
Microphones can record keystrokes


Microphones placed near keyboards can record keystrokes ("Keyboard Acoustic Emanations Revisited"). Doug and colleagues have a new paper that talks about how their new algorithm package can record keystrokes... without knowing anything about the person, keyboard or their typing style... and the microphone doesn't seem to need to be in the same room.

(I can't seem to leave comments on blogger blogs anymore due to their new CAPTCHA system... so the below would have ideally been a comment. Full disclosure: I haven't read the paper yet, but I will.)


My first thoughts are about how we could foil such a scheme. Could I record a bunch of people typing expletives on different keyboards and play it while I type to confuse these algorithms? (that is, could it distinguish between real and played-back recordings... can it distinguish multiple typers?) Another idea: Could I use a keyboard where the alphanumeric keys randomly changed over some timescale? (Granted, this would be a major pain in the ass if the timescale was too short.)

As I work in electronic voting, I wonder if this could be applied to touchscreens... that is, could I place a WiFi-enabled microphone in a voting booth and be able to tell how someone voted via recording the sounds of the selections on the touchscreen? (This would also be valid for ATMs although those are typically more noisy environments.)

I also wonder if a production version of this system could be used to help usability of systems... for example, a computer could say, "I realize you've just typed in the password to your account three times and that you've typed the correct keys corresponding to the password, however it still does not seem to authenticate. Might you have the caps-lock on?" How could we assure users that helpful systems like this aren't doing other, more nefarious things?

Finally, with many computers coming from the factory with microphones on-board, how long will it be before crackers can exploit this to log keystrokes... or simply someone on the other end of a conference call or Skype conversation?

Yikes. Fascinating.

UPDATE [2005-09-13 13:11:48]: This story hit Ed Felten's blog, then Bruce Schneier's blog and now is on Slashdot; I'm seeing mucho traffic from them. Two quick updates:

  • I've now read the paper and most of my ruminations above still stand. This is not easy to defeat but not as easy of an attack as I initially thought.

  • I can now leave comments on blogger blogs... seems that I had Firefox configured to reject cookies from blogger.com and to allow them from www.blogger.com. Here's a +1 for better cookie management in Firefox!