The sound your keystrokes make is enough for AI to steal them — how to stay safe


Jun 14, 2023


New acoustic attack steals passwords right from your keyboard

If malicious apps and other cyberthreats weren’t enough to worry about, a team of researchers has now developed a new attack technique that can steal passwords and other data from your keyboard just by listening to your keystrokes.

As reported by BleepingComputer, researchers from several British universities have trained a deep learning model capable of stealing data from keyboard keystrokes recorded with a microphone.

Surprisingly, this new acoustic attack can already do this with an accuracy of 95% when using a microphone placed next to a keyboard or with 93% accuracy when keystrokes are recorded over Zoom or other video conferencing software.

Besides your passwords, this attack can also be used to steal messages or any other sensitive information typed on a victim’s keyboard.

For this attack to work, an attacker first needs to record keystrokes from a target’s keyboard either using a nearby microphone or through a smartphone that has been infected with malware. At the same time, keystrokes can also be recorded through Zoom calls or other video chat apps.

In order to train the deep learning model to recognize keystrokes by sound, the researchers behind this project gathered data by pressing 36 keys on a MacBook Pro 25 times each and recording the sounds produced by each keypress using an iPhone 13 mini placed 6.5 inches away from the laptop.

From here, the researchers produced waveforms and spectrograms from these recordings to help visualize the differences in sound between each key that was pressed. The spectrogram images produced from this were then used to train the image classifier ‘CoAtNet’.

When it came to deciphering keystrokes by the sounds they made, CoAtNet did so with 95% accuracy using a smartphone to record them, 93% accuracy over Zoom and a lower but still very usable 91.7% accuracy over Skype.

According to the paper (PDF) published by the researchers, using a different typing style or randomized passwords can help protect you from acoustic side-channel attacks. However, they also suggested having white noise or even software-based keystroke audio filters playing in the background while typing on your keyboard.
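The white-noise mitigation can be checked numerically. The following is an added example, not code from the researchers or from the original article: it builds constructed decaying tones as stand-ins for two keys, computes one spectrogram column for each, and measures how much more alike two presses of the same key look than presses of different keys as masking noise grows. The sample rate, tone frequencies and noise levels are assumptions chosen for illustration.

```python
import math
import random

RATE = 8000   # sample rate in Hz (constructed value)
N = 256       # samples per synthetic keypress frame

def keypress(freq_hz, noise_rms, rng):
    """Constructed stand-in for one keypress: decaying tone plus white masking noise."""
    return [math.exp(-n / 60.0) * math.sin(2 * math.pi * freq_hz * n / RATE)
            + (rng.gauss(0.0, noise_rms) if noise_rms else 0.0)
            for n in range(N)]

def spectrum(frame):
    """Magnitude spectrum of a Hann-windowed frame, i.e. one spectrogram column."""
    win = [x * 0.5 * (1 - math.cos(2 * math.pi * n / (N - 1)))
           for n, x in enumerate(frame)]
    mags = []
    for k in range(N // 2):
        re = sum(x * math.cos(2 * math.pi * k * n / N) for n, x in enumerate(win))
        im = sum(x * math.sin(2 * math.pi * k * n / N) for n, x in enumerate(win))
        mags.append(math.hypot(re, im))
    return mags

def cosine(a, b):
    """Cosine similarity between two magnitude spectra."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def separability(noise_rms, trials=4, seed=1):
    """Mean of (same-key similarity - different-key similarity).

    Near 1: the two keys are easy to tell apart. Near 0: they look alike.
    """
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        a1 = spectrum(keypress(700, noise_rms, rng))   # key A, first press
        a2 = spectrum(keypress(700, noise_rms, rng))   # key A, second press
        b = spectrum(keypress(1100, noise_rms, rng))   # key B
        total += cosine(a1, a2) - cosine(a1, b)
    return total / trials

def sweep(levels=(0.0, 0.05, 0.5, 5.0)):
    """Separability margin at each masking-noise level (RMS, tone peak is about 1)."""
    return {lvl: round(separability(lvl), 3) for lvl in levels}

if __name__ == "__main__":
    for lvl, margin in sweep().items():
        print(f"noise rms {lvl:>4}: separability {margin}")
```

The margin only collapses once the noise is loud relative to the keypress itself, which is why quiet background noise is a weaker defence than muting the microphone while typing.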

It doesn’t matter whether you’re using one of the best mechanical keyboards or even a cheaper membrane keyboard, as the deep learning model is still able to steal data based on your keystrokes. Using a silent keyboard or adding sound dampeners to your mechanical keyboard won’t help either.

If you’re worried about hackers or other third parties stealing your passwords from the sound your keystrokes make, you may want to consider using one of the best password managers to store and autofill your passwords. However, even then an acoustic attack could be used to figure out your master password, which puts all of your other passwords at risk.

In a statement sent over to Tom's Guide, a Zoom spokesperson provided further insight on how users of its video conferencing software can protect themselves from acoustic attacks, saying: “Zoom takes the privacy and security of our users seriously. In addition to the mitigation techniques suggested by the researchers, Zoom users can also configure our background noise suppression feature to a higher setting, mute their microphone by default when joining a meeting, and mute their microphone when typing during a meeting to help keep their information more secure.”

Now that we’ve seen researchers use AI to develop new acoustic attacks, hackers will likely follow suit. Fortunately though, Microsoft, Apple and other computer makers are aware of these kinds of attacks and will no doubt work to add mitigations against them to their respective operating systems and devices.


Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.
