A noisy, clicky-clacky keyboard is the joy of (at least some) mechanical keyboard fans. But you might want to rethink that position, if the murderous glares of your family and coworkers aren’t enough to convince you already. A team of security researchers in the UK has created a system that can listen to your keystrokes and record exactly what you’re typing — even over a web conferencing app like Zoom.
To be clear, this isn’t an active threat “in the wild,” more of a proof of concept so that security managers can be aware of a potential danger. Researchers from Durham University, University of Surrey, and Royal Holloway University of London (PDF link) developed a two-step process: recording a selection of keystrokes from a specific keyboard via a compromised vector, like a smartphone loaded with targeted malware, then using those recordings to “train” an algorithm to determine the audible differences in the sound each individual key on the keyboard makes.
Put that data through an analysis program and you can “hear” what’s being typed with up to 95 percent accuracy. That’s via the local smartphone method — recordings made through Zoom and Skype were “just” 93 percent and 91.7 percent accurate, respectively.
For the tests the team used a MacBook Pro and an iPhone as the initial recording point, though the system was limited to just 36 keys, the primary letter and number keys. According to Bleeping Computer, the training system needed to “hear” each key pressed 25 times in a row in order to create a reliable training system, and it also needed the input of the keys in the form of the text being typed. After that, it was able to transcribe what was being typed based on audio alone. That means a system to replicate these results in the real world would probably need a lot more input in order to develop a reliable model; You don’t use the Z or X keys as often as E and A, for example.
Key noise reduction doesn’t seem like a valid mitigation option, since laptop keys are about as quiet as it gets already. The researchers encourage those who want to protect themselves against this kind of attack use randomized passwords — a 20-character password with lots of uppercase letters and special characters would be sufficiently complex to prevent an automatic detection with a 95 percent accurate system. One of the best password manager programs might be helpful if you’re looking to keep your info safe.