Recovering keystrokes from audio recordings

2010-07-14

in Geek stuff, Internet matters, Security

Those trying to compromise the integrity of computer systems have a large variety of attack options to work with: everything from mathematical approaches to breaking cryptography, to TEMPEST attacks based on unintentional signal radiation, to social engineering methods designed to trick people into granting them access. A recent Economist article highlights a danger likely to be unfamiliar to most, namely how it is possible to convert audio recordings of typing back into text:

Such snooping is possible because each key produces a characteristic click, shaped by its position on the keyboard, the vigour and hand position of the typist, and the type of keyboard used…

That said, the method does have one limitation: in order to apply the language model, at least five minutes of the recorded typing had to be in standard English (though in principle any systematic language or alphabet would work). But once those requirements are met, the program can decode anything from epic prose to randomised, ten-character passwords.

The software being employed seems fairly clever. It augments the audio data with frequency analysis, based on how often individual letters and specific pairs of letters come up in English text. With refinements, it seems plausible that it could be made to work with a smaller sample.

Making a computer system secure against a capable and resourceful attacker is extremely difficult. That said, the basic principles of security continue to hold. For instance, using defence in depth can reduce the severity of any breach – for instance, by keeping critical files encrypted. Also, it must always be remembered that security involves trade-offs. Increasing security against these audio attacks is no different, and it will always be accompanied by some cost, in terms of finances, convenience, or security of a different type.

Report a typo or inaccuracy

{ 2 comments… read them below or add one }

R.K. July 14, 2010 at 9:33 am

There is a perfect countermeasure to this attack – surround yourself with an infinite number of monkeys at an infinite number of typewriters.

No software algorithm could ever isolate your typing from the ambient noise.

Milan July 14, 2010 at 2:25 pm

Of course, that creates new security vulnerabilities. Specifically, a greatly increased risk of being attacked by large numbers of disgruntled monkeys.

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: