Clickety-Clack Hack

In recent years, the exponential growth of digital data and the widespread integration of technology into nearly every aspect of modern life have brought about a growing concern regarding the security of this data. This concern stems from various factors, including the increasing frequency and sophistication of cyber attacks, the rise of data breaches targeting both individuals and organizations, and the expanding capabilities of malicious actors seeking to exploit vulnerabilities in digital systems. As society becomes more reliant on digital platforms for communication, commerce, healthcare, and countless other activities, the stakes for protecting sensitive information have never been higher.

One particularly concerning aspect of digital security is the threat posed by side channel attacks. These attacks exploit unintended channels of communication or information leakage in a system, bypassing traditional security measures to access sensitive data. Unlike conventional attacks that target software vulnerabilities or weaknesses in encryption algorithms, side channel attacks focus on exploiting the physical characteristics of a system or its electromagnetic emissions to infer information about the data being processed. Examples of side channels include power consumption, electromagnetic radiation, timing information, and even sound.

In large part due to their ubiquitous use, keyboards have become a popular target of malicious hackers. In particular, these attacks frequently attempt to reconstruct what an individual is typing based on the clickety-clack sounds made by the keyboard (we reported on one such attack recently). Fortunately, many of these exploits work far better under controlled conditions than they can claim to in the real world due to factors like background noise and the unique typing patterns of each person. Unfortunately, a pair of security researchers at Augusta University have found a way to overcome some of these confounding factors.

As with all attacks of this type, the exploit first requires that audio of an individual typing be obtained. This is not as challenging as it might first sound, considering that the sound of keystrokes can be heard in the background of phone or video calls in which an individual might be, for example, typing a password. Noting that the amount of time that passes between pressing different pairs of keys varies, and that individuals tend to type certain key pairs with similar intervals of time in between, the team built and trained a statistical model that can predict the most likely sequence of keystrokes typed by an individual. This model is also given samples of ambient noises, such that they can be ignored when making predictions.

So, how worried should we be about this attack? It does work, but it is still far from perfect. In a trial consisting of 20 participants, in which they were all asked to type a series of common words, the system was found to have achieved an average success rate of 43 percent. This leaves much to be desired, however, it is a bit concerning that these results were obtained under fairly realistic conditions, such as those that might be found in the real world. And as is usually the case, technologies only improve over time. As such, this might not be a big threat today, but tomorrow it may be.

A key assumption of this study is that users maintain a consistent typing pattern. So, it could be possible to avoid revealing private information by pausing for a moment and intentionally doing some slowed down, hunt-and-peck style typing when, for example, entering a password. Moreover, since the system requires audio of typing to work, one could also mute their microphone on calls before typing to stay safe.