New acoustic attack steals data from keystrokes with 95% accuracy::A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%.

  • Coreidan@lemmy.worldEnglish
    12910·
    2 years ago

    I’ll believe it when it actually happens. Until then you can’t convince me that an algorithm can tell what letter was typed from hearing the action through a microphone.

    This sounds like absolute bullshit to me.

    The part that gets me is that the ONLY reason this works is because they first have to use a keylogger to capture the keystrokes of the target, then use that as an input to train the algorithm. If you switch out the target with someone else it no longer works.

    This process starts with using a keylogger. The fuck you need “ai” for if you have a keylogger?!? Lol.

    • Obsession@lemmy.worldEnglish
      39·
      2 years ago

      That’s pretty much what the article says. The model needs to be trained on the target keyboard first, so you won’t just have people hacking you through a random zoom call

    • LouNeko@lemmy.worldEnglish
      151·
      2 years ago

      I think you might have misunderstood the article. In one case they used the sound input from a Zoom meeting and as a reference they used the chat messenges from set zoom meetings. No keyloggers required.

      I haven’t read the paper yet, but the article doesn’t go into detail about possible flaws. Like, how would the software differentiate between double assigned symbols on the numpad and the main rows? Does it use spell check to predict words that are not 100% conclusive? What about external keyboards? What if the distance to the microphone changes? What about backspace? People make a lot of mistakes while typing. How would the program determine if something was deleted if it doesn’t show up in the text? Etc.

      I have no doubt that under lab conditions a recognition rate of 93% is realistic, but I doubt that this is applicable in the real world. Noboby sits in a video conference quietly typing away at their keyboard. A single uttered word can throw of your whole training data. Most importantly, all video or audio call apps or programs have an activation threshold for the microphone enabled by default to save on bandwith. Typing is mostly below that threshold. Any other means of collecting the data will require you to have access to the device to a point where installing a keylogger is easier.

      • imaradio@lemmy.caEnglish
        7·
        2 years ago

        It sounds like it would have to be a very targeted attack. Like if the CIA is after you this might be a concern.

            • LouNeko@lemmy.worldEnglish
              4·
              2 years ago

              Good question. Since Zoom is mainly a buisness tool and a lot if high profile companies rely on it - if there’s even the suspicion that zoom uses collected data to steal passwords or company secrets, they will bring the hammer down in the most gruesome class action lawsuit. Companies pay good money for the buisness license and Zoom will certainly not bite the hand that feeds them.
              However, this might not apply to private Zoom users. And I’m certain that Zoom does some shady stuff behind the scenes with the data they collect on private individuals beyond simply “improving our services”.

    • Ironfist@sh.itjust.worksEnglish
      6·
      2 years ago

      I’m skeptical too, it sounds very hard to do with the sound alone, but lets assume that part works.

      The keylogger part could be done with a malicious website that activates the microphone and asks the user to input whatever. The site would know what you typed and how it sounded. Then that information could be used against you even when you are not in the malicious website.

      • Imgonnatrythis@lemmy.worldEnglish
        6·
        2 years ago

        Hard to do, but with a very standard keyboard like a Mac keyboard the resonance signatures should be slightly different based on location on the board, take into account pattern recognition, relative pause length between keystrokes, and perhaps some forced training ( ie. Get them to type know words like a name and address to feed algorithm) I think it’s potentially possible.

    • barryamelton@lemmy.mlEnglish
      5·
      2 years ago

      it doesn’t need a keylogger. Just needs a Videocall meeting, a Discord call meanwhile you type to a public call, a recording of you on youtube streaming and demoing something… etc.

    • HankMardukas@lemmy.worldEnglish
      42·
      2 years ago

      It’s bad now, but where we’re at with AI… It’s like complaining that MS paint in 1992 couldn’t make photorealistic fake images. This will only get better, never worse. Improvements will come quickly.

    • egeres@lemmy.worldEnglish
      1·
      2 years ago

      Is gonna sound crazy, but I think you can skip the keylogger step!

      You could make a “keystroke-sound-language-model” (so like a language model that combines various modalities, e.g, flamingo), then train that with self-supervised learning to match “audio” with “text”, and have a system where:

      • You listen to your target for a day or so, let’s say, 1000 words typed in 🤷🏻‍♂️
      • Then the model could do something akin to anchor tokens in language-to-language translation, except in this case it would be more like fixing on easy words such as “the” to give away part of the sound-to-key map. Then keep running this mapping more parts of the keyboard
      • Eventually you try to extract passwords from your recordings and maybe bingo

      I think it’s very narrow to think that, just because this research case requires a keylogger, these systems couldn’t evolve other time to combine other techniques

  • abraham_linksys@sh.itjust.worksEnglish
    251·
    2 years ago

    It looks like they only tested one keyboard from a MacBook. I’d be curious if other keyboard styles are as susceptible to the attack. It also doesn’t say how many people’s typing that they listened to. I know mine changes depending on my mood or excitement about something, I’m sure that would affect it.

  • quadropiss@lemmy.worldEnglish
    18·
    2 years ago

    You have to train it on per device + per room basis and you don’t give everything access to your microphones

    • Sloogs@lemmy.dbzer0.comEnglish
      9·
      2 years ago

      I was just thinking, streamers might have to be careful actually — you can often both see and hear when they’re typing, so if you correlated the two you could train a key audio → key press mapping model. And then if they type a password for something, even if it’s off-screen from their stream, the audio might clue you in on what they’re typing.

    • Botree@lemmy.worldEnglish
      2·
      2 years ago

      Never knew my mutant blue switch keeb would come in handy one day. I’ve lubed the blue switches and added foam and tapes so now it sounds like a clicky-thocky blue-brown switches keeb.

  • Buddahriffic@lemmy.worldEnglish
    61·
    2 years ago

    When your ADHD fidgeting and a mic attached to your head become a super power. No one can read my keystrokes!

  • 𝔼𝕩𝕦𝕤𝕚𝕒@lemmy.worldEnglish
    51·
    2 years ago

    Sweet! More man-made horrors beyond my comprehension! I sure am glad we’re investing our time into things that will never be stolen or misused!

  • Hal-5700X@lemmy.worldEnglish
    3·
    2 years ago

    Will a faraday bag help with a phone? Seeing how it blocks connections. You can unplug desktop mics.

  • Marxism-Fennekinism@lemmy.mlEnglish
    3·
    2 years ago

    A very widespread implication of this is if you are on a call with a bad actor and are on speaker phone, and you enter your password while talking to them, they could potentially get that password or other sensitive information that you typed.

    Assuming it really is that accurate, a real-world attack could go something like this. Call someone and social engineer them in a way that causes them to type their login credentials, payment information, whatever, into the proper place for them. They will likely to this without a second thought because “well, I’m signing into the actual place that uses those credentials and not a link someone sent me so it’s all good! I even typed in the address myself so I’m sure there’s no URL trickery!” And then attempt to extract what they typed. Lots of people, especially when taking calls or voice conference meetings or whatever from their desk, prefer to not hold their phone to their ear of use a headset mic and instead just use their normal laptop mic or an desktop external one. And, most people stop talking when they’re focused on typing which makes it even easier. Hell if you manage to reach, say, the IT server department of a major company and play your cards right, you might even be able to catch them entering a root password for a system that’s remotely accessible.

  • thefloweracidic@lemmy.worldEnglish
    2·
    2 years ago

    From the article:

    The researchers gathered training data by pressing 36 keys on a modern MacBook Pro 25 times each and recording the sound produced by each press.

    In their experiments, the researchers used the same laptop, whose keyboard has been used in all Apple laptops for the past two years, an iPhone 13 mini placed 17cm away from the target, and Zoom.

    Now they should do this under real usage and see if they get anywhere close to 95% accuracy. Phones are usually in pockets, people listen to music, not everyone has a MacBook.

    I think it will be difficult for the average person to use this attack effectively, but I think this will become some sort of government spy thing for sure.