Security researchers from three British universities have developed a method to recover passwords from the sound of typing. This ‘acoustic side-channel attack’ can be carried out with hardware and algorithms that are accessible to everyone. The research shows that an acoustic attack correctly recognizes 95 per cent of keystrokes.
Researchers from Durham University, the University of Surrey and Royal Holloway University of London describe this in their research paper (pdf).
‘People don’t act because of ignorance.’
So-called ‘side-channel attacks’ collect and interpret signals that a device emits. It was discovered years ago that wireless keyboards produce detectable and readable electromagnetic signals. The researchers say that wired keyboards also make easily detectable sounds.
“The ubiquity of acoustic sounds from keyboards makes them a readily available attack vector and encourages victims to underestimate their output, not try to hide it. When people type in a password, they regularly hide their screen. Few people bother to hide the sound of their keyboard,” the academics write in their paper. They think this is due to ignorance of the subject.
Attack methods up to 95 per cent accurate
In their research report, the scientists describe two ways to collect acoustic recordings to crack passwords. The first is to record the sound of keystrokes with a mobile phone lying next to a laptop. For the second method, the researchers used the video calling application Zoom to carry out a remote attack.
Both methods prove effective in recovering keystrokes and, thus, passwords. The first method – recording and analyzing keystrokes via a mobile phone – recognizes the keystrokes in 95 per cent of cases. With the second method – via Zoom – the classification accuracy was 93 per cent.
The researchers developed a deep learning algorithm to study and classify keystroke signals. To generate the keystrokes, the scientists used a MacBook. The researchers leave open which smartphone was used for the study, an Android phone or an iPhone.
This makes analyzing keystrokes a lot more difficult
The academics have also mapped out a number of mitigation techniques. Changing the way you type significantly reduces the reliability of the keystroke analysis. The advantage of this method is that you do not have to invest in new hardware or software. Using randomized passwords is a second method the researchers mention to reduce the risk of your password being cracked.
Creating randomly generated keystrokes, playing background sounds, working with touch displays and implementing multi-factor authentication are other methods to make it more difficult for hackers to crack your passwords with acoustic signals.