Hackers achieve 93% word recovery from keyboard noise

Keyboard clicks are giving up more information than you think, according to university researchers

It turns out your clickety-clacks are giving up far more information than you believe.

This is according to a paper from researchers at Durham University, the University of Surrey, and Royal Holloway University of London, who together found that keyboard noise gives away far more of our secrets than we would believe.

"The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output," the researchers note.

In other words, when you type, each key makes a distinct noise, and when you spread it all out over the course of an email or blog post, your keystrokes make a little song that lets the attackers know all your passwords.

This means that, for many criminals, the tools needed to conduct password theft are readily available and can often be obtained with little technical knowledge.

"Python packages such as PyTorch provide free and near-universal access to the tools required to run these models on most devices," the researchers note.

"With the recent developments in both the performance of (and access to) both microphones and [Deep Learning] models, the feasibility of an acoustic attack on keyboards begins to look likely."

The researchers found that by using the sound-capturing method, an attacker could log keystrokes with a 93 percent efficiency rate.

Here is where we lay out the big fat disclaimer: that figure is based on a situation in which the attacker gets a smartwatch placed in an opportune point and the writers themselves admit "it remains unlikely an attacker could covertly place their smartwatch in a private location such as an office."

Such attacks are unlikely to occur in real life and, let's be honest folks, you are far more likely to get pwned by failing to scan your email attachments than some sort of elaborate acoustic-based APT that requires Bond-level placement of listening devices.

But the research does bring up a good point and suggests an interesting new avenue for attack. Pay attention to your noisy typing; it might just end up being your downfall.