Malware Can Hear Your Keyboard Strokes and Reveal Your Password

This post is also available in: עברית (Hebrew)

Research reveals that keystroke sounds can be exploited by malicious actors to reveal sensitive user data, like the text that users are typing into a password box, personal information, credit card details, and more.

According to Cybernews, an “acoustic side-channel attack” on keyboards can evade security measures on devices that use keyboards as their main data entry system. Such side-channel attacks get hold of sensitive data by observing system patterns like timing information, power consumption, or even the sounds made while typing on a keyboard.

However, while previously performed research only managed to successfully decipher keyboard acoustics in controlled environments, a team of scientists from Augusta University managed to decipher and “read” the sounds in a realistic environment.

The paper published by the team reads: “To test our method, we collected the ambient noise and typed text of 20 people based on an IRB-approved approach and obtained approximately a 43% success rate through our experiments.”

The scientists and researchers claim that they’ve achieved these results without any restrictions that limit the participants or the analysis, which means that test subjects were allowed to use any keyboard or typing pattern. While the users typed on their preferred keyboards at their preferred typing patterns, environmental noises were permitted to interfere, while the researchers used low-quality recording devices.

They explain that in order to carry out a successful attack, threat actors would need to collect a data sample of keystroke sound emissions and train a statistical model. The malicious elements can then begin their attack once the model manages to associate keystroke sounds with specific letters. The collection of such acoustic keyboard emissions or typing sounds could be done using a hidden microphone, on-device malware, browser extensions, and many other means leveraging devices‘ built-in microphones without the user’s knowledge.