The Security Risk of Keyboard Clicks

Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."

Security risks

[NETHED]

You know, I don't care.

Its not like I have the secrets to nuclear weapons research, nor do I have tomorrows stock market numbers. I and average Joe 24 Pack.

So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.

And well, if you have such sensative documents, Tempest your computer, unplug it from EVERY network and work.

I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world. NO. Anywho, my girlfriend just yelled at me so I needed to vent.

bah

[awing0]

I'm still not going to give up my Model M.

Re:Great...

[kinema]

Of course you could just have the software randomize the location of the numbers each time.

I doesn't matter

[Anonymous Coward]

The reality is if someone reallio TRUELIO WANTS!! to get into your account, they WILL succeed.

I think more effort should be put into hindering crackers eforts once they are inside the system rather than having a completly open system with never good enough security.

Safegaurds!

Yeah ... RIGHT

[ninewands]

So, each key on a membrane keyboard makes a unique sound? I HOPE they try to patent this technology ... that is just SO obvious ... but is it practical in application?

Eighty percent accuracy after "voiceprinting" each key thirty times and using neural nets to arrive at an abstract sound signature for each key? Of course, the simple expedient of changing keyboards will defeat that. Or by the other obvious antidote ... background noise! Better be some damned high-value information you're after bucko!

Blinking lights on a modem can be decoded to yield the byte values sent and received? DUH ... also obvious ... that's why they are labelled "TD" and "RD"! Also easily defeated by simple piece of black tape.

Sleep well tonight, your AFDB Brigade is on duty and alert!

Re:Sounds fishy (no pun intended)

[Zocalo]

If each keystroke makes a distinctive sound, then I'd think that backspace and the cursor keys etc. would have too, wouldn't you? So if you were to type in "fe[backspace]oo" for example, it could still be interpreted as plain old "foo" once the data is analysed.

It seems to me that the only way to defeat this is to modify or otherwise conceal the noise of te keyboard. But what would be the point of doing that? If someone has been able to plant a microphone sensitive enough to detect subtle differences in your keystrokes without your knowledge, then they could have planted something else to do the job much more efficiently.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Great...

[RollingThunder]

And the blind users tell what the randomized order is... how?

Fear and Paranoia Abound

[List of FAILURES]

The ability to decipher what someone types based on the key clicks is quite interesting, but merely conceptual. Certainly, there are plenty of security holes in any technology. This implies that nothing is secure. However, you cannot sit awake at night worrying that someone wants to spy on your personal data. If you do, the you must have a mental condition. Just take a step back for a few minutes and look at the world around you. Think about your life and the things that have happened to you. Just from your own perspective, how many times have you been burgled? Car(s) stolen? Been questioned or interviewed by the authorities? Had important data intercepted and used against you (I'm not talking about homework assignments in grade school)? Actually had identity theft perpetrated against you regardless of using fairly normal measures against discovery? Actually had a system compromised? I think that most of us can attest to the fact that, in reality, this kind of thing happens less frequently than the fear mongers want you to believe. Of course, it does happen, and when it happens to you, it makes you feel like you're just one of many. But this is not the truth. The real truth is that you must use common sense regarding your personal data. Assuming that someone is standing behind you looking over your shoulder to snag your ATM PIN is a sickness. However, being cautious and trying to obscure your keystrokes is reasonable.

If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This s warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, peronally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parent's place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.

So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.

Re:Yeah ... RIGHT

[evanbd]

So, had this actually occured to you before the article was posted? If so, nicely done -- you're more creative than I am. But for the vast majority of people, this is non-obvious until it's been pointed out. Defeating it probably isn't hard, just like with the modems. However, in areas where security is that important, it still has to be defeated, which requires action. These articles are important simply because they point out security risks that most people would have thought impossible.

Nueral Network...

[s88]

Ummm... so the "attacker" has to have access to your machine for a significant amount of time to train it on each key. I'm not too concerned. To have this kind of access they must also have uninterrupted physical access for a long enough to make a hidden software attack.

Passwords can be hijacked?

[freezin fat guy]

Passwords are a poor security mechanism anyway. We really need to press the industry to move on in this field.

Spying on outdated keyboards

[Dun Malg]

From the article:

Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

"This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

One minor problem with this scheme is that most of "today's" computer keyboards don't use rubber membranes. They use two sheets of plastic with conductive tracing printed on them, separated by a third sheet of plastic with holes. The keypress pushes the contact on the top sheet through the hole to touch the contact on the bottom sheet. Hardly any keyboards use the collapsing rubber domes because they're much more expensive that a few sheets of plastic.

So what's next? A scheme to read telegraph signals off Western Union's lines? A device that can tell what I'm watching on a zoetrope [wikipedia.org] by reading analyzing flickering light?

Re:"Of course, a whole lot of this is just theory.

[Discoflamingo13]

Here's my problem:

Statement 1: "Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy."

Statement 2: "Of course, a whole lot of this is just theory."

My Statement: No, only one of those statements can be true

Whatever, nothing to see here

[PrvtBurrito]

Just about everything is sensitive to attacks like this. Someone on your telephone pole can listen to your phone conversations. Someone with a bug can listen to conversations in a room. Someone monitoring internet traffic can monitor your website usage. A monitor in your car can track your movements. There are a lot bigger problems than someone listening to keyboard clicks, IMO. Make it illegal and be done with it. -Sean