A group of computer scientists has trained a deep learning model to recognize keystrokes from their sound with 95% accuracy.
This brings up the deeply troubling possibility of bad actors being able to do the same in order to steal passwords by merely recording the sound of keystrokes.
Such an attack is called a side-channel attack. It does not require hackers to gain access to the victim’s device and can be carried out by collecting signals emitted by the targeted hardware.
According to research by Durham University, Royal Holloway University of London and the University of Surrey, a machine learning (ML) classifier trained on keystrokes recorded by a nearby phone achieved an accuracy of 95%.
When trained on keystrokes recorded using the video-conferencing software Zoom, it was able to reach an accuracy of 93%.
The researchers used an Apple MacBook Pro 16-inch (2021) with 16 GB of memory and the M1 Pro processor, notes ZDNet. They recorded the laptop’s keyboard clicks on an iPhone 13 Mini placed on a microfiber cloth about 7 inches away from the laptop, as well as with Zoom’s built-in recording function on the MacBook.
In both types of experiment, 36 of the laptop’s keys were used. Each key was pressed 25 times in a row, with varying pressure and finger, and all 25 presses were stored in a single file.
Given how well the classifier identified the keys being pressed, the study shows that side-channel attacks to steal passwords or other sensitive data as it is typed can easily be executed using off-the-shelf equipment and algorithms.
Some of the suggested methods to mitigate the risk of such attacks currently include:
- Switching to touch typing.
- Varying your typing style.
- Using a mix of lowercase and uppercase letters, special characters and numbers for passwords.
- Enabling multi-factor authentication.
- And (for vendors) adding fake keystrokes to VoIP apps like Zoom or Skype.
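
The last mitigation in the list, sketched as an added example (not code from the study or from any VoIP vendor): decoy key clicks are mixed into the outgoing audio at random times, and a simple energy-threshold detector then finds more events than were typed. The click waveform, the detector, the timings and all function names are constructed assumptions for illustration.

```python
import math
import random

RATE, FRAME, CLICK, GAP = 8000, 80, 160, 480  # Hz; sizes in samples (all constructed)

def click(amp):
    """Constructed stand-in for a key click: a decaying 2 kHz burst."""
    return [amp * math.exp(-i / 30) * math.sin(2 * math.pi * 2000 * i / RATE)
            for i in range(CLICK)]

def synth(starts, amps, length, rng):
    """Quiet room noise plus one click per (start, amplitude) pair."""
    sig = [rng.gauss(0, 0.005) for _ in range(length)]
    for s, a in zip(starts, amps):
        for i, v in enumerate(click(a)):
            sig[s + i] += v
    return sig

def onsets(sig, thresh=0.05):
    """Energy-threshold isolation: frame starts where RMS rises above thresh."""
    found, prev_loud = [], False
    for f in range(0, len(sig) - FRAME + 1, FRAME):
        loud = math.sqrt(sum(x * x for x in sig[f:f + FRAME]) / FRAME) >= thresh
        if loud and not prev_loud:
            found.append(f)
        prev_loud = loud
    return found

def inject_decoys(sig, n, rng):
    """Mix in n decoy clicks at random times, at least GAP from other events."""
    out, busy = list(sig), onsets(sig)
    for _ in range(n):
        p = rng.randrange(len(out) - CLICK)
        while any(abs(p - b) < GAP for b in busy):
            p = rng.randrange(len(out) - CLICK)
        for i, v in enumerate(click(rng.uniform(0.5, 1.0))):
            out[p + i] += v
        busy.append(p)
    return out

def demo(seed=1):
    rng = random.Random(seed)
    real = [2000, 6000, 9500, 15000, 21000]   # constructed press times (samples)
    clean = synth(real, [0.9, 0.6, 0.8, 0.7, 1.0], 24000, rng)
    masked = inject_decoys(clean, 6, rng)
    return len(onsets(clean)), len(onsets(masked))

if __name__ == "__main__":
    print(demo())  # (real events found, events found after masking)
```

In this model the five typed keys become eleven isolated events after masking, so fewer than half of the segments passed to a classifier correspond to real input. The sketch assumes decoys that are acoustically similar to real clicks; how closely a product can achieve that is outside what the article covers.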