The unique sounds a keyboard makes as different keys are hit can now be transformed into a reasonable transcription of what was typed, using a new technique developed by computer scientists.
Nefarious hackers could use the technique to eavesdrop on passwords, personal emails and confidential company reports, using nothing but a recording taken with a hidden microphone.
鈥淭his is spying,鈥 says Bruce Schneier, a security expert and cryptographer based in Mountain View, California, US. 鈥淚t鈥檚 definitely a security risk.鈥
Advertisement
Although which key makes which sound is unknown and will vary depending on the keyboard and the person, machine learning and the structure of the English language is used to work it out.
The new eavesdropping method is in contrast to one developed by researchers at IBM, who in 2004 used the unique vibrations produced by each key, along with a copy of what the person was typing, to assign a letter to each sound and then to transcribe new typed sounds.
Totally forbidden
鈥淭he main contribution of our paper is that we do this blind and with no training info,鈥 says Doug Tygar, the computer scientist at the University of California, Berkeley, US, who devised the new technique with colleagues Li Zhuang and Feng Zhou. He claims that system needs only 10 minutes鈥 worth of typing recorded using off-the-shelf audio recorders and microphones.
Each key hits a different part of the keyboard鈥檚 plastic under-plate, resulting in a slightly different sound. The algorithm separates the keystrokes and divides them into 50 classes depending on similarities in frequency and amplitude.
The next step is to it map these classes to the different keys, using the probability of two letters being next to each other in a word. This is done using a knowledge of which pairs of characters, known as 鈥渄igrams鈥 are common, less common and totally forbidden. 鈥淭h鈥 and 鈥渆r鈥 are common, 鈥渜u鈥 is less common and 鈥渂f鈥 is totally forbidden. This technique alone maps 60% of the keystrokes correctly, the researchers claim.
鈥淨uite readable鈥
But Tygar鈥檚 team also applies spelling rules, which correct words from the transcription that do not make sense, such as 鈥渢re鈥, and grammar, which cuts out unlikely combinations such as 鈥渢he a鈥. Word options that have fewer than one-quarter of the characters corrected are then kept and the rest discarded, and the digram algorithm is reapplied.
The process is repeated and the result is a mapping with 92% of the characters correct. These can then be used to transcribe further recordings. 鈥淚t鈥檚 quite readable,鈥 writes Edward Felten, a computer scientist at Princeton University in New Jersey, in his blog.
In an experiment, Tygar鈥檚 team found that even random assortments of characters, such as passwords, could also be estimated using the software. Provided they were buried in a lot of good English, they found that about one in 20 times the software would get the password completely right, arriving at good approximations the rest of the time.
Although this does not sound very accurate, it is trivial for a hacker to try 20 different possible passwords. But Schneier points out that this is unnecessary: 鈥淚f I can read everything you type, I don鈥檛 care about your password.鈥
There are limitations as to what the software can transcribe as it currently recognises only lower case letters and the 鈥渟pace鈥, 鈥渇ull stop鈥, 鈥渃omma鈥 and 鈥渆nter鈥 keys. Tygar believes the algorithm could be tweaked to recognise the delete key because people use it in a very distinctive way, often hitting up to 10 times in a row.
But numbers are harder as there are no forbidden combinations. It could be done, he says, perhaps using other techniques such as a knowledge of the spatial location of the numbers on the keyboard and relating that to the level of similarity in the sounds.
Parked car
The algorithm was also trained with a cellphone ringing in the background, and was still successful. But a second typist in the room might pose a problem, says Tygar, who envisions a hacker parking a car outside an open window, and leaving a long-range microphone trained on the target, to record key strokes.
The algorithm has been programmed in English, but most other languages should be possible as they contain similar digrams and spelling and grammar rules, Tygar says. 鈥淲e have not tried experiments in other languages, but we don鈥檛 see any barrier at all,鈥 he adds.
The paper will be presented at the Conference on Computer and Communications Security in Alexandria, Virginia in November 2005.