Hackers Can Guess Your Password By Hearing You Type


A new study warns that hackers can use artificial intelligence to guess your passwords simply by listening to the sound of your typing during a video call. Researchers say that the popularity of video conferencing tools has increased the risk of sound-based cyber-attacks, since most devices have built-in microphones.

In the study, the researchers from the University of Surrey, Durham University, and Royal Holloway, University of London, explain how they used machine learning algorithms to create a system that can identify which keys are being pressed on a laptop keyboard with more than 90 percent accuracy, based on sound recordings.

According to Interesting Engineering, the researchers pressed each of the keys on a MacBook Pro (including all of the letters and numbers) 25 times in a row, using different fingers and with varying pressure. The sounds were recorded both through a Zoom call and on a smartphone placed near the keyboard. The recordings were then used to train a machine learning system to recognize the acoustic signals of each key.

The researchers tested the system on the remaining data and found that it could accurately assign the correct key to a sound 95% of the time on a recording made on a phone, and 93% of the time when it was made over a Zoom call. This is not the first study showing that sound can identify keystrokes, but it appears to use the most advanced methods and to have the highest accuracy.

Dr. Ehsan Toreini, co-author of the study at the University of Surrey, said that this type of attack will only become more accurate and widespread over time. He added that since there are more and more household devices with built-in microphones, there need to be public discussions on the regulation of AI.

The researchers say their work highlights the need for public awareness regarding the governance of AI since they claim such acoustic “side-channel attacks” could threaten any keyboard.

To defend against such attacks, the researchers suggest using biometric passwords or two-step verification systems, or alternatively using the shift key to create a mixture of upper and lower cases or numbers and symbols, since the algorithm has a hard time recognizing when the shift key is held or released.

The study was published in the IEEE European Symposium on Security and Privacy Workshops.