New Side-Channel Attack Recovers Data from Keyboard Sounds
A group of researchers has developed an “acoustic side-channel attack” based on a deep learning model. The attack determines which keys are pressed by analyzing the sounds recorded by a nearby phone’s microphone, with accuracy of up to 95%.
According to the researchers, the combination of machine learning, widely used microphones, and video calls could pose a significant threat to users. Laptops are especially at risk, as the sound of keystrokes can be easily recorded in quiet public places like coffee shops, libraries, or offices. Additionally, most laptops have standardized, non-modular keyboards, meaning different models may share similar acoustic profiles.
The study notes that keyboards could become an easily accessible attack vector because users typically don’t think to hide their typing sounds. “For example, people often hide their screens when entering passwords, but do little to conceal the sound of their keyboards,” the authors state.
For their experiments, the researchers used a 2021 MacBook Pro, which “has a keyboard identical in switch design to models from the past two years and possibly future ones.” To train the model on the waveforms associated with individual key presses, the researchers pressed each of 36 keys 25 times, applying different amounts of force and using different fingers.
In the first test, the sound of the keyboard was recorded using an iPhone 13 mini placed 17 cm from the laptop. In the second test, the recording was done via Zoom using the MacBook’s built-in microphones, with Zoom’s noise suppression set to the minimum level.
In both tests, the researchers achieved over 93% accuracy (with the phone recording reaching 95-96%). Skype, in comparison, produced a lower but still usable accuracy of 91.7%.
How to Protect Against Such Attacks
- Change your typing style or switch to touch typing, which is less accurately recognized by the attack.
- Use randomized passwords with mixed-case characters, as it can be difficult for the model to detect the “release peak” of the Shift key.
- Add randomly generated fake keystrokes to the transmitted audio during video calls, though this “may make software use more difficult for the other party.”
- Use biometrics, such as facial recognition or fingerprints, instead of passwords.
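The fake-keystroke countermeasure from the list above, sketched as an added example (not code from the researchers or from any conferencing product): decoy clicks are mixed into the outgoing audio at offsets chosen by a CSPRNG, so their timing cannot be predicted and filtered out. The 16 kHz mono float-sample format, the synthetic click standing in for a recorded keystroke, the gap bounds, and all function names are assumptions.

```python
import math
import secrets

SAMPLE_RATE = 16_000  # assumed mono sample rate (Hz)

def decoy_click(duration_s=0.05, freq_hz=2500.0, amplitude=0.3):
    """Constructed stand-in for a recorded keystroke: a decaying tone burst."""
    n = int(SAMPLE_RATE * duration_s)
    return [amplitude * math.exp(-60.0 * i / SAMPLE_RATE)
            * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(n)]

def schedule_decoys(total_samples, click_len, min_gap_s=0.08, max_gap_s=0.40):
    """Pick non-overlapping start offsets with CSPRNG-chosen gaps between decoys."""
    lo, hi = int(min_gap_s * SAMPLE_RATE), int(max_gap_s * SAMPLE_RATE)
    offsets, pos = [], secrets.randbelow(hi)
    while pos + click_len <= total_samples:
        offsets.append(pos)
        pos += click_len + lo + secrets.randbelow(hi - lo + 1)
    return offsets

def mix_decoys(outgoing, click, offsets):
    """Add the decoy click at each offset, clamping samples to [-1.0, 1.0]."""
    mixed = list(outgoing)
    for start in offsets:
        for i, sample in enumerate(click):
            mixed[start + i] = max(-1.0, min(1.0, mixed[start + i] + sample))
    return mixed

def protect(outgoing):
    """Return the outgoing audio with decoys mixed in, plus the chosen offsets."""
    click = decoy_click()
    offsets = schedule_decoys(len(outgoing), len(click))
    return mix_decoys(outgoing, click, offsets), offsets

if __name__ == "__main__":
    silence = [0.0] * (SAMPLE_RATE * 2)  # constructed input: 2 s of silent audio
    mixed, offsets = protect(silence)
    print(f"{len(offsets)} decoys injected at sample offsets {offsets}")
```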