this post was submitted on 02 Dec 2023
436 points (95.8% liked)

Technology

60079 readers
3381 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

Researchers in the UK claim to have translated the sound of laptop keystrokes into their corresponding letters with 95 percent accuracy in some cases.

That 95 percent figure was achieved with nothing but a nearby iPhone. Remote methods are just as dangerous: over Zoom, the accuracy of recorded keystrokes only dropped to 93 percent, while Skype calls were still 91.7 percent accurate.

In other words, this is a side channel attack with considerable accuracy, minimal technical requirements, and a ubiquitous data exfiltration point: Microphones, which are everywhere from our laptops, to our wrists, to the very rooms we work in.

top 50 comments
sorted by: hot top controversial new old
[–] Waldowal@lemmy.world 101 points 1 year ago (4 children)

New policy from the corporate office: If you are working in a public place, like a coffee shop, please scream while typing your login password.

[–] sanimalp@lemmy.world 47 points 1 year ago

I screamed my password and now I got hacked. Thanks for nothing!

[–] tourist@lemmy.world 10 points 1 year ago

use the onscreen keyboard

much more secure

why won't my bank stop calling me

load more comments (2 replies)
[–] topinambour_rex@lemmy.world 91 points 1 year ago (2 children)

Use a speech to text and they won't be able to hear your keyboard strokes. I know, I'm a genius.

[–] popekingjoe@lemmy.world 27 points 1 year ago (1 children)

Who are you, who are so wise in the ways of science?

[–] kpw@kbin.social 16 points 1 year ago (2 children)
load more comments (2 replies)
load more comments (1 replies)
[–] Cronch@lemmy.world 90 points 1 year ago (2 children)

Quite scary considering the accuracy and how many open mics everyone is surrounded by without even realizing it. Not to mention if any content creator types their password while live streaming or recording they could get their accounts stolen.

[–] vareriu@lemmy.world 47 points 1 year ago (7 children)

One more reason to switch to a password manager, even though they could still find out the master password…

[–] qwertyqwertyqwerty@lemmy.one 30 points 1 year ago (1 children)

Probably still have some safety if you're using two-factor, or have a master key in addition to a password (e.g. 1Password).

[–] mosiacmango@lemm.ee 13 points 1 year ago* (last edited 1 year ago) (1 children)

Or use a local password safe like keepass.

load more comments (1 replies)
load more comments (6 replies)
[–] azertyfun@sh.itjust.works 15 points 1 year ago* (last edited 1 year ago)

This has been a known attack vector for years, and I wonder how no livestreamer has been (publicly) attacked in this way.

I guess in large part this can be attributed to 2FA, passwords just aren't worth much by themselves anymore (well I guess if someone is quick enough they can snipe the OTP as well, but streamers are rarely entering their 2FA while streaming since they're on a trusted device).

In fact the biggest attack vector I'd worry about is the infamous SMS 2FA, which is actually 1FA for password resets, which is actually 0FA "yes dear phone operator I am indeed Mister Beast please move my phone number to this new SIM".

[–] ultra@feddit.ro 83 points 1 year ago* (last edited 1 year ago) (1 children)
[–] paraphrand@lemmy.world 60 points 1 year ago (4 children)

Neat, so when my friends are taking about satisfyingly clackety keyboards I can inform them it’s a security hazard.

[–] AmberPrince@kbin.social 38 points 1 year ago

I'll accept the risk. I need the clicky

[–] ryannathans@aussie.zone 12 points 1 year ago (9 children)

Good luck, I have a non standard key layout

load more comments (9 replies)
load more comments (2 replies)
[–] lolcatnip@reddthat.com 42 points 1 year ago (2 children)

This is why I always make sure there are no boffins around before I start typing.

[–] killeronthecorner@lemmy.world 13 points 1 year ago* (last edited 1 year ago)

If there are boffins around, I start typing out the GDPR guidelines in full

load more comments (1 replies)
[–] laurelraven@lemmy.blahaj.zone 42 points 1 year ago (3 children)

Not to be a jerk, but is this actually new? I've heard of this being done at least ten years ago...

On another note, one way to beat this (to a degree) would be to use an alternate keyboard like Dvorak (though you could probably code it to be able to detect that based on what's being typed)

[–] barsoap@lemm.ee 23 points 1 year ago (5 children)

I think it's largely been a state actor thing. Directional microphone to record your window from across the street, spend significant tax money on crunching numbers on a supercomputer to get at your password kind of thing, I think they already could do it in the 90s. Real-time 95% accuracy on a non-specialised device is a quite different ballpark: Now every skiddie can do it.

load more comments (5 replies)
[–] misophist@lemmy.world 19 points 1 year ago (2 children)

Coding for alternate key mappings is almost as trivial as detecting other languages.

load more comments (2 replies)
[–] frezik@midwest.social 14 points 1 year ago (2 children)

There has been previous work on this, yes. It required a dictionary of suggested words. That would make it useful for snooping most typing, but not for randomly generated passwords. This new technique doesn't seem to have that limitation.

load more comments (2 replies)
[–] NAXLAB@lemmy.world 40 points 1 year ago (1 children)

I think I might have achieved security through obscurity. My custom keyboard is a unique shape and almost all the keys are one unit. Not only is it different enough from a traditional keyboard that the neural network probably won't understand it, the function layers I use obscure whether I'm typing a letter at all.

[–] Outsider9042@lemmy.world 35 points 1 year ago (5 children)
[–] Mr_Blott@lemmy.world 21 points 1 year ago (2 children)

Does that come with free fingerless gloves?

[–] Outsider9042@lemmy.world 15 points 1 year ago (4 children)

No, but it comes with your choice of flavoured frozen yoghurt.

load more comments (4 replies)
load more comments (1 replies)
load more comments (4 replies)
[–] kent_eh@lemmy.ca 29 points 1 year ago

I guess my typos are now a security feature!

[–] stoy@lemmy.zip 25 points 1 year ago (3 children)

I wonder if you need to train it on a specific keyboard before it will work it.

[–] Lemminary@lemmy.world 12 points 1 year ago (1 children)
[–] stoy@lemmy.zip 11 points 1 year ago (1 children)

That would limit the practicallity quite a lot, as deskmats and typing style would change the sound of even a common keyboard.

I also notice that I slightly change my typing style between typing normally and entering my password.

load more comments (1 replies)
load more comments (2 replies)
[–] mski@lemmy.ca 24 points 1 year ago (1 children)

I'd be curious how well this approach translates to multi-lingual keyboard layouts. For english users, perhaps theres another benefit to non-QWERTY layouts (e.g. Colemak or Dvorak) after all? ... and two factor authentication should remain helpful I presume. Especially physical key methods with no audible characters typed (e.g. Yubikey, Titan, etc.)

I was thinking the same, but it would be trivial for software to realize that “fnj xlg” maps to “the dog” with Colemak or Dvorak.

[–] FrankTheHealer@lemmy.world 19 points 1 year ago (11 children)

Can we normalise good but quiet keyboards. Like, I like the tactile feel of using a mechanical, but I hate the sound. Quieter mechanical keyboards aren't a thing but they should be. Now as a security measure if nothing else.

Also Dvorak keyboards I guess

[–] Pinecone@lemmy.world 21 points 1 year ago (2 children)

There are tons of quiet mechanical keyboards. I'm using a low profile optical switch that's quieter than my mouse clicks

load more comments (2 replies)
[–] VelociCatTurd@lemmy.world 15 points 1 year ago (1 children)

There are definitely quiet tactile switches. The reason why they can still make sound is because they’re bottoming out which you don’t have to do.

load more comments (1 replies)
[–] NAXLAB@lemmy.world 11 points 1 year ago* (last edited 1 year ago)

Dvorak is a cypher of Qwerty tho. Anything typed in Dvorak but transcribed as english can be reliably identified and decyphered

load more comments (8 replies)
[–] netchami@sh.itjust.works 16 points 1 year ago (1 children)

Some laptops like the Framework laptop have fingerprint sensors

Physical Security keys like NitroKeys or YubiKeys are another option

[–] Bipta@kbin.social 9 points 1 year ago (1 children)

I don't see the relevance.

[–] netchami@sh.itjust.works 16 points 1 year ago (3 children)

You can use fingerprint or U2F to unlock your password manager and copy the password. That way you don't have to type it in.

load more comments (3 replies)
[–] BearOfaTime@lemm.ee 13 points 1 year ago* (last edited 1 year ago) (1 children)

I never learned to touch-type, so my typing style is very different from most people though I can type fast enough for work.

My typing style only uses 3 fingers, and both hands type keys in the middle of the keyboard.

I wonder if this has any effect on accuracy?

Edit: Article states touch-typing can reduce accuracy. Wonder if that's because they type more softly than us tech gorillas who tend to bash on the keys?

[–] overlordror@lemmy.world 9 points 1 year ago (3 children)

I'm a touch typist who can reach 160wpm when I'm really flowing, I would guess the speed makes accuracy harder to distinguish individual keys than you pressing keys with three fingers.

[–] Dave@lemmy.nz 9 points 1 year ago (3 children)

I type an awful lot slower than you, and still it's faster than I can think. How do you think of what to type fast enough to type at 160wpm?

[–] flipht@kbin.social 11 points 1 year ago

Not the original person you responded to, but I type 120ish wpm. The trick is to try to tap into the same part of your brain that verbalizes words when you talk, rather than the part that composes stuff when you write.

load more comments (2 replies)
load more comments (2 replies)
[–] Render@sh.itjust.works 11 points 1 year ago

I wonder if different switches, keycap profiles, keyboard material ect affect the accuracy?

[–] atrielienz@lemmy.world 10 points 1 year ago

How good does this work if there's other noise pollution? Like music playing etc?

load more comments
view more: next ›