Researchers at the University of California, Berkeley, have discovered that by making highly accurate audio recordings of keyboard strokes they were able to reconstruct e-mail messages, retrieve data entered into a report, and recreate passwords typed into a secure Web site, essentially overhearing Internet conversations.
Researchers Doug Tygar, Li Zhuang, and Feng Zhou of Berkeley, among others, took several 10-minute sound recordings of people typing at a keyboard. They then used a computer algorithm to analyze the sounds, isolate the keystrokes from one another, and categorize the letters into words based on statistical probability.
“Using statistical learning theory, the computer can categorize the sounds of each key as it’s struck and develop a good first guess with an accuracy of 60% for characters and 20% for words,” says Zhuang. “We then use spelling and grammar checks to refine the results, which increased the character accuracy to 70% and the word accuracy to 50%.”
The recording is then played back repeatedly, allowing the program to learn and increase its accuracy rate. The algorithm in the Berkeley study can adapt to a variety of typing styles and was able to accurately detect particular patterns against some background noise. “Background noise definitely made it harder to recover accurate text, but the differences became smaller after several rounds of feedback,” says Tygar. “Given enough tries, the computer algorithm will eventually come up with a pretty good estimate of what was typed.”
According to the researchers, once the system is trained, recovery of typed data becomes an elementary process, even in situations where the data was not in English, such as in the case of a code or password. After 20 learning cycles, the algorithm was able to accurately retrieve 69% of several 10-character passwords, 77% of eight-character passwords, and 90% of five-character passwords. The researchers were able to make the recordings using readily available over-the-counter equipment. “We didn’t need high-quality audio to accomplish this,” says Zhou. “We just used a $10 microphone that can be easily purchased in almost any computer supply store.”
Though the researchers did not use the shift, control, backspace, or caps lock keys in their experiments, they believe they may eventually be able to account for those keys as well.
The research raises serious concerns about the security of typed messages, especially given the number of secure transactions that now take place over the Internet. “The message from this study is that there is no easy escape from this acoustic snooping,” says Tygar. “The type of keyboard you use doesn’t matter, your typing proficiency doesn’t matter, and the background noise can be overcome.”
-Patrick Tucker
Source: University of California, Berkeley, Media News Center, 101 Sproul Hall, Berkeley, California 94720. Telephone 510-643-7741. Web site http://www.berkeley.edu/news.
Originally published in THE FUTURIST, January-February 2006