How students discovered a new way of stealing data using a regular keyboard
There once was a professor who enjoyed giving his students unusual tasks. Sometimes he would come to class and ask students to clap with one hand, other times he would ask them to convert volts to amps, or he would challenge them to figure out which glass doesn’t hold water.
This time he came to the lecture, placed an ordinary computer in front of the students, turned off the lights, and in absolute darkness typed a password on the keyboard, then asked the students to guess it.
The students enthusiastically accepted this challenge and divided into two groups. One group said they would easily guess the password because they knew the professor well. The second group said they would easily guess the password because they knew the keyboard well.
Both of these solutions — life-based and technological — are presented below. Which of these solutions seems most elegant to you, and which will make you tremble with fear, you decide.
The group of students who knew the professor’s character well decided to rely on the human factor. The students knew their teacher’s date of birth and assumed he might use it as a password.
When the date of birth as a password didn’t work, the students remembered that the professor had written many scientific papers, but he was particularly proud of one and often talked about writing it in the city of Galt. The students tried the option “Galt,” but it also turned out to be incorrect.
Then the students thought the professor might use his dog’s name Linda as a password and typed in “Linda,” but even this password didn’t work.
Then someone suggested using the professor’s Facebook page to find the necessary information. Through the social network, students saw some significant dates for the professor, his food preferences, favorite books and quotes, TV shows, and even houseplants. As a password, the students decided to use everything they found on social networks, but this also didn’t help decipher the password.
When the students decided to solve the password puzzle at all costs, one of them shared information that the professor had once given him the password to his university network account so the student could sort his emails into important and unimportant ones.
It would be logical to assume that this password would be the one the professor had set. But even then, the students were disappointed — they didn’t guess the password.
So, knowing the professor’s account, the students logged into the university network under his name, pretended to forget the password, and used the password recovery system… but this was no longer an everyday-life solution.
Another group of students, who decided to use a technological solution, knew that the professor never leaves traces on the internet and always uses a password generator, so they would not be able to solve the problem and guess the correct password by simply trying different options.
So the group of students decided to start from the fact that each key on the keyboard has its own unique sound, which depends on the letter’s position on the layout and other factors.
They placed a smartphone with a new model of artificial intelligence next to the laptop on which they were typing text. Day and night, students typed texts of different lengths, typed fast and slow, intentionally made mistakes, and sometimes one of the students even typed with one finger of the left hand. Meanwhile, the built-in microphone listened to the keystrokes on the MacBook Pro — and, despite all the complexities, reproduced them with 95% accuracy.
The artificial intelligence captured all the details — the waveform, intensity, and timing of each keystroke. It took into account typing speed, typos, and timing between keystrokes. If a student pressed one key a fraction of a second later than others because it was further away, the AI instantly memorized and learned it. After a while, the artificial intelligence learned to register keystrokes by sound and even identify the user by their unique keyboard signature.
After that, the team of students also checked the accuracy of the trained artificial intelligence model while messaging each other through Zoom: the AI reproduced keystrokes with 93% accuracy. When students exchanged messages via Skype, the model was accurate to 91.7%.
It took exactly 2 months for the students to teach the artificial intelligence to almost 100% accurately reproduce everything that was written by the user, without even seeing them, and exactly one listening session was needed for the artificial intelligence to learn the correct password based on the sound of the keys on the professor’s keyboard.
If students have learned to do this, then undoubtedly, similar technologies exist among criminals.
For example, researchers from Cornell University discovered a new way to steal your data — through the sounds of keystrokes. Their paper describes in detail an AI-based attack that can steal passwords with up to 95% accuracy by listening to what you type on the keyboard.
Researchers warn that creating such a password thief is relatively simple now. According to them, this attack can take the form of malware installed on your phone or other microphone-equipped device, even one located in your room. It just needs to listen through the microphone, collect data on your keystrokes, and pass it to the AI model.
Even if you work from home and the likelihood of someone nearby turning on the microphone is quite low, this type of espionage is still alarming, as it gives spies another way to access your password. They no longer need to directly read inputs from your keyboard; they just need to find a way to hear the sounds of your keyboard through any microphone and match it with the moment when you logged into your banking or any other corporate application.
Before you toss out your loud mechanical keyboard in fear, it’s worth noting that the loudness of the keyboard does not affect the accuracy of the attack on your passwords. However, there are still several ways to mitigate this.
- Firstly, you can avoid typing passwords altogether and use features like Windows Hello and Touch ID instead.
- You can also use a good password manager that enters passwords for you and allows you to generate random passwords for all your accounts.
- You can use utilities like Unclack (for macOS) and Hushboard, which automatically mute the microphone while typing on the keyboard. Besides security purposes, they also serve a more mundane function — automatically eliminating background noise (“clacking”) during video/audio conferences.
- You can constantly switch layouts, even though it may affect your productivity.
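
The mute-while-typing idea from the list above, modelled as an added example (not code from Unclack or Hushboard, and not part of the original article). The 20 ms reaction latency, 500 ms hold time, 100 ms keystroke sound length and all timestamps are constructed assumptions; the model shows which keystrokes a microphone would still pick up.

```python
# Model of a mute-while-typing microphone gate. All times are integer milliseconds.
# Assumptions (not taken from any real tool): the gate reacts LATENCY_MS after a
# key-down event, stays muted for HOLD_MS, and a keystroke is audible for SOUND_MS.
LATENCY_MS = 20
HOLD_MS = 500
SOUND_MS = 100


def muted_intervals(key_times, latency=LATENCY_MS, hold=HOLD_MS):
    """Merge the per-keystroke mute windows into non-overlapping intervals."""
    intervals = []
    for t in sorted(key_times):
        start, end = t + latency, t + latency + hold
        if intervals and start <= intervals[-1][1]:
            # Typing continued before the gate reopened: extend the current mute.
            intervals[-1][1] = max(intervals[-1][1], end)
        else:
            intervals.append([start, end])
    return [tuple(i) for i in intervals]


def exposed_keystrokes(key_times, sound=SOUND_MS, latency=LATENCY_MS, hold=HOLD_MS):
    """Return key-down times whose sound window is not fully inside a mute interval."""
    gates = muted_intervals(key_times, latency, hold)
    exposed = []
    for t in sorted(key_times):
        covered = any(s <= t and t + sound <= e for s, e in gates)
        if not covered:
            exposed.append(t)
    return exposed


# Constructed sample: a four-key burst, a pause, then a two-key burst.
BURSTS = [0, 150, 310, 480, 2000, 2120]
# Constructed sample: slow one-finger typing, gaps longer than the hold time.
SLOW = [0, 700, 1400]

if __name__ == "__main__":
    print("mute intervals:", muted_intervals(BURSTS))
    print("audible in bursts:", exposed_keystrokes(BURSTS))
    print("audible when typing slowly:", exposed_keystrokes(SLOW))
```

Under these assumptions the first key after every pause is still audible, and slow typing defeats the gate entirely, so a password typed right after a pause still leaks its first character.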
Likely, the more popular the keyboard or device with a built-in keyboard, the more accurately AI will guess the passwords typed on it. The students and researchers chose a MacBook Pro keyboard for their experiments deliberately, not at random. However, if you have the cheapest mass-market keyboard for a couple of dollars and tens of thousands of such keyboards are used worldwide, it’s unlikely that anyone would be interested in training AI on the sounds of your specific model, especially considering the profile of someone who economizes even on a keyboard.