed cases, etc? And the deterministic approach does not work if the password is random AND the network has to be trained for THAT persons typing style and keyboard. Is that likely?

    I would be more worried about Van Eck Phreaking.