Getting sneaky with your security: AI eavesdrops on keyboard clicks to crack passwords

What’s happening?

A recent study showed that a deep learning model, given keystroke audio recorded by a smartphone's microphone or by video conferencing software running on a laptop, could work out the passwords being typed.

Who does this affect?

Anyone who types passwords on a keyboard that is near a mic. That includes anyone typing passwords during a conference call, or near someone whose cellphone has recording turned on.

Terms to understand: 

Deep Learning: Think of it as teaching computers to learn and make predictions on their own without being explicitly programmed. In simple terms, deep learning is enabling computers to think, learn, and make decisions like humans do. 

Acoustic Side Channel Attack (ASCA): A type of cyberattack that leverages sound waves to steal sensitive information such as passwords or other confidential data.

Keystroke Attack: A keystroke attack, also known as keylogging or keyboard capturing, refers to the act of recording and monitoring the keys pressed on a keyboard without the user's knowledge or consent. 

In Brief: The study concluded that, using everyday devices, a deep learning model could predict which key was being typed from the captured audio. In a relatively short amount of time the model had cracked the test subject's passwords with an accuracy of 95% from the phone recording and 93% from the Zoom recording.

What can we do to protect ourselves?  

  1. Change up your typing style. The test's accuracy dropped significantly when touch typing was used (a typing technique that involves using all ten fingers to type on a keyboard without looking at the keys).

  2. Use randomized passwords with multiple cases. Passwords that use whole words may be easier to crack, and the deep learning model in this study had a harder time telling whether the shift key was still being held down.

  3. Have some noise playing in the background. Because algorithms exist for removing white noise, the study had better luck confusing the model with extra clicking sounds.

  4. Avoid typing sensitive information such as passwords when participating in recorded sessions like conference calls.

Studies such as these help technology developers improve their systems. They may lead conferencing software like Zoom and Teams to embed a shortwave keyboard clicking sound that is inaudible to the user but effective at confusing cybercriminals.
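
The "extra clicking sounds" idea from the background-noise tip and the paragraph above, sketched in Python as an added example (not code from the study or from any conferencing product): it builds a track of synthetic decoy clicks at random offsets and mixes it into an audio buffer. The sample rate, click shape, click rate and the tone standing in for call audio are all assumptions made for illustration.

```python
import math
import random

RATE = 16_000      # samples per second, assumed (common for voice-call audio)
CLICK_MS = 12      # assumed length of one decoy click
PEAK = 9_000       # assumed maximum click amplitude on a 16-bit scale

def decoy_click(rng, rate=RATE):
    """One synthetic click: a noise burst with exponential decay."""
    n = rate * CLICK_MS // 1000
    level = PEAK * rng.uniform(0.5, 1.0)  # vary loudness from click to click
    return [int(level * rng.uniform(-1, 1) * math.exp(-6 * i / n)) for i in range(n)]

def decoy_track(n_samples, clicks_per_s=6, rate=RATE, seed=None):
    """Silent track with one click at a random offset inside each time slot.

    Returns (track, start_indices); clicks never cross a slot boundary.
    """
    rng = random.Random(seed)
    slot = rate // clicks_per_s
    click_len = rate * CLICK_MS // 1000
    track, starts = [0] * n_samples, []
    for slot_begin in range(0, n_samples - slot + 1, slot):
        start = slot_begin + rng.randrange(slot - click_len)
        for i, sample in enumerate(decoy_click(rng, rate)):
            track[start + i] = sample
        starts.append(start)
    return track, starts

def mix(signal, decoy):
    """Add the decoy track to the signal, clipping to the 16-bit range."""
    return [max(-32768, min(32767, a + b)) for a, b in zip(signal, decoy)]

def demo(seed=1):
    # Constructed stand-in for 2 s of call audio: a quiet 220 Hz tone.
    signal = [int(800 * math.sin(2 * math.pi * 220 * i / RATE))
              for i in range(2 * RATE)]
    track, starts = decoy_track(len(signal), seed=seed)
    return signal, mix(signal, track), starts

if __name__ == "__main__":
    signal, masked, starts = demo()
    print(f"mixed {len(starts)} decoy clicks into {len(masked)} samples")
    print("click start samples:", starts)
```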