Feeds

Key clicks betray passwords, typed text

Big audio dynamite

Beginner's guide to SSL certificates

Eavesdroppers armed with a shotgun microphone or a small recording device could make off with a computer user's sensitive documents and data, three university researchers said in a paper released this week.

The researchers, from the University of California at Berkeley, found that a 10-minute recording of a person typing at the keyboard reveals enough information for a computer analysis to recover nearly 90 per cent of the words entered. The recording can be low quality - the researchers used a $10 microphone - and the system does not need previous samples of a user's typing to perform the analysis. Moreover, the technique can frequently guess a person's password in as little as 20 attempts.

"Primarily this is a message to the security community saying we need to change our thinking on authentication," said Doug Tygar, a professor of computer science and information management at UC Berkeley and the principal investigator of the study. "This is not very exotic attack in that the equipment used is dirt cheap and the software is readily available."

The research is the latest study to underscore the potential for attackers to steal information from computers by analyzing machine emanations--the sound, light and magnetic energy given off by a system. Many attacks rely on intercepting and decoding encrypted communications, such as the signals used by the Bluetooth standard or wireless passport technology. However, machine emanations can inadvertently leak the information displayed on a computer screen or reveal details of the system current calculations.

The paper builds on research by two IBM researchers that showed that software trained to recognize different key clicks could identify the right key about 80 percent of the time. The researchers, Dmitri Asonov and Rakesh Agrawal, also found that telephone keys could be recognized by such software, known as a neural network, more than 90 percent of the time.

UC Berkeley's Tygar, along with students Li Zhuang and Feng Zhou, improved the recognition to an accuracy of nearly 96 per cent using a different processing algorithm, a non-neural-network recognition algorithm and the assumption that English words were being typed.

The researchers extracted audio features from the sounds of a user's keystrokes and lumped similar sounding keys into categories. Then, using statistical properties of the English language -for example, 'e', 't' and 'o' occur most frequently and 'j' never follows 'b' - the researchers assigned letters to each category. Assigning the categories automatically resulted in 60 per cent of the letters guessed correctly, but only 20 per cent of the words, the paper stated.

Adding spelling and grammar checking increased the character recognition slightly, but made word recognition dramatically better - more than half of all words were correctly guessed, according to the researchers. By using the previous results to feed back into the algorithm, the accuracy was further improved. Three rounds of feedback resulted in more than 92 percent of characters correctly guessed in a typical scenario, though the software recognized more than 96 per cent of characters in some cases, the paper stated.

The researchers found that at least five minutes of recording time - approximately 1,500 key strokes - were needed to recognize characters with a high degree of accuracy. A five-minute record resulted in better than 80 per cent accuracy, while a ten minute sample increased that accuracy to more than 90 per cent, the paper stated.

While the researchers used spelling and grammar to improve the recognition software's accuracy, the system could frequently recognize the characters that make up non-word passwords. If allowed twenty guesses, the system could recognize 90 per cent of all five-character passwords, 77 per cent of all eight-character passwords and 69 per cent of all ten-character passwords correctly.

The attack resembles Cold War spycraft, said Bruce Schneier, chief technology officer for Counterpane Internet Security and a well-known security expert. The Soviets used to bug the American Embassy and analyzed the sounds of typewriter keys clacking to guess what was being typed, he said.

"Suddenly, everyone can do this," he said. "If I can get access to your workspace, I can get your passwords. With cameras and microphones getting smaller and smaller, it will be harder to keep secrets."

Quieter keyboards are not necessarily a solution, the researcher found. In a test of three keyboards that produce less noise, characters were recognized correctly more than 90 pe rcent of the time.

While a cell phone failed to foil the recognition system, multiple typists in the same room caused recognition rates to lower. Such defenses are fodder for future research, Berkeley's Tygar said.

"Our research goal is not to build better tools for espionage," he said. "The reason to do this work is to highlight a concern, but you can't consider the problem of defense without first understanding the problem of attack."

Copyright © 2005, SecurityFocus

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.