Two researchers from Augusta University in Georgia, US, have demonstrated a new way to steal people’s passwords that would put even James Bond to shame.
Last week, researchers Alireza Taheritajar and Reza Rahaeimehr published an article titled “Acoustic Side Channel Attack on Keyboards Based on Typing Patterns,” which is as weird as it sounds.
According to the research, there is a way to deduce a person’s password (or any other word typed into a computer) by simply listening to the type.
Is it attainable?
The method is not as accurate as some other side channel attacks, as the researchers suggested that the accuracy of this attack is around 43%. To accomplish this, the attackers only need a relatively small sample of the victim’s typing (apparently only a few seconds), but more than one recording.
In addition, they would need an English dictionary. An extenuating circumstance here is that the recording does not have to be particularly “clean”. It can have significant background noise, or come from multiple different keyboards, and still work.
In theory, a threat actor could place a smartphone, or similar device with a microphone, in relative proximity to the victim and record the typing. From that recording, they would be able to identify certain patterns, which could then be used to determine potential words. The English dictionary would help predict which words would make the most sense in the context of the sentence.
While it sounds ominous, there are quite a few moving parts that need to be perfectly aligned before the attack can be executed.
First, the attacker must either be very close to the victim, have a recording device nearby (a smart speaker would apparently suffice), or have installed malware capable of using the computer’s microphone. Then the attacker must enter his password, as well as a number of other words.
They can’t be a professional typist, or type fast in general, because that will confuse the predictions. The attackers can then analyze the recordings and still only have a 43% chance of success.