'Whispering keyboards' could be next attack trend

By Niall McKay, Contributing Writer 11 May 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

OAKLAND -- Listen to this: Eavesdroppers can decipher what is typed by simply listening to the sound of a keystroke, according to a scientist at this week's IEEE Symposium of Security and Privacy in Oakland, Calif.

Each key on computer keyboards, telephones and even ATM machines makes a unique sound as each key is depressed and released, according to a paper entitled "Keyboard Acoustic Emanations" presented Monday by IBM research scientist Dmitri Asonov.

All that is needed is about $200 worth of microphones and sound processing and PC neural networking software.

Today's keyboard, telephone keypads, ATM machines and even door locks have a rubber membrane underneath the keys.

"This membrane acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher," said Asonov.

Asonov found that by recording the same sound of a keystroke about 30 times and feeding it into a PC running standard neural networking software, he could decipher the keys with an 80% accuracy rate. He was also able to train the software on one keyboard to decipher the keystrokes on any other keyboard of the same make and model.

Good sound quality is not required to recognize the acoustic signature or frequency of the key. In fact, Asonov was able to extract the audio captured by a cellular phone and still decipher the signal.

"But don't panic," Asonov cautioned. "There are some easy ways to fix the problem." First, close the door in the room where you're working. Second, buy a rubber keyboard coffee guard that will dampen the sound enough to make eavesdropping difficult.

However, Asonov said that he believed it was possible to use acoustical analysis algorithms to decipher key sounds based simply on gathering the data from just a couple of keys and extrapolating what other keys should sound like.

Asonov warned that his work was almost entirely based on the evidence from his experiments and that he has little or no theoretical information to back up his theories. For example, he discovered that it was the membrane that was providing the unique signature simply by cutting a keyboard in two and finding that the neural networking software no longer worked.

Tags: Emerging Information Security Threats,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging Information Security Threats Antispyware buying guide for Indian enterprises ATM malware lets attackers take over machines FTC shutters rogue ISP for hosting malicious content, botnets The failing war against cybercriminals White House cybersecurity czar faces major hurdles Cybercrime and threat management The Pipe Dream of No More Free Bugs Face-off: Who should be in charge of cybersecurity? Federal efforts to secure cyberinfrastrucure Adobe working on patch to correct new zero-day flaw Application Attacks (Buffer Overflows, Cross-Site Scripting) PCI management: The case for Web application firewalls Month of Twitter Bugs project to document Twitter flaws Adobe issues first quarterly patch release fixing 13 flaws Balancing security and performance: Protecting layer 7 on the network Adobe issues Reader update fixing zero-day flaw The Pipe Dream of No More Free Bugs Security Squad: Federal cybersecurity defenses Oracle issues 43 updates, fixes serious database flaws Attackers target new Microsoft PowerPoint zero-day flaw How to detect input validation errors and vulnerabilities Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary