This new attack uses the sound of your keystrokes to steal your passwords
Who is listening to you type?
Two researchers from Augusta University, in Georgia, U.S., demonstrated a novel way to steal people’s passwords that would put even James Bond to shame.
Alireza Taheritajar and Reza Rahaeimehr published a paper called “Acoustic Side Channel Attack on Keyboards Based on Typing Patterns” which is just as weird as it sounds.
According to the research, there is a way to deduce a person’s password (or any other word that’s typed into a computer) by simply listening to them type.
Is it feasible?
The method is not as accurate as some other side channel attacks, as the researchers suggested the accuracy of this attack is around 43%. To pull it off, the attackers would need only a relatively small sample of the victim’s typing (just a few seconds, apparently), though they would need more than one recording.
Furthermore, they would need an English dictionary. What makes the attack easier is that the recording doesn’t have to be particularly “clean”. It could have significant background noise, or come from multiple different keyboards, and still work.
In theory, a threat actor could place a smartphone, or a similar microphone-equipped device, in the relative vicinity of the victim and record them typing. From that recording, they would be able to establish certain patterns, which could then be used to determine potential words. The English dictionary would help to predict which words would make most sense in the context of the sentence.
While it sounds ominous, there are quite a few moving parts that need to align perfectly for the attack to be pulled off.
For one, the attacker needs to either be really close to the victim, have a recording device nearby (a smart speaker would suffice, apparently), or have malware installed that’s capable of leveraging the computer’s microphone. Then, the victim needs to type in their password, as well as a bunch of other words.
The victim cannot be a professional typist, or be able to type fast in general, as that messes with the predictions. Then, the attackers can analyze the recordings and will still end up with just a 43% chance of success.
Via Bleeping Computer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.