Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Your Rights Online Hardware

The Security Risk of Keyboard Clicks 361

Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."
This discussion has been archived. No new comments can be posted.

The Security Risk of Keyboard Clicks

Comments Filter:
  • Great... (Score:5, Funny)

    by ebob9 ( 726509 ) * on Thursday May 13, 2004 @07:40AM (#9138006)
    Now when I log in to my account at work, instead of just needing password, secureid, smartcard, fingerscan, eyescan, and a note from my mother, I'll also need to use an on-screen touch-screen keyboard!

    Of course, someone will probably now figure out that tapped glass reverberates at a different frequency...

    • Re:Great... (Score:5, Interesting)

      by orangesquid ( 79734 ) <orangesquid@ya h o o . com> on Thursday May 13, 2004 @07:42AM (#9138034) Homepage Journal
      Nah. Think about it: pressing different spots of your screen is like pressing down a guitar string at different points. You will cause the screen to resonate with a multitude of frequencies with distinct audio "fingerprints" for different points on the screen, which can also be picked up by very sensitive equipment.

      Sorry.
    • Re:Great... (Score:4, Interesting)

      by Aglassis ( 10161 ) on Thursday May 13, 2004 @07:52AM (#9138122)
      The problem can be solved easy enough with a numeric keypad. Place seven-segment displays under the keys that are randomly orientated, like
      7 5 2
      4 3 1
      0 9 6
      8

      This solves the problem for ATMs. If you dim the LEDs and polarize the light, you would make it more difficult for a camera to find the password also. Obviously this only applies to a numeric keypad (for ATMs and the like) since it would be a pain in the ass to change the lettering dynamically on a keyboard (at least for the user). The solutions for those using keyboards could be as simple as using a smartcard with a PIN number (which you enter on the randomized 10 digit display). The sooner we get rid of the biggest security risk on computers IMHO (guessable passwords) the better.
      • Re:Great... (Score:3, Insightful)

        And the blind users tell what the randomized order is... how?
        • And the blind users tell what the randomized order is... how?

          Through Braille, of course. I'm sure you have noticed that nearly all ATMs nowadays have Braille etched on the keypads. It'd probably be confusing at first, but they have to touch the keypad to enter their PIN anyway, so they'd figure it out sooner or later.

      • The company I worked at 5 years ago had these on all of the exterior doors. Whenever you pressed one of the numbers, all of the numbers would scramble position on the displays, so even through your entry code didnt change, the relative positions of all the keys changed every time.

        Albeit, not much use for blind users perhaps - I'd presume thats why I haven't since such an approach used anywhere else.
      • Re:Great... (Score:5, Informative)

        by jdreed1024 ( 443938 ) on Thursday May 13, 2004 @08:46AM (#9138695)
        Those already exist. They're called "scramble pads". We had one on the server room where I used to work. You press "start", and it displays the numbers in LEDs under the keys, and you enter the code. Every time you press start, the numbers are in a different position. And you can barely read them when staring right at the pad, let alone from the side.

        Of course, it took about 5 times longer to get in than with a key or swipe card (since the code was 8 numbers), but there's always a trade-off.

        here's a picutre [semcorp.com] of one.

      • smartcard with a PIN number

        somewhere a kitten just died.
    • Re:Great... (Score:2, Funny)

      by steveb964 ( 727054 )
      ...yeah, great!

      Now everyone will be able to know that I'm typing slashdot.org in my browser at work!!

      Sheesh, if this is true, I may actually have to do something!!
    • Well, that and the fingerprints will be a dead give-away. =)
    • That's why I have my machine auto-login my 32-character random generated password, thereby defeating keyloggers, over-the-shoulder eavesdropping, and even this new audio hack!

      Security is so easy.
    • ...playing a radio real loud while typing your password?

      Low tech thwarting of high tech snoopping.

  • Covering noise (Score:2, Interesting)

    by tindur ( 658483 )
    Now we just need some covering noise while logging in. Time for a kernel patch?
  • by Anonymous Coward
    You won't believe this, I know, but it's still a fact that I know a guy who - after couple of guesses - knows what you typed on your keyboard just by listening to your keyboard clicks.

    It's pretty amazing when he demonstrates that.
  • low~ (Score:5, Informative)

    by Leffe ( 686621 ) on Thursday May 13, 2004 @07:41AM (#9138020)
    The site was really slow, so I copied the article:


    OAKLAND -- Listen to this: Eavesdroppers can decipher what is typed by simply listening to the sound of a keystroke, according to a scientist at this week's IEEE Symposium of Security and Privacy in Oakland, Calif.

    Each key on computer keyboards, telephones and even ATM machines makes a unique sound as each key is depressed and released, according to a paper entitled "Keyboard Acoustic Emanations" presented Monday by IBM research scientist Dmitri Asonov.

    All that is needed is about $200 worth of microphones and sound processing and PC neural networking software.

    Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

    "This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

    Asonov found that by recording the same sound of a keystroke about 30 times and feeding it into a PC runninG standard neural netwOrking softwAre, he could decipher the keys with an 80% accuracy raTe. He was also able to train the SoftwarE on one keyboard to decipher the keystrokes on any other keyboard of the same make and model.

    Good sound quality is not required to recognize the acoustic signature or frequency of the key. In fact, Asonov was able to extract the audio captured by a cellular phone and still decipher the signal.

    "But don't panic," Asonov cautioned. "There are some easy ways to fix the problem." First, close the door in the room where you're working. Second, buy a rubber keyboard coffee guard that will dampen the sound enough to make eavesdropping difficult.

    However, Asonov said that he believed it was possible to use acoustical analysis algorithms to decipher key sounds based simply on gathering the data from just a couple of keys and extrapolating what other keys should sound like.

    Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories. For example, he discovered that it was the membrane that was providing the unique signature simply by cutting a keyboard in two and finding that the neural networking software no longer worked.


    Yeah, I put a surprise in there too ;)
    • "This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

      Well, while hitting the keys harder or softer may make little difference (note that the frequency is captured), doing weird tricks like

      • typing at 5 wpm rather than 50
      • mistyping a few keys, and going back and forth to correct the errors
      • using backspace every once in a while
      • ...
      • If each keystroke makes a distinctive sound, then I'd think that backspace and the cursor keys etc. would have too, wouldn't you? So if you were to type in "fe[backspace]oo" for example, it could still be interpreted as plain old "foo" once the data is analysed.

        It seems to me that the only way to defeat this is to modify or otherwise conceal the noise of te keyboard. But what would be the point of doing that? If someone has been able to plant a microphone sensitive enough to detect subtle differences i

      • How about hopping between windows a lot while entering passwords? The mics will only pick up what you're typing, but moving the mouse then becomes a lot harder to trace which window you're typing into. Enter the first few characters of one password in one window, move to another, start there, move back, etc.

        Then there's always the copy-and-paste method - copy characters off the screen and paste into the password window.

        'scuse me, I'm low on aluminum foil.
    • ...ATM machines,...

      News just in from the Department Of Redundancy Department - the security risk of keyboard clicks has been one of the biggest scares since the HIV virus. Crooks have been using the technology to scam people typing in their PIN numbers.
    • GROan, that was awFuL.
    • This is trivial compared to reproducing a document based on recording a telephone conversation.
  • by account_deleted ( 4530225 ) on Thursday May 13, 2004 @07:41AM (#9138021)
    Comment removed based on user account deletion
  • ... but a firstpost on slashdot sounds differently.
  • This isn't new. (Score:2, Interesting)

    by andy666 ( 666062 )
    There was a story a bit back (on Ars?) about how the government has been doing this since the 80's.
  • Security risks (Score:5, Insightful)

    by NETHED ( 258016 ) on Thursday May 13, 2004 @07:44AM (#9138049) Homepage
    You know, I don't care.

    Its not like I have the secrets to nuclear weapons research, nor do I have tomorrows stock market numbers. I and average Joe 24 Pack.

    So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.

    And well, if you have such sensative documents, Tempest your computer, unplug it from EVERY network and work.

    I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world. NO. Anywho, my girlfriend just yelled at me so I needed to vent.
  • bah (Score:4, Insightful)

    by awing0 ( 545366 ) <adam&badtech,org> on Thursday May 13, 2004 @07:45AM (#9138059) Homepage
    I'm still not going to give up my Model M.
  • by shoppa ( 464619 ) on Thursday May 13, 2004 @07:45AM (#9138061)
    80% accuracy is far from perfect. For instance, an OCR application that returned only 80% accuracy would probably be rejected by the vast majority of users, as this means hundreds of errors to be corrected per page.

    OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough.

    • Even if the password is recorded once, this will reduce the keyspace by 80%. Which is not bad if you want to do a brute force attack.

      Also, if the software provide with the estimated value for the accuracy of each keystroke (and which other key stroke may be likely for the produced sound) then you can direct your keyspace search to the most likely key first.

      One of the problem I have with this technique is that the guy had to record the sound of each key 30 times before starting to try to recognize keystrok
      • Even if the password is recorded once, this will reduce the keyspace by 80%.

        Actually, it will reduce the key space by much more than that. Assume a 10 char password, with each char picked among 96 (Ascii without ctrl chars).

        Without any help, you'd have 96**10 = 66483263599150104576 possibilities to try out.

        By having the output from the algorithm, and assuming only two of its guess are false, you'd only have to try 10*9/2*96*96 = 414720 combinations.

        Well, of course, you don't know that exactly two chara

    • Not to be a math nazi... but to just squeeze out the minimal qualification of "hundreds" of errors per page, assuming you're speaking at the granularity of single words (since that's the granularity spell checks work at), you'd have to have 1000 words per page. I doubt most professional documents would have that many words per page (and you'd have to do it at an 8 point font to make it happen anyway), so it may be of some use after all, especially where accuracy is less important, or the documents are small

  • LED clock (Score:3, Funny)

    by donnyspi ( 701349 ) <.junk5. .at. .donnyspi.com.> on Thursday May 13, 2004 @07:46AM (#9138066) Homepage
    I can't even tell what freakin time it is on my LED clock from ThinkGeek, much less deciper keyboard clicks and modem blinks :-)
  • by JosKarith ( 757063 ) on Thursday May 13, 2004 @07:46AM (#9138070)
    Al you have to do is install voice-recognition software, then train it to only understand you when you speak in a broad Glaswegian accent.
    Thereby ensuring NOBODY's going to be able to decipher a word you're saying.
  • ATM sounds (Score:3, Interesting)

    by monkeyserver.com ( 311067 ) on Thursday May 13, 2004 @07:46AM (#9138075) Homepage Journal
    Maybe I am remembering wrong, but I think old ATMs used to have slightly different tones for the different buttons, which is dumb, but sounds like something some engineer would do without thinking.

    This also got me thinking, I used to have an old MAC IIe, when you selected menu items (from that top mac tool bar) different pitches were emitted from the pc, they were quiet and possible actually created from the guns in the tube itself, but this type of thing could be used to figure out what ppl are doing... idontevenknow....
  • by kelseyj ( 398409 ) on Thursday May 13, 2004 @07:46AM (#9138079)
    This seems like this could be a new method of supporting wireless keyboards. No battery required!

    Place clever sig here
    • IANAP (Physicist) but does anyone know what the latency on such a keyboard would be and if it would be feasible? By latency I am talking the time between hitting the key and the sound moving through the air to the detector, and the detector translating this into a signal that can be fed into the PC.

      The parent has come up with a clever idea, and I'm sure that 100 percent accuracy could be achieved by adding a distinct sound signature to each key (think of a piano).

      The only trouble with this is holding dow
  • by Simon Carr ( 1788 ) <slashdot.org@simoncarr.com> on Thursday May 13, 2004 @07:48AM (#9138086) Homepage
    To pick up one of these babies [thinkgeek.com]... C'mon, it's like $400, I need to grab at any justification I can find!
  • by Clinoti ( 696723 ) * on Thursday May 13, 2004 @07:48AM (#9138090)
    Sadly I can't quote the exact book nor passage from it, but the story is set with a group of people in a cave at a time of war/experiment.

    Anyhow, the coordinator of the group would report the status of the group to the outside via computer. However there was only one computer and she typed on the keyboard by setting her hands under a shelf that masked the users typing. There was no screen. She simply made her notes, requests, etc by typing blindly on that keyboard.

    At an old networking facility I worked at we had a similar system in place to enter the server room, there was a keypad set into the wall next to the door and in order to enter your code for entry you had to place your hand inside the little 4X4 box that masked/overlayed the keypad. Add in the background noise from the HVAC systems outside the room and we pretty much had/have a secured system.

  • by account_deleted ( 4530225 ) on Thursday May 13, 2004 @07:49AM (#9138101)
    Comment removed based on user account deletion
  • by GarbanzoBean ( 695162 ) on Thursday May 13, 2004 @07:52AM (#9138120)
    I don't type my passwords. I use voice recognition software and just say them. No clicks to overhear baby!!!

    Doh
  • Hmmm (Score:2, Interesting)

    by SILIZIUMM ( 241333 )
    Can you say "tinfoil hat" ?
    • Re:Hmmm (Score:3, Funny)

      by alib001 ( 654044 )

      It's only a matter of time before they interpret the crinkling noises made by our protective hats and are able to read our very thoughts!

  • Yeah ... RIGHT (Score:4, Insightful)

    by ninewands ( 105734 ) on Thursday May 13, 2004 @07:53AM (#9138131)
    So, each key on a membrane keyboard makes a unique sound? I HOPE they try to patent this technology ... that is just SO obvious ... but is it practical in application?

    Eighty percent accuracy after "voiceprinting" each key thirty times and using neural nets to arrive at an abstract sound signature for each key? Of course, the simple expedient of changing keyboards will defeat that. Or by the other obvious antidote ... background noise! Better be some damned high-value information you're after bucko!

    Blinking lights on a modem can be decoded to yield the byte values sent and received? DUH ... also obvious ... that's why they are labelled "TD" and "RD"! Also easily defeated by simple piece of black tape.

    Sleep well tonight, your AFDB Brigade is on duty and alert!
    • Re:Yeah ... RIGHT (Score:3, Insightful)

      by evanbd ( 210358 )
      So, had this actually occured to you before the article was posted? If so, nicely done -- you're more creative than I am. But for the vast majority of people, this is non-obvious until it's been pointed out. Defeating it probably isn't hard, just like with the modems. However, in areas where security is that important, it still has to be defeated, which requires action. These articles are important simply because they point out security risks that most people would have thought impossible.
    • by lxt ( 724570 ) on Thursday May 13, 2004 @09:17AM (#9139064) Journal
      I'm afraid you're incorrect to say playing background noise would help. General background noise - even completely randomised white noise - won't be a problem for an incredibly sensitive microphone. Decent (OK, incredibly expensive) rifle mics are exceedingly directional, eliminating any noise from the sides.

      If you were to train a rifle mic direct at a keyboard from say, 20 metres away in a very busy work environment you could easily pick it up. You can also use a basic 32 band EQ to remove most noise outside of the keyboard clicking frequency.

      Background noise isn't really a problem - it's truly amazing what you can do with the correct equipment. For example, the USSR bugged a US embassy by donating an wall mounted American seal. It was sweeped for bugs, and nothing found. This was because there wasn't actually a bug in there - just a simple thin wire, that would vibrate with speech. The USSR then used a highly directional microphone across the street trained at the seal. They were then able to take the vibrations of the wire, and enhance them into speech.

      And that was around 20 years ago, long before the sound digital enhancement techniques of today.

      So I'll sleep well, but in the knowledge that background noise ain't going to help me that much. To stop keyboard noises the noise would have to be so loud you probably wouldn't be able to work anyway.
  • by shamir_k ( 222154 ) on Thursday May 13, 2004 @07:54AM (#9138142) Homepage
    I had this teacher who also did some network consulting. He told us of a case where he knew somebody was logging on at a client's site using his password, but he couldn't figure out how his password was being hacked. He noticed that whenever he was logging in, a particular secretary used to hang around. He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.

    • You can weaken the strength of a passphrase without the need to train instruments (including your ear) to a specific keyboard.

      Portions of passphrases can be easily caught using just the rhythm of key presses.

      Try typing "power".
      Now type "alsowhen".

      For an experienced typist (or even someone who uses a specific phrase regularly), when the characters are close together they normally roll their fingers. However, when the characters are on opposite ends of the keyboard, then timing becomes an issue since there
    • He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.

      I had a friend in high school that claimed he could translate tty-38 typing even with the high background noise level those machines made in the computing rooms.

      He demonstrated this by falsely calling in for support and writing down username/password combinations when the techs would show up and use their remote pas
  • The fact remains with all these things that you have to make your security procautions good enough so that it is more effect get through them than it's worth to do it. For example say I had 20 in my back account, nobody would spend 100 in time or money to get to it. This keyboard tapping proof of concept will not cause everyone to stop using typed passwords. Much like that ability to factorise large primes hasn't stopped people using RSA.
  • by jrm228 ( 677242 ) on Thursday May 13, 2004 @07:55AM (#9138149)
    It's easy to dismiss this right out, but for people who follow the intelligence industry this isn't new. Spooks can already listen to conversations through windows with lasers that measure vibration, and use filter technology to eliminate relatively constant background noise (e.g. a shower running). Combine that with some keyboard listening technology that's been in development for a long time: (see BBC 2001 reference) [bbc.co.uk] and suddenly IT security becomes a lot more interesting.

    As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.

    • Although I'm a fan of making things secure, the first rule of security is that it should be commensurate with what is being secured. In other words, don't build high walls for small issues. Not everyone needs to take counter measures for eavesdropping, but if someone is in fact involved in sensitive communication this makes sense.

      Personally, I would love to see a do it yourself kit to test this out.
  • by jabex ( 320163 ) on Thursday May 13, 2004 @07:55AM (#9138150) Homepage
    Good thing the whole future of "speech recognition" didn't pan out. Oh those silly Star Trek episodes, everyone can hear when Picard announces his secret password to everyone!
  • by Handover Slashdot ( 255651 ) on Thursday May 13, 2004 @07:56AM (#9138154)
    For many years, navy submarines have been able to identify surface ships by the sounds of their props. Not just the type, but the exact ship. Why couldn't this be applied to keyboards, especially if you monitor the particular typist for a while?
  • by Big Nothing ( 229456 ) <tord.stromdal@gmail.com> on Thursday May 13, 2004 @07:57AM (#9138163)
    In other news: hackers can connect to the internet by whistling into the phone.
  • Sneakers (Score:3, Informative)

    by ultrasonik ( 775562 ) on Thursday May 13, 2004 @07:57AM (#9138169) Homepage
    This is old news. Ever see the movie Sneakers from 1992?
  • Of course, a whole lot of this is just theory.

    A keyboard bug is not uncommon in the military. I didn't use one because it wasn't part of my job, but I did see one in use at communications/electronics school. It is more than 80% accurate. They also had one that listened to monitor frequencies to recreate what was on a monitor's screen. That was more flaky. The fuzziness was OK for trying to make out plain text, but when windows and such were involved it became an unreadable mess.
  • No worries. (Score:3, Funny)

    by Chess_the_cat ( 653159 ) on Thursday May 13, 2004 @08:02AM (#9138205) Homepage
    Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

    My Model M doesn't have a rubber membrane so I'm not worried. Then again you don't need a microphone to hear me typing on it. My neighbours can hear me typing. If someone were to stick a microphone up to it I'd be interested to know how much of their hearing they'd retain.

  • Re: (Score:2, Insightful)

    Comment removed based on user account deletion
  • Most PCs have a speaker, right?

    Run a keyboard demon that "accompanies" your every click with randomly chosen acoustics.

  • A replacement for the expensive, complex, and unreliable bluetooth and infrared protocols used for wireless keyboards...

    The AudioWiFi keyboard (or HiFi, maybe): no cables, no batteries, no line of sight. Just a microphone on the PC that listens to your keystrokes and learns what they mean.

    With 80% accuracy it wudls br possublr ti typr entirr dicunents witg onlu a feq ertors.

    And keep the music down!
  • Sometimes keyboard noise can be very expressive even without computer analysis. I've occasionally heard something like this from several cubes away:

    Click-click (Beep!) Click-click (Beep!) (Long pause) (Mouse click, mouse click). Click-click (Beep!) Click-click (Beep!) (Pause) Click-click (Beep!)

    Followed by a primal scream.
  • All I know is you don't need a bunch of expensive equipment to pick up sounds from my IBM Model M keyboard.
  • by List of FAILURES ( 769395 ) on Thursday May 13, 2004 @08:12AM (#9138319) Journal
    The ability to decipher what someone types based on the key clicks is quite interesting, but merely conceptual. Certainly, there are plenty of security holes in any technology. This implies that nothing is secure. However, you cannot sit awake at night worrying that someone wants to spy on your personal data. If you do, the you must have a mental condition. Just take a step back for a few minutes and look at the world around you. Think about your life and the things that have happened to you. Just from your own perspective, how many times have you been burgled? Car(s) stolen? Been questioned or interviewed by the authorities? Had important data intercepted and used against you (I'm not talking about homework assignments in grade school)? Actually had identity theft perpetrated against you regardless of using fairly normal measures against discovery? Actually had a system compromised? I think that most of us can attest to the fact that, in reality, this kind of thing happens less frequently than the fear mongers want you to believe. Of course, it does happen, and when it happens to you, it makes you feel like you're just one of many. But this is not the truth. The real truth is that you must use common sense regarding your personal data. Assuming that someone is standing behind you looking over your shoulder to snag your ATM PIN is a sickness. However, being cautious and trying to obscure your keystrokes is reasonable.

    If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This s warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, peronally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parent's place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.

    So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.
  • "Of course, a whole lot of this is just theory."

    Isn't that the exact opposite of what the article says?

    Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories.
  • by zymurgy_cat ( 627260 ) on Thursday May 13, 2004 @08:16AM (#9138361) Homepage
    Now I know that I should have saved my Atari 400. With that flat quiet keyboard, no one would be able to snoop on my typing. Of course, I'd have carpal tunnel so bad I couldn't pick up a spoon...
  • One capacitor on each LED will fix that!!
  • Nueral Network... (Score:3, Insightful)

    by s88 ( 255181 ) on Thursday May 13, 2004 @08:24AM (#9138467) Homepage
    Ummm... so the "attacker" has to have access to your machine for a significant amount of time to train it on each key. I'm not too concerned. To have this kind of access they must also have uninterrupted physical access for a long enough to make a hidden software attack.
  • by Rahga ( 13479 ) on Thursday May 13, 2004 @08:40AM (#9138646) Journal
    "Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."

    Anybody who saw the episode of the CBS evening buddy-cop-drama "Due South: A Hawk and a Handsaw" [realduesouth.com] knows that you don't need any special equipment. Just get a Canadian Mountie, have him listen to a nurse while she types in her password, and after several tries, the Mountie will be able to reproduce the password based solely on the sound of the clicks... Results are even better if the password is typed in to the tune of "I've been working on the railroad.".
  • by pbryan ( 83482 ) <email@pbryan.net> on Thursday May 13, 2004 @08:47AM (#9138712) Homepage
    Of course, a whole lot of this is just theory.

    Of course, in theory:

    - the earth is spherical in shape
    - the earth revolves around the sun
    - we evolved from lower species
    - energy equals mass times the speed of light squared
  • easy fix. (Score:5, Funny)

    by dj245 ( 732906 ) on Thursday May 13, 2004 @08:50AM (#9138751) Homepage
    what, you guys don't use a binary keyboard? 99 less keys to break.
  • Passwords, how cute (Score:3, Informative)

    by DrSkwid ( 118965 ) on Thursday May 13, 2004 @08:57AM (#9138827) Journal

    I stopped typing passwords a long time ago, because I use Factotum [dotgeek.org]

  • by iammrjvo ( 597745 ) on Thursday May 13, 2004 @09:25AM (#9139132) Homepage Journal

    About ten years ago, I worked at a defense contractor. We had a project to identify aircraft based on the microphone clicks from their transmissions. As it turns out, radios from the same make and model have unique RF ramp up and cut off patterns. This allows you to identify a particular transmitter based on its transients.

    The details of the project were classified, but I will say that, even ten years ago, the results were impressive.
  • by Dun Malg ( 230075 ) on Thursday May 13, 2004 @09:41AM (#9139324) Homepage
    From the article:
    Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

    "This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

    One minor problem with this scheme is that most of "today's" computer keyboards don't use rubber membranes. They use two sheets of plastic with conductive tracing printed on them, separated by a third sheet of plastic with holes. The keypress pushes the contact on the top sheet through the hole to touch the contact on the bottom sheet. Hardly any keyboards use the collapsing rubber domes because they're much more expensive that a few sheets of plastic.

    So what's next? A scheme to read telegraph signals off Western Union's lines? A device that can tell what I'm watching on a zoetrope [wikipedia.org] by reading analyzing flickering light?

  • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday May 13, 2004 @10:07AM (#9139636) Homepage
    Different pairs of keys have different timings, so just looking at the timing difference gives you quite a bit of information. There's even a paper [cmu.edu] about this phenomenon which gives some numbers. It focuses on sniffing the network traffic, but the results should also apply for data that is gather accoustically.

Never test for an error condition you don't know how to handle. -- Steinbach

Working...