Slashdot Mirror

← Back to Stories (view on slashdot.org)

Keyboard Sound Aids Password Cracking

Posted by CmdrTaco on from the but-i-love-clicky-keyboards dept.

stinerman writes "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"

13 of 389 comments (clear)

  1. Redbox for keyboards now? by otomoton · · Score: 5, Interesting

    Does this mean that instead of keystroke loggers, spyware is now going to monitor our microphone input? This almost sounds like something out of a bad 80's movie.

    1. Re:Redbox for keyboards now? by o7400 · · Score: 5, Funny

      That's it. From now on, whenever I'm typing a password I'm going to scream at the top of my lungs. How about that stopid password stealers!?

    2. Re:Redbox for keyboards now? by TripMaster+Monkey · · Score: 5, Funny


      Spyware attempting to hash out your keystrokes by listening to the keypresses instead of grabbing the strokes directly is a bit like a person trying to enjoy music by watching the equalizer lights flicker instead of using the speakers.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:Redbox for keyboards now? by cei · · Score: 5, Interesting

      Well, I've heard about a guy who was pretty severely colorblind who could color-correct photos in Photoshop by the numbers and come up with better results than those who didn't share his impairment. It's interesting to me when meta content becomes content in its own right... if the lights of the EQ become just as valid a form of expression as the sounds driving them.

      --
      This sig intentionally left justified.
  2. Keyboard specific? by markass530 · · Score: 5, Insightful

    I'd have a hard time believing this method transcends all keyboard models, and all typists.

  3. applicability? by MooseTick · · Score: 5, Insightful

    If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.

    --
    Ninjas don't carry tic tacs
    1. Re:applicability? by TripMaster+Monkey · · Score: 5, Insightful


      How about a parabolic or shotgun mike?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

  4. It's a good thing... by Nuclear+Elephant · · Score: 5, Funny

    ... that my voice is my passport.

  5. As the article says: by tabkey12 · · Score: 5, Insightful

    It just goes to show that when you have physical access to a computer, the security's already broken...

    --
    Get a free iPod Nano 4GB!
  6. WARNING by JamesD_UK · · Score: 5, Funny

    Security experts recommend you don't speak the name of the key you're hunting for as you type your password with a single finger.

  7. Great... by crc32 · · Score: 5, Funny

    Now I'll need tinfoil wallpaper too, time to go to Cosco...

    --
    "In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos
  8. I think so by the_mighty_$ · · Score: 5, Interesting

    This technique must be usable on most keyboards, because judging from this the FBI sometimes uses (or has used in the past) this technique. From the page:

    Audio surveillance. This method is a variation of Attack #4. FBI technicians install an audio bug near your computer. The sounds generated by the keyboard can be analyzed. By comparing these sounds with the noises made during generation of a known piece of text, the FBI can often deduce your passphrase - or come so close that only a few characters need to be guessed.

    Oh and by the way, that page was written in 1998, so these UC-Berkley students (and the /. editors) are about 7 years slow.

    --
    VI VI VI - the editor of the beast!
  9. Don't panic by ezweave · · Score: 5, Interesting

    While it is an interesting topic, controlled conditions are required for this to work correctly.

    They use a deterministic method to find the next probable character for a given sequence. Deterministic in that if I type 't' and then type 'h' and there are only so many combinations available after that (this is the Markov chain part). Er basically a sort of decision coverage. That is used with the spell check dictionaries they mention for English text recognition. It is interesting too that they are using a neural network (though appropriate) to recognize the patterns. But because they did not make their own, the details are a bit brief.

    The problem I see is that the password detection is not flushed out enough and based upon what they state, it is not as powerful as it sounds. The deterministic method won't work for all passwords (as they typically are not English). Their "analysis" is basically a speed up on a dictionary hack (it helps to know the size of the password from the keystrokes), eliminating possibilities by way of possible patterns. But what about special characters, does a shift+key sound that different? Mixed cases, etc? And the deterministic approach does not work if the password is random AND the network has to be trained for THAT persons typing style and keyboard. Is that likely?

    I would be more worried about Van Eck Phreaking.