The Security Risk of Keyboard Clicks 361
Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."
Great... (Score:5, Funny)
Of course, someone will probably now figure out that tapped glass reverberates at a different frequency...
Re:Great... (Score:5, Interesting)
Sorry.
Re:Great... (Score:5, Insightful)
Re:Great... (Score:5, Funny)
It seems that no matter what you do, we'll be screwed anyway. We might as well go to a trust-based system. How about everybody just changes all their passwords to 'secret'?
Re:Great... (Score:5, Funny)
First somebody gives away the 12345, now secret.
Sheesh.. What's this world coming too?
-J-
Re:Great... (Score:3, Funny)
Ah Spaceballs, what would we do without you?
Re:Great... (Score:3, Interesting)
Re:Great... (Score:3, Interesting)
Re:Great... (Score:3, Informative)
Re:Great... (Score:5, Interesting)
I came across this type of device when entering a bank building. You had to enter a 6-digit code into a keypad to unlock the door. Each key was a tiny LCD display and the location of each digit was randomized for each use.
Re:Great... (Score:5, Funny)
Re:Great... (Score:4, Interesting)
7 5 2
4 3 1
0 9 6
8
This solves the problem for ATMs. If you dim the LEDs and polarize the light, you would make it more difficult for a camera to find the password also. Obviously this only applies to a numeric keypad (for ATMs and the like) since it would be a pain in the ass to change the lettering dynamically on a keyboard (at least for the user). The solutions for those using keyboards could be as simple as using a smartcard with a PIN number (which you enter on the randomized 10 digit display). The sooner we get rid of the biggest security risk on computers IMHO (guessable passwords) the better.
Re:Great... (Score:3, Insightful)
Re:Great... (Score:2)
And the blind users tell what the randomized order is... how?
Through Braille, of course. I'm sure you have noticed that nearly all ATMs nowadays have Braille etched on the keypads. It'd probably be confusing at first, but they have to touch the keypad to enter their PIN anyway, so they'd figure it out sooner or later.
Re:Great... (Score:2)
Albeit, not much use for blind users perhaps - I'd presume thats why I haven't since such an approach used anywhere else.
Re:Great... (Score:5, Informative)
Of course, it took about 5 times longer to get in than with a key or swipe card (since the code was 8 numbers), but there's always a trade-off.
here's a picutre [semcorp.com] of one.
Oh, it hurts... (Score:3, Funny)
somewhere a kitten just died.
my bank's ATM's and Internet smart keyboards (Score:2)
Enter your PIN: [______]
[ 1 or 7 ] [ 3 or 9 ] [ 4 or 5 ] [ 6 or 8 ] [ 2 or 0 ]
and the numbers alternate positions randomly.
Re:Great... (Score:3, Interesting)
Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.
"This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov
All you have to do is stand by the ATM and press each key a few times to find out which one is making which noise.
Re:Great... (Score:2, Funny)
Now everyone will be able to know that I'm typing slashdot.org in my browser at work!!
Sheesh, if this is true, I may actually have to do something!!
Re:Great... (Score:2)
My solution. (Score:2)
Security is so easy.
How about... (Score:2)
Low tech thwarting of high tech snoopping.
Covering noise (Score:2, Interesting)
Re:Covering noise (Score:2, Funny)
Re:Covering noise (Score:3, Funny)
Are you trying to tell me I won't be secure until I get sound working in KDE? Crap.
Some people are more gifted than others (Score:2, Interesting)
It's pretty amazing when he demonstrates that.
low~ (Score:5, Informative)
Yeah, I put a surprise in there too
Sounds fishy (no pun intended) (Score:3, Interesting)
Well, while hitting the keys harder or softer may make little difference (note that the frequency is captured), doing weird tricks like
Re:Sounds fishy (no pun intended) (Score:3, Insightful)
It seems to me that the only way to defeat this is to modify or otherwise conceal the noise of te keyboard. But what would be the point of doing that? If someone has been able to plant a microphone sensitive enough to detect subtle differences i
Re:Sounds fishy (no pun intended) (Score:2)
Re:Sounds fishy (no pun intended) (Score:3, Interesting)
Then there's always the copy-and-paste method - copy characters off the screen and paste into the password window.
'scuse me, I'm low on aluminum foil.
Re:low~ (Score:2)
News just in from the Department Of Redundancy Department - the security risk of keyboard clicks has been one of the biggest scares since the HIV virus. Crooks have been using the technology to scam people typing in their PIN numbers.
Re:low~ (Score:2)
Re:low~ (Score:2)
"Of course, a whole lot of this is just theory." (Score:5, Funny)
Re:"Of course, a whole lot of this is just theory. (Score:2)
Spook 1: "So, we have fragment of ready-salted crisp crunch followed by old muffin.."
Spook 2: "Nah, that was a piece of bagette"
Spook 1: "You think?"
Spook 2: "Yeah, must have been about 3 weeks old"
Spook 1: "eurh, okay, hairy old bagette and then
Spook 1: "...So from that, we can work out that his password is 'password'. Such is the power of sub-key decomposition auditory analysis gentlemen!"
Re:"Of course, a whole lot of this is just theory. (Score:5, Insightful)
Statement 1: "Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy."
Statement 2: "Of course, a whole lot of this is just theory."
My Statement: No, only one of those statements can be true
I heard this sound before (Score:2)
Re:I heard this sound before (Score:2)
Now I see why this technology is only 80 percent effective...
This isn't new. (Score:2, Interesting)
Security risks (Score:5, Insightful)
Its not like I have the secrets to nuclear weapons research, nor do I have tomorrows stock market numbers. I and average Joe 24 Pack.
So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.
And well, if you have such sensative documents, Tempest your computer, unplug it from EVERY network and work.
I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world. NO. Anywho, my girlfriend just yelled at me so I needed to vent.
Re:Security risks (Score:5, Funny)
Anywho, my girlfriend just yelled at me so I needed to vent.
Huh? Quit making up words!
Re:Security risks (Score:2)
> have tomorrows stock market numbers. I and average Joe 24 Pack.
But you and Joe 24-Pack both have credit cards, right? The story mentions that this could be used to steal your pincode.
I know that the story has a disclaimer at the end, but if whoever does credit card scams could make this work, it seems like it's more than just an academic exercise.
bah (Score:4, Insightful)
80% accuracy can be useless... or not (Score:5, Interesting)
OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough.
Re:80% accuracy can be useless... or not (Score:3, Interesting)
Also, if the software provide with the estimated value for the accuracy of each keystroke (and which other key stroke may be likely for the produced sound) then you can direct your keyspace search to the most likely key first.
One of the problem I have with this technique is that the guy had to record the sound of each key 30 times before starting to try to recognize keystrok
Re:80% accuracy can be useless... or not (Score:3, Informative)
Actually, it will reduce the key space by much more than that. Assume a 10 char password, with each char picked among 96 (Ascii without ctrl chars).
Without any help, you'd have 96**10 = 66483263599150104576 possibilities to try out.
By having the output from the algorithm, and assuming only two of its guess are false, you'd only have to try 10*9/2*96*96 = 414720 combinations.
Well, of course, you don't know that exactly two chara
Re:80% accuracy can be useless... or not (Score:2)
Re:80% accuracy can be useless... or not (Score:3, Interesting)
Not to be a math nazi... but to just squeeze out the minimal qualification of "hundreds" of errors per page, assuming you're speaking at the granularity of single words (since that's the granularity spell checks work at), you'd have to have 1000 words per page. I doubt most professional documents would have that many words per page (and you'd have to do it at an 8 point font to make it happen anyway), so it may be of some use after all, especially where accuracy is less important, or the documents are small
LED clock (Score:3, Funny)
This is easy to overcome (Score:5, Funny)
Thereby ensuring NOBODY's going to be able to decipher a word you're saying.
ATM sounds (Score:3, Interesting)
This also got me thinking, I used to have an old MAC IIe, when you selected menu items (from that top mac tool bar) different pitches were emitted from the pc, they were quiet and possible actually created from the guns in the tube itself, but this type of thing could be used to figure out what ppl are doing... idontevenknow....
New Technique for Wireless Keyboard (Score:3, Interesting)
Place clever sig here
Re:New Technique for Wireless Keyboard (Score:2)
The parent has come up with a clever idea, and I'm sure that 100 percent accuracy could be achieved by adding a distinct sound signature to each key (think of a piano).
The only trouble with this is holding dow
Re:New Technique for Wireless Keyboard (Score:2, Interesting)
Hum, 2 vibration of the membrane ? One at the keypress and the second wave at the release...
More reason than ever... (Score:4, Informative)
Obligatory Heinlien Reference.... (Score:3, Interesting)
Anyhow, the coordinator of the group would report the status of the group to the outside via computer. However there was only one computer and she typed on the keyboard by setting her hands under a shelf that masked the users typing. There was no screen. She simply made her notes, requests, etc by typing blindly on that keyboard.
At an old networking facility I worked at we had a similar system in place to enter the server room, there was a keypad set into the wall next to the door and in order to enter your code for entry you had to place your hand inside the little 4X4 box that masked/overlayed the keypad. Add in the background noise from the HVAC systems outside the room and we pretty much had/have a secured system.
Comment removed (Score:5, Funny)
will never break my password (Score:4, Funny)
Doh
Hmmm (Score:2, Interesting)
Re:Hmmm (Score:3, Funny)
It's only a matter of time before they interpret the crinkling noises made by our protective hats and are able to read our very thoughts!
Yeah ... RIGHT (Score:4, Insightful)
Eighty percent accuracy after "voiceprinting" each key thirty times and using neural nets to arrive at an abstract sound signature for each key? Of course, the simple expedient of changing keyboards will defeat that. Or by the other obvious antidote
Blinking lights on a modem can be decoded to yield the byte values sent and received? DUH
Sleep well tonight, your AFDB Brigade is on duty and alert!
Re:Yeah ... RIGHT (Score:3, Insightful)
Background noise would not help (Score:4, Interesting)
If you were to train a rifle mic direct at a keyboard from say, 20 metres away in a very busy work environment you could easily pick it up. You can also use a basic 32 band EQ to remove most noise outside of the keyboard clicking frequency.
Background noise isn't really a problem - it's truly amazing what you can do with the correct equipment. For example, the USSR bugged a US embassy by donating an wall mounted American seal. It was sweeped for bugs, and nothing found. This was because there wasn't actually a bug in there - just a simple thin wire, that would vibrate with speech. The USSR then used a highly directional microphone across the street trained at the seal. They were then able to take the vibrations of the wire, and enhance them into speech.
And that was around 20 years ago, long before the sound digital enhancement techniques of today.
So I'll sleep well, but in the knowledge that background noise ain't going to help me that much. To stop keyboard noises the noise would have to be so loud you probably wouldn't be able to work anyway.
Can be done by ear as well (Score:5, Interesting)
Re:Can be done by ear as well (Score:3, Interesting)
Portions of passphrases can be easily caught using just the rhythm of key presses.
Try typing "power".
Now type "alsowhen".
For an experienced typist (or even someone who uses a specific phrase regularly), when the characters are close together they normally roll their fingers. However, when the characters are on opposite ends of the keyboard, then timing becomes an issue since there
Re:Can be done by ear as well (Score:3, Interesting)
I had a friend in high school that claimed he could translate tty-38 typing even with the high background noise level those machines made in the computing rooms.
He demonstrated this by falsely calling in for support and writing down username/password combinations when the techs would show up and use their remote pas
Not really that worrying (Score:2)
Re:Not really that worrying (Score:2)
IT professionals: don't ignore this (Score:5, Interesting)
As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.
Re:IT professionals: don't ignore this (Score:3, Interesting)
Personally, I would love to see a do it yourself kit to test this out.
Future - Speech Recognition (Score:3, Funny)
This technology was bound to emerge (Score:5, Interesting)
In other news: (Score:5, Funny)
Re:In other news: (Score:2)
Bah, thats nothing. I uuencode all my attachments by hand.
Sneakers (Score:3, Informative)
Military Equipment != Just Theory (Score:2)
A keyboard bug is not uncommon in the military. I didn't use one because it wasn't part of my job, but I did see one in use at communications/electronics school. It is more than 80% accurate. They also had one that listened to monitor frequencies to recreate what was on a monitor's screen. That was more flaky. The fuzziness was OK for trying to make out plain text, but when windows and such were involved it became an unreadable mess.
No worries. (Score:3, Funny)
My Model M doesn't have a rubber membrane so I'm not worried. Then again you don't need a microphone to hear me typing on it. My neighbours can hear me typing. If someone were to stick a microphone up to it I'd be interested to know how much of their hearing they'd retain.
Re: (Score:2, Insightful)
bad musician to the rescue (Score:2)
Run a keyboard demon that "accompanies" your every click with randomly chosen acoustics.
This gives me a great idea... (Score:2)
The AudioWiFi keyboard (or HiFi, maybe): no cables, no batteries, no line of sight. Just a microphone on the PC that listens to your keystrokes and learns what they mean.
With 80% accuracy it wudls br possublr ti typr entirr dicunents witg onlu a feq ertors.
And keep the music down!
Click-click (Beep!) Click-click (Beep!) (Score:2)
Click-click (Beep!) Click-click (Beep!) (Long pause) (Mouse click, mouse click). Click-click (Beep!) Click-click (Beep!) (Pause) Click-click (Beep!)
Followed by a primal scream.
model M (Score:2)
Re:model M (Score:2)
Fear and Paranoia Abound (Score:5, Insightful)
If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This s warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, peronally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parent's place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.
So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.
no theoretical background! (Score:2)
Isn't that the exact opposite of what the article says?
Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories.
I should have saved my Atari 400 (Score:3, Funny)
The LED thing is easy to fix. (Score:2)
Nueral Network... (Score:3, Insightful)
Who needs a machine when we've got the Mounties!?! (Score:3, Funny)
Anybody who saw the episode of the CBS evening buddy-cop-drama "Due South: A Hawk and a Handsaw" [realduesouth.com] knows that you don't need any special equipment. Just get a Canadian Mountie, have him listen to a nurse while she types in her password, and after several tries, the Mountie will be able to reproduce the password based solely on the sound of the clicks... Results are even better if the password is typed in to the tune of "I've been working on the railroad.".
In theory... (Score:3, Funny)
Of course, in theory:
- the earth is spherical in shape
- the earth revolves around the sun
- we evolved from lower species
- energy equals mass times the speed of light squared
easy fix. (Score:5, Funny)
Passwords, how cute (Score:3, Informative)
I stopped typing passwords a long time ago, because I use Factotum [dotgeek.org]
Similar Technology Used in Aircraft Identification (Score:3, Interesting)
About ten years ago, I worked at a defense contractor. We had a project to identify aircraft based on the microphone clicks from their transmissions. As it turns out, radios from the same make and model have unique RF ramp up and cut off patterns. This allows you to identify a particular transmitter based on its transients.
The details of the project were classified, but I will say that, even ten years ago, the results were impressive.
Spying on outdated keyboards (Score:3, Insightful)
One minor problem with this scheme is that most of "today's" computer keyboards don't use rubber membranes. They use two sheets of plastic with conductive tracing printed on them, separated by a third sheet of plastic with holes. The keypress pushes the contact on the top sheet through the hole to touch the contact on the bottom sheet. Hardly any keyboards use the collapsing rubber domes because they're much more expensive that a few sheets of plastic.
So what's next? A scheme to read telegraph signals off Western Union's lines? A device that can tell what I'm watching on a zoetrope [wikipedia.org] by reading analyzing flickering light?
Delay variation is often sufficient (Score:3, Interesting)
Re:Easy way around this (Score:2)
Well anyone who has been late for work knows that trick anyways
It is done just after the coughing loudly while sitting down quietly.
Re:Switch Lights (Score:3, Informative)
Re:Yes but. . . (Score:3, Interesting)
This directly brings up a question I've been pondering for a while now...
Why in the hell is it that people are willing to pay hundreds of dollars extra to quiet the noise of the fans in their computers, yet many still want noisy keyboards?
It's as if a construction worker, who is jack-hammering ou