Imagine you are typing your password on your laptop, while having a video call with your friend on your smartphone. You think you are safe, because no one can see what you are typing. But what if someone can hear it?
That’s the scary scenario that researchers from the University of Cambridge and Linköping University in Sweden have revealed in a new study. They have developed an artificial intelligence (AI) tool that can steal your passwords by listening to the sounds of your keystrokes.
The tool, called KeyExtract, is a deep learning system that can analyze the acoustic signals captured by a smartphone’s microphone and infer what keys are being pressed on a nearby keyboard. The system can recognize different keyboard layouts and languages, and can even handle noisy environments.
The researchers tested KeyExtract on various password datasets and found that it could guess 31% of passwords within 10 attempts, and 45% of passwords within 20 attempts. This is much higher than the 1% success rate of random guessing.
To demonstrate the effectiveness of KeyExtract, the researchers conducted an experiment where they recorded the sounds of typing on a laptop while having a Zoom call on a smartphone. They found that KeyExtract could guess passwords with up to 93% accuracy using the Zoom audio, and up to 95% accuracy using the smartphone audio.
The researchers warn that this technique poses a serious threat to the security and privacy of users, especially if they use weak or common passwords. They say that passwords containing full words may be at greater risk of attack, because they have more distinctive sound patterns.
They suggest that users avoid typing sensitive information in public places, use strong and unique passwords, and enable two-factor authentication whenever possible. They also recommend that smartphone manufacturers implement countermeasures such as noise cancellation or random sound injection to prevent this kind of attack.
The study, titled “: Inferring Keystrokes from Acoustic Signals with Deep Learning”, was presented at the USENIX Security Symposium in August 2023.
You can read the full paper here: https://www.usenix.org/conference/usenixsecurity23/presentation/chen-yingqi