Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Security Risk of Keyboard Clicks

simoniker posted more than 10 years ago | from the tap-tap-oops dept.

Security 361

Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."

cancel ×

361 comments

If this is not the first post... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9138005)

...I will let a blind golfer tee off on my nutsack.

As always, links to pictures will be posted.

Re:If this is not the first post... (1)

ArsenneLupin (766289) | more than 10 years ago | (#9138219)

..I will let a blind golfer tee off on my nutsack.

An interesting way to play golf.

Usually you put one ball on top of the tee, rather than two balls next to the tee!

Great... (5, Funny)

ebob9 (726509) | more than 10 years ago | (#9138006)

Now when I log in to my account at work, instead of just needing password, secureid, smartcard, fingerscan, eyescan, and a note from my mother, I'll also need to use an on-screen touch-screen keyboard!

Of course, someone will probably now figure out that tapped glass reverberates at a different frequency...

Re:Great... (4, Interesting)

orangesquid (79734) | more than 10 years ago | (#9138034)

Nah. Think about it: pressing different spots of your screen is like pressing down a guitar string at different points. You will cause the screen to resonate with a multitude of frequencies with distinct audio "fingerprints" for different points on the screen, which can also be picked up by very sensitive equipment.

Sorry.

Re:Great... (5, Insightful)

kinema (630983) | more than 10 years ago | (#9138072)

Of course you could just have the software randomize the location of the numbers each time.

Re:Great... (4, Funny)

orangesquid (79734) | more than 10 years ago | (#9138093)

True. But you could also read the screen via Tempest-like technology!

It seems that no matter what you do, we'll be screwed anyway. We might as well go to a trust-based system. How about everybody just changes all their passwords to 'secret'?

Re:Great... (5, Funny)

MadBiologist (657155) | more than 10 years ago | (#9138140)

Darn.... now I'm gonna have to change my password.

First somebody gives away the 12345, now secret.

Sheesh.. What's this world coming too?

-J-

Re:Great... (4, Funny)

evil-osm (203438) | more than 10 years ago | (#9138213)

or you can just look for the smudge marks...

Re:Great... (0)

Anonymous Coward | more than 10 years ago | (#9138073)

Fingerprints on the screen?

Re:Great... (4, Interesting)

Aglassis (10161) | more than 10 years ago | (#9138122)

The problem can be solved easy enough with a numeric keypad. Place seven-segment displays under the keys that are randomly orientated, like
7 5 2
4 3 1
0 9 6
8

This solves the problem for ATMs. If you dim the LEDs and polarize the light, you would make it more difficult for a camera to find the password also. Obviously this only applies to a numeric keypad (for ATMs and the like) since it would be a pain in the ass to change the lettering dynamically on a keyboard (at least for the user). The solutions for those using keyboards could be as simple as using a smartcard with a PIN number (which you enter on the randomized 10 digit display). The sooner we get rid of the biggest security risk on computers IMHO (guessable passwords) the better.

Re:Great... (1)

Aglassis (10161) | more than 10 years ago | (#9138191)

Just to be a little more clear:

the display reorientates on each use and is inactive after being used. This prevents a person from guessing that a person pressed '1' because he pressed the upper left key, and it prevents an infrared camera from doing the same based on the heat left on a pressed key.

Re:Great... (0)

Anonymous Coward | more than 10 years ago | (#9138261)

well that would be a bit of a non-brainer on ATM's with touchscreen like some of the ones here (Citibank)... But then I guess the gentle pushing of skin on glass is gonna be pretty hard to sense anyways...

Re:Great... (2, Insightful)

RollingThunder (88952) | more than 10 years ago | (#9138275)

And the blind users tell what the randomized order is... how?

Re:Great... (1)

madman101 (571954) | more than 10 years ago | (#9138192)

Another solution to this would be to use scramble keyboards, where the positions of the letters would change every 5 minutes. God,I hope my boss doesn't read this, he might put it into the budget...

Re:Great... (0)

Anonymous Coward | more than 10 years ago | (#9138196)

And then I suppose you're going to tell me that I can reproduce telephone sounds with a simple child's play toy out of a cerial box.

Do I look THAT gullible? hehe

Re:Great... (2, Funny)

steveb964 (727054) | more than 10 years ago | (#9138239)

...yeah, great!

Now everyone will be able to know that I'm typing slashdot.org in my browser at work!!

Sheesh, if this is true, I may actually have to do something!!

Re:Great... (0)

Anonymous Coward | more than 10 years ago | (#9138290)

Bah, easy to get around. I just use one of those flexible keyboards. There is almost no sound at all. I have been using it for years and love it.

Covering noise (2, Interesting)

tindur (658483) | more than 10 years ago | (#9138017)

Now we just need some covering noise while logging in. Time for a kernel patch?

Re:Covering noise (2, Funny)

madman101 (571954) | more than 10 years ago | (#9138208)

Nah, just a boom box with volume on 11 playing Spinal Tap.

Some people are more gifted than others (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9138019)

You won't believe this, I know, but it's still a fact that I know a guy who - after couple of guesses - knows what you typed on your keyboard just by listening to your keyboard clicks.

It's pretty amazing when he demonstrates that.

Re:Some people are more gifted than others (1)

softwave (145750) | more than 10 years ago | (#9138132)

too bad you posted this as AC...

so far for credibility :)

Re:Some people are more gifted than others (0)

Anonymous Coward | more than 10 years ago | (#9138176)

I know :( ... but it IS true.

However iirc his accuracy was way below 80%, but when typing text, 20% errors don't matter that much. So he couldn't hear complex passwords etc.

But still VERY neat!

Re:Some people are more gifted than others (1)

ylikone (589264) | more than 10 years ago | (#9138177)

Me thinks he is pulling a fast one on you. Look for hidden mirrors and/or accomplices.

low~ (5, Informative)

Leffe (686621) | more than 10 years ago | (#9138020)

The site was really slow, so I copied the article:


OAKLAND -- Listen to this: Eavesdroppers can decipher what is typed by simply listening to the sound of a keystroke, according to a scientist at this week's IEEE Symposium of Security and Privacy in Oakland, Calif.

Each key on computer keyboards, telephones and even ATM machines makes a unique sound as each key is depressed and released, according to a paper entitled "Keyboard Acoustic Emanations" presented Monday by IBM research scientist Dmitri Asonov.

All that is needed is about $200 worth of microphones and sound processing and PC neural networking software.

Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

"This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

Asonov found that by recording the same sound of a keystroke about 30 times and feeding it into a PC runninG standard neural netwOrking softwAre, he could decipher the keys with an 80% accuracy raTe. He was also able to train the SoftwarE on one keyboard to decipher the keystrokes on any other keyboard of the same make and model.

Good sound quality is not required to recognize the acoustic signature or frequency of the key. In fact, Asonov was able to extract the audio captured by a cellular phone and still decipher the signal.

"But don't panic," Asonov cautioned. "There are some easy ways to fix the problem." First, close the door in the room where you're working. Second, buy a rubber keyboard coffee guard that will dampen the sound enough to make eavesdropping difficult.

However, Asonov said that he believed it was possible to use acoustical analysis algorithms to decipher key sounds based simply on gathering the data from just a couple of keys and extrapolating what other keys should sound like.

Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories. For example, he discovered that it was the membrane that was providing the unique signature simply by cutting a keyboard in two and finding that the neural networking software no longer worked.


Yeah, I put a surprise in there too ;)

Re:low~ (0)

Anonymous Coward | more than 10 years ago | (#9138057)

Now why would you want us to visit you personal home page?

Re:low~ (1, Funny)

Anonymous Coward | more than 10 years ago | (#9138091)

More hits == increased ePenis size!

Sounds fishy (no pun intended) (2, Interesting)

hashinclude (192717) | more than 10 years ago | (#9138082)

"This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.



Well, while hitting the keys harder or softer may make little difference (note that the frequency is captured), doing weird tricks like

  • typing at 5 wpm rather than 50
  • mistyping a few keys, and going back and forth to correct the errors
  • using backspace every once in a while
  • ...


Re:Sounds fishy (no pun intended) (2, Insightful)

Zocalo (252965) | more than 10 years ago | (#9138180)

If each keystroke makes a distinctive sound, then I'd think that backspace and the cursor keys etc. would have too, wouldn't you? So if you were to type in "fe[backspace]oo" for example, it could still be interpreted as plain old "foo" once the data is analysed.

It seems to me that the only way to defeat this is to modify or otherwise conceal the noise of te keyboard. But what would be the point of doing that? If someone has been able to plant a microphone sensitive enough to detect subtle differences in your keystrokes without your knowledge, then they could have planted something else to do the job much more efficiently.

Re:Sounds fishy (no pun intended) (1)

krymsin01 (700838) | more than 10 years ago | (#9138316)

Yeah, like a hardware keylogger inside your keyboard.

Re:low~ (1)

Hogwash McFly (678207) | more than 10 years ago | (#9138166)

...ATM machines,...

News just in from the Department Of Redundancy Department - the security risk of keyboard clicks has been one of the biggest scares since the HIV virus. Crooks have been using the technology to scam people typing in their PIN numbers.

"Of course, a whole lot of this is just theory." (4, Funny)

REBloomfield (550182) | more than 10 years ago | (#9138021)

Sounds like bollocks to me. The amount of crumbs under my keys, I'd be mighty impressed if you got anything intelligble.

Re:"Of course, a whole lot of this is just theory. (0)

Anonymous Coward | more than 10 years ago | (#9138081)

Crumbs? Since when does pubic hair look like crumbs? :)

Re:"Of course, a whole lot of this is just theory. (1)

AllUsernamesAreGone (688381) | more than 10 years ago | (#9138245)

Nah, it's make it easier:

Spook 1: "So, we have fragment of ready-salted crisp crunch followed by old muffin.."
Spook 2: "Nah, that was a piece of bagette"
Spook 1: "You think?"
Spook 2: "Yeah, must have been about 3 weeks old"
Spook 1: "eurh, okay, hairy old bagette and then ..." ... some time later...
Spook 1: "...So from that, we can work out that his password is 'password'. Such is the power of sub-key decomposition auditory analysis gentlemen!"

Deja Vu? (1)

imidazole2 (776413) | more than 10 years ago | (#9138024)

I could have sworn we already covered this topic on Slashdot... like a year ago? I cant find the article, am i the only one to remember this?

Re:Deja Vu? (0)

Anonymous Coward | more than 10 years ago | (#9138060)

Probably you heard the clicking keyboard sound of your colleague posting that article...

Re:Deja Vu? (1)

AssFace (118098) | more than 10 years ago | (#9138288)

This has been around even before the movie Sneakers [imdb.com] .

I heard this sound before (2)

tmk (712144) | more than 10 years ago | (#9138025)

... but a firstpost on slashdot sounds differently.

Re:I heard this sound before (1)

Hogwash McFly (678207) | more than 10 years ago | (#9138119)

... but a firstpost on slashdot sounds differently.

Now I see why this technology is only 80 percent effective...

ror (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9138045)

my ex has stretch marks!!

This isn't new. (2, Interesting)

andy666 (666062) | more than 10 years ago | (#9138047)

There was a story a bit back (on Ars?) about how the government has been doing this since the 80's.

Security risks (5, Insightful)

NETHED (258016) | more than 10 years ago | (#9138049)

You know, I don't care.

Its not like I have the secrets to nuclear weapons research, nor do I have tomorrows stock market numbers. I and average Joe 24 Pack.

So you can listen to my keystrokes and decipher what I am typing. I'm sure that if you asked me, I'd tell you anyway. People are far greater a security risk than computers.

And well, if you have such sensative documents, Tempest your computer, unplug it from EVERY network and work.

I agree that these are good academic exercises to see how one person can spy on another, but does it matter to 99% of the world. NO. Anywho, my girlfriend just yelled at me so I needed to vent.

Re:Security risks (0)

Anonymous Coward | more than 10 years ago | (#9138148)

Agreed. Security "researchers" must be hard-pressed to find solutions to real problems if this is the kind of junk at the Oakland symposium. I guess with everyone doing "security" and "privacy" work these days, this is what one would expect.

Re:Security risks (5, Funny)

the_mad_poster (640772) | more than 10 years ago | (#9138195)

Anywho, my girlfriend just yelled at me so I needed to vent.

Huh? Quit making up words!

Re:Security risks (1)

poulbailey (231304) | more than 10 years ago | (#9138301)

> You know, I don't care. Its not like I have the secrets to nuclear weapons research, nor do I
> have tomorrows stock market numbers. I and average Joe 24 Pack.

But you and Joe 24-Pack both have credit cards, right? The story mentions that this could be used to steal your pincode.

I know that the story has a disclaimer at the end, but if whoever does credit card scams could make this work, it seems like it's more than just an academic exercise.

What sort of rubbish is this? (1)

bigchris (54369) | more than 10 years ago | (#9138051)

The LED story only effects modems, and not even high speed equipment, besides which how many people are going to have the equipment to monitor somebodies modem for info? The keyboard clicking story seems dodgy too.

Get it together, slashdot! Talk about paranoia.

Great (1, Funny)

MrRuslan (767128) | more than 10 years ago | (#9138055)

Pretty soon they will find a way to desipher hidded messeges from human and animal farts.

bah (3, Insightful)

awing0 (545366) | more than 10 years ago | (#9138059)

I'm still not going to give up my Model M.

80% accuracy can be useless... or not (4, Interesting)

shoppa (464619) | more than 10 years ago | (#9138061)

80% accuracy is far from perfect. For instance, an OCR application that returned only 80% accuracy would probably be rejected by the vast majority of users, as this means hundreds of errors to be corrected per page.

OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough.

Re:80% accuracy can be useless... or not (2, Interesting)

javatips (66293) | more than 10 years ago | (#9138198)

Even if the password is recorded once, this will reduce the keyspace by 80%. Which is not bad if you want to do a brute force attack.

Also, if the software provide with the estimated value for the accuracy of each keystroke (and which other key stroke may be likely for the produced sound) then you can direct your keyspace search to the most likely key first.

One of the problem I have with this technique is that the guy had to record the sound of each key 30 times before starting to try to recognize keystroke. This is time consuming and requires physical access to the keyboard.

A camera or two well placed in the work environment will probably give you a better recognition rate and would take a lot less time to setup.

Re:80% accuracy can be useless... or not (3, Informative)

ArsenneLupin (766289) | more than 10 years ago | (#9138304)

Even if the password is recorded once, this will reduce the keyspace by 80%.

Actually, it will reduce the key space by much more than that. Assume a 10 char password, with each char picked among 96 (Ascii without ctrl chars).

Without any help, you'd have 96**10 = 66483263599150104576 possibilities to try out.

By having the output from the algorithm, and assuming only two of its guess are false, you'd only have to try 10*9/2*96*96 = 414720 combinations.

Well, of course, you don't know that exactly two characters are wrong. So it may indeed be three, or it may be just one. But, by using a smart algorithm, you'd still have to try out only 414720 passwords on average (first try out exact match, then passwords with 1 wrong char, then with 2, then with 3, etc).

So, it's a much bigger reduction of keyspace than 80%.

Of course, if the program can give you "hints" about which exact character(s) it things might be wrong, the keyspace will be reduced even further.

Re:80% accuracy can be useless... or not (0)

Anonymous Coward | more than 10 years ago | (#9138230)

Your comparison to the OCR program is baseless, an eavesdropper will not care a great deal about minor errors in what is being recieved, the general gist of what is being typed can be picked up.
Having 80% of a password is pretty much enough to guess the whole thing.

Re:80% accuracy can be useless... or not (2, Interesting)

the_mad_poster (640772) | more than 10 years ago | (#9138268)

Not to be a math nazi... but to just squeeze out the minimal qualification of "hundreds" of errors per page, assuming you're speaking at the granularity of single words (since that's the granularity spell checks work at), you'd have to have 1000 words per page. I doubt most professional documents would have that many words per page (and you'd have to do it at an 8 point font to make it happen anyway), so it may be of some use after all, especially where accuracy is less important, or the documents are small. If it had other benefits, they may well override the low accuracy rate.

Re:80% accuracy can be useless... or not (0)

Anonymous Coward | more than 10 years ago | (#9138313)

Well, if a password is all one is looking for, I think 80% accuracy is great!

Re:80% accuracy can be useless... or not (1)

gtog (582100) | more than 10 years ago | (#9138335)

"OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough." Which is not unlikely for most Windows users.

LED clock (3, Funny)

donnyspi (701349) | more than 10 years ago | (#9138066)

I can't even tell what freakin time it is on my LED clock from ThinkGeek, much less deciper keyboard clicks and modem blinks :-)

This is easy to overcome (4, Funny)

JosKarith (757063) | more than 10 years ago | (#9138070)

Al you have to do is install voice-recognition software, then train it to only understand you when you speak in a broad Glaswegian accent.
Thereby ensuring NOBODY's going to be able to decipher a word you're saying.

Re:This is easy to overcome (0)

Anonymous Coward | more than 10 years ago | (#9138324)

The problem with that theory is that not even a computer with voice recognition could understand a Glaswegian accent.

Well, maybe a beowulf cluster of... oh nevermind.
It's hopeless I tell you. HOPELESS!

I doesn't matter (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9138074)

The reality is if someone reallio TRUELIO WANTS!! to get into your account, they WILL succeed.

I think more effort should be put into hindering crackers eforts once they are inside the system rather than having a completly open system with never good enough security.

Safegaurds!

Re:I doesn't matter (0)

Anonymous Coward | more than 10 years ago | (#9138190)

Please sober up before writing comments in the future. Thank you.

ATM sounds (2, Interesting)

monkeyserver.com (311067) | more than 10 years ago | (#9138075)

Maybe I am remembering wrong, but I think old ATMs used to have slightly different tones for the different buttons, which is dumb, but sounds like something some engineer would do without thinking.

This also got me thinking, I used to have an old MAC IIe, when you selected menu items (from that top mac tool bar) different pitches were emitted from the pc, they were quiet and possible actually created from the guns in the tube itself, but this type of thing could be used to figure out what ppl are doing... idontevenknow....

Monitor whine (1)

Gadgetfreak (97865) | more than 10 years ago | (#9138240)

I remember an article a while ago about determining what's displayed onscreen based on the electron guns in the monitor. My ViewSonic, which is relatively new, but on the cheap end, makes a barely audible high pitched whine that varies with the brightness and area of what's displayed. It's not nearly enough for a person to determine what's on the screen, but perhaps some tuned sensors could.

No wonder... (0)

Anonymous Coward | more than 10 years ago | (#9138077)

The guy is from IBM, so he must have been measuring those IBM keyboards that go

CLICK!

on the way down and another

CLACK!

on the way up - you can hear someone typing seven rooms away.

Re:No wonder... (1)

1eyedhive (664431) | more than 10 years ago | (#9138178)

this is the keyboard they call a tank -er- model M.
I have two of them, very noisy, very resiliant, and very heavy.

i'm not sure these board would be vulnerable to what the grandparent suggests, as the model M's keys operate independant of each other (seperate coil springs), granted someone could figure out the frequency of the keys, but that sounds like a lot of work.

A simple solution to this problem:
use a white noise generator, placed under or near the keyboard in question. Hopefully, that'll kick out enough acoustic garbage to scramble the mics.

New Technique for Wireless Keyboard (3, Interesting)

kelseyj (398409) | more than 10 years ago | (#9138079)

This seems like this could be a new method of supporting wireless keyboards. No battery required!

Place clever sig here

Re:New Technique for Wireless Keyboard (1)

Astrorunner (316100) | more than 10 years ago | (#9138134)

actually, thats pretty damn insightful.

More reason than ever... (3, Informative)

Simon Carr (1788) | more than 10 years ago | (#9138086)

To pick up one of these babies [thinkgeek.com] ... C'mon, it's like $400, I need to grab at any justification I can find!

Re:More reason than ever... (1)

appelflapje (655855) | more than 10 years ago | (#9138307)

I have one and it's sweet! :)

The gestures are the real win with this baby.
But you'll make a lot of typo's.

Window navigation is also a blast! Just 'grab' a window and resize/move it with one hand!

Obligatory Heinlien Reference.... (2, Interesting)

Clinoti (696723) | more than 10 years ago | (#9138090)

Sadly I can't quote the exact book nor passage from it, but the story is set with a group of people in a cave at a time of war/experiment.

Anyhow, the coordinator of the group would report the status of the group to the outside via computer. However there was only one computer and she typed on the keyboard by setting her hands under a shelf that masked the users typing. There was no screen. She simply made her notes, requests, etc by typing blindly on that keyboard.

At an old networking facility I worked at we had a similar system in place to enter the server room, there was a keypad set into the wall next to the door and in order to enter your code for entry you had to place your hand inside the little 4X4 box that masked/overlayed the keypad. Add in the background noise from the HVAC systems outside the room and we pretty much had/have a secured system.

Huh (4, Funny)

finkployd (12902) | more than 10 years ago | (#9138101)

Wait, there is a theory that with $200 of equipment, you can get 80% accuracy on this. Is there any reason why this is still just a theory? Can anyone scrap together the $200 to test this theory?

If only science weren't so expensive. Imagine how many other theories we could test if we could somehow get our hands on $500!

Finkployd

will never break my password (4, Funny)

GarbanzoBean (695162) | more than 10 years ago | (#9138120)

I don't type my passwords. I use voice recognition software and just say them. No clicks to overhear baby!!!

Doh

Hmmm (2, Interesting)

SILIZIUMM (241333) | more than 10 years ago | (#9138126)

Can you say "tinfoil hat" ?

Easy way around this (0)

Anonymous Coward | more than 10 years ago | (#9138127)

Cough loudly while typing softly.

Re:Easy way around this (1)

mrtroy (640746) | more than 10 years ago | (#9138151)

Cough loudly while typing softly
Well anyone who has been late for work knows that trick anyways :P

It is done just after the coughing loudly while sitting down quietly.

Yeah ... RIGHT (3, Insightful)

ninewands (105734) | more than 10 years ago | (#9138131)

So, each key on a membrane keyboard makes a unique sound? I HOPE they try to patent this technology ... that is just SO obvious ... but is it practical in application?

Eighty percent accuracy after "voiceprinting" each key thirty times and using neural nets to arrive at an abstract sound signature for each key? Of course, the simple expedient of changing keyboards will defeat that. Or by the other obvious antidote ... background noise! Better be some damned high-value information you're after bucko!

Blinking lights on a modem can be decoded to yield the byte values sent and received? DUH ... also obvious ... that's why they are labelled "TD" and "RD"! Also easily defeated by simple piece of black tape.

Sleep well tonight, your AFDB Brigade is on duty and alert!

Re:Yeah ... RIGHT (2, Insightful)

evanbd (210358) | more than 10 years ago | (#9138326)

So, had this actually occured to you before the article was posted? If so, nicely done -- you're more creative than I am. But for the vast majority of people, this is non-obvious until it's been pointed out. Defeating it probably isn't hard, just like with the modems. However, in areas where security is that important, it still has to be defeated, which requires action. These articles are important simply because they point out security risks that most people would have thought impossible.

Can be done by ear as well (4, Interesting)

shamir_k (222154) | more than 10 years ago | (#9138142)

I had this teacher who also did some network consulting. He told us of a case where he knew somebody was logging on at a client's site using his password, but he couldn't figure out how his password was being hacked. He noticed that whenever he was logging in, a particular secretary used to hang around. He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.

Not really that worrying (1)

barcodez (580516) | more than 10 years ago | (#9138147)

The fact remains with all these things that you have to make your security procautions good enough so that it is more effect get through them than it's worth to do it. For example say I had 20 in my back account, nobody would spend 100 in time or money to get to it. This keyboard tapping proof of concept will not cause everyone to stop using typed passwords. Much like that ability to factorise large primes hasn't stopped people using RSA.

Re:Not really that worrying (1)

barcodez (580516) | more than 10 years ago | (#9138170)

Factorise large numbers on large prime... is what I meant. I wish you could edit posts.

IT professionals: don't ignore this (5, Interesting)

jrm228 (677242) | more than 10 years ago | (#9138149)

It's easy to dismiss this right out, but for people who follow the intelligence industry this isn't new. Spooks can already listen to conversations through windows with lasers that measure vibration, and use filter technology to eliminate relatively constant background noise (e.g. a shower running). Combine that with some keyboard listening technology that's been in development for a long time: (see BBC 2001 reference) [bbc.co.uk] and suddenly IT security becomes a lot more interesting.

As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.

Future - Speech Recognition (3, Funny)

jabex (320163) | more than 10 years ago | (#9138150)

Good thing the whole future of "speech recognition" didn't pan out. Oh those silly Star Trek episodes, everyone can hear when Picard announces his secret password to everyone!

This technology was bound to emerge (5, Interesting)

Handover Slashdot (255651) | more than 10 years ago | (#9138154)

For many years, navy submarines have been able to identify surface ships by the sounds of their props. Not just the type, but the exact ship. Why couldn't this be applied to keyboards, especially if you monitor the particular typist for a while?

Switch Lights (1)

Sinus0idal (546109) | more than 10 years ago | (#9138159)

Would the same modem blinking affect be observed on network switches or routers which have LED indicator lights?

In other news: (4, Funny)

Big Nothing (229456) | more than 10 years ago | (#9138163)

In other news: hackers can connect to the internet by whistling into the phone.

Re:In other news: (1)

Mr_Silver (213637) | more than 10 years ago | (#9138334)

In other news: hackers can connect to the internet by whistling into the phone.

Bah, thats nothing. I uuencode all my attachments by hand.

Sneakers (3, Informative)

ultrasonik (775562) | more than 10 years ago | (#9138169)

This is old news. Ever see the movie Sneakers from 1992?

Re:Sneakers (0)

Anonymous Coward | more than 10 years ago | (#9138258)

Don't look... llisten!

this must be a bong story (0)

Anonymous Coward | more than 10 years ago | (#9138175)


you know , after a few blasts of the bowl with the room thick with smoke someone has said "so dudes, i reckon that its possible to.... "

Military Equipment != Just Theory (1)

Kainaw (676073) | more than 10 years ago | (#9138181)

Of course, a whole lot of this is just theory.

A keyboard bug is not uncommon in the military. I didn't use one because it wasn't part of my job, but I did see one in use at communications/electronics school. It is more than 80% accurate. They also had one that listened to monitor frequencies to recreate what was on a monitor's screen. That was more flaky. The fuzziness was OK for trying to make out plain text, but when windows and such were involved it became an unreadable mess.

Hmm.. (1)

Fullmetal Edward (720590) | more than 10 years ago | (#9138200)

80% accuracy?

So is that like

Howdy sup m8
becoming
HAIL ALLAH! WE BLOW UP OURSELVS TOMORROW!

Whenever the FBI/CIA/the smurfs want some reason to put us in jail?

No worries. (2, Funny)

Chess_the_cat (653159) | more than 10 years ago | (#9138205)

Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

My Model M doesn't have a rubber membrane so I'm not worried. Then again you don't need a microphone to hear me typing on it. My neighbours can hear me typing. If someone were to stick a microphone up to it I'd be interested to know how much of their hearing they'd retain.

yah ... (1)

Errtu76 (776778) | more than 10 years ago | (#9138216)

Despite the fact that these are theories and not proven whatsoever, isn't it a bit obvious if on a weekday morning you enter your office and find microphones pointed at your keyboard? Why not place camera's instead? Or how about a person looking over your shoulder?

Simple workaround for this 'security' issue: turn up the radio.

No big deal! there is keylogger! (1)

earthstar (748263) | more than 10 years ago | (#9138218)

Whaz the big deal?
There has always been keylogger software which are easy to use and give the full text of whatever has been typed on the keyboard....and 1000's of them can be found allover the net!

The only thing may be that they cant be used in ATM's..............but anyway even with those electronic acoustic gadggets , how are they gonna impant it inside the ATM room?Sure some1's gonna find them and remove them.

The Idea isnt great really....

Easy way to defeat this (2, Insightful)

bdigit (132070) | more than 10 years ago | (#9138227)

Type in a bunch of random letters, or even a fake password then hold the backspace key down. That will only make sound once and you can have multiple deletes confusing the listener.

bad musician to the rescue (1)

moviepig.com (745183) | more than 10 years ago | (#9138228)

Most PCs have a speaker, right?

Run a keyboard demon that "accompanies" your every click with randomly chosen acoustics.

This gives me a great idea... (1)

ites (600337) | more than 10 years ago | (#9138249)

A replacement for the expensive, complex, and unreliable bluetooth and infrared protocols used for wireless keyboards...

The AudioWiFi keyboard (or HiFi, maybe): no cables, no batteries, no line of sight. Just a microphone on the PC that listens to your keystrokes and learns what they mean.

With 80% accuracy it wudls br possublr ti typr entirr dicunents witg onlu a feq ertors.

And keep the music down!

Click-click (Beep!) Click-click (Beep!) (1)

dpbsmith (263124) | more than 10 years ago | (#9138278)

Sometimes keyboard noise can be very expressive even without computer analysis. I've occasionally heard something like this from several cubes away:

Click-click (Beep!) Click-click (Beep!) (Long pause) (Mouse click, mouse click). Click-click (Beep!) Click-click (Beep!) (Pause) Click-click (Beep!)

Followed by a primal scream.

Fine with me (1)

MxReb0 (443442) | more than 10 years ago | (#9138295)

If someone cares enough and is smart enough to decipher what I'm typing by sound, they deserve to know. They would however, realize that it was a mistake due to how uninteresting any data they collect from me would be.

model M (1)

Texodore (56174) | more than 10 years ago | (#9138297)

All I know is you don't need a bunch of expensive equipment to pick up sounds from my IBM Model M keyboard.

Fear and Paranoia Abound (5, Insightful)

List of FAILURES (769395) | more than 10 years ago | (#9138319)

The ability to decipher what someone types based on the key clicks is quite interesting, but merely conceptual. Certainly, there are plenty of security holes in any technology. This implies that nothing is secure. However, you cannot sit awake at night worrying that someone wants to spy on your personal data. If you do, the you must have a mental condition. Just take a step back for a few minutes and look at the world around you. Think about your life and the things that have happened to you. Just from your own perspective, how many times have you been burgled? Car(s) stolen? Been questioned or interviewed by the authorities? Had important data intercepted and used against you (I'm not talking about homework assignments in grade school)? Actually had identity theft perpetrated against you regardless of using fairly normal measures against discovery? Actually had a system compromised? I think that most of us can attest to the fact that, in reality, this kind of thing happens less frequently than the fear mongers want you to believe. Of course, it does happen, and when it happens to you, it makes you feel like you're just one of many. But this is not the truth. The real truth is that you must use common sense regarding your personal data. Assuming that someone is standing behind you looking over your shoulder to snag your ATM PIN is a sickness. However, being cautious and trying to obscure your keystrokes is reasonable.

If you need to dispose of something with a credit card or bank account number printed on it, you could reasonably buy a paper shredder. This s warranted. However, I prefer the much simpler "temporal/spatial displacement" approach. It's about the highest level of paranoia I, peronally, indulge in. You simply tear off about two thirds of the printed account number and throw away the original document. It only has a few digits of the account number. Likely, not enough to be of use to a dumpster diver. Then you take the two thirds of the number that you tore off of the original document and tear it in half. Take it to work, or to a store or some other location and only dispose of one half of that remaining two thirds. Finally, after a wait of as long a period of time as you wish, dispose of the last bit at another remote location. (A friend's house, your parent's place, a bar, etc...) Only the most meticulous of identity thieves will bother tracking your actions in that way. If you have that level of snoop on your tail, I think you've got bigger problems than simple identity theft. You're either delusional, or you have really upset someone VERY HIGH UP.

So people, put down the crack pipes and get to realizing that there are VERY few people who care about you or your data. Fight the fear. Pound paranoia into the ground. There is little to be afraid of.

no theoretical background! (1)

G. W. Bush Junior (606245) | more than 10 years ago | (#9138332)

"Of course, a whole lot of this is just theory."

Isn't that the exact opposite of what the article says?

Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...