The sound your keystrokes make is enough for AI to steal them — how to stay safe
New acoustic attack steals passwords right from your keyboard
If malicious apps and other cyberthreats weren’t enough to worry about, a team of researchers has now developed a new attack technique that can steal passwords and other data from your keyboard just by listening to your keystrokes.
As reported by BleepingComputer, researchers from several British universities have trained a deep learning model capable of stealing data from keyboard keystrokes recorded with a microphone.
Surprisingly, this new acoustic attack can already do this with an accuracy of 95% when using a microphone placed next to a keyboard or with 93% accuracy when keystrokes are recorded over Zoom or other video conferencing software.
Besides your passwords, this attack can also be used to steal messages or any other sensitive information typed on a victim’s keyboard.
Recording keystrokes
For this attack to work, an attacker first needs to record keystrokes from a target’s keyboard, either using a nearby microphone or through a smartphone that has been infected with malware. Keystrokes can also be recorded through Zoom calls or other video chat apps.
In order to train the deep learning model to recognize keystrokes by sound, the researchers behind this project gathered data by pressing 36 keys on a MacBook Pro 25 times each and recording the sounds produced by each keypress using an iPhone 13 mini placed 6.5 inches away from the laptop.
From here, the researchers produced waveforms and spectrograms from these recordings to help visualize the differences in sound between each key that was pressed. The spectrogram images produced from this were then used to train the image classifier ‘CoAtNet’.
When it came to deciphering keystrokes by the sounds they made, CoAtNet did so with 95% accuracy using a smartphone to record them, 93% accuracy over Zoom and a lower but still very usable 91.7% accuracy over Skype.
How to protect your passwords from this attack and others
According to the paper (PDF) published by the researchers, using a different typing style or randomized passwords can help protect you from acoustic side-channel attacks. They also suggested playing white noise in the background while typing on your keyboard, or even using software-based keystroke audio filters.
It doesn’t matter whether you’re using one of the best mechanical keyboards or even a cheaper membrane keyboard, as the deep learning model is still able to steal data based on your keystrokes. Using a silent keyboard or adding sound dampeners to your mechanical keyboard won’t help either.
If you’re worried about hackers or other third parties stealing your passwords from the sound your keystrokes make, you may want to consider using one of the best password managers to store and autofill your passwords. However, even then an acoustic attack could be used to figure out your master password, which puts all of your other passwords at risk.
In a statement sent over to Tom's Guide, a Zoom spokesperson provided further insight on how users of its video conferencing software can protect themselves from acoustic attacks, saying:
“Zoom takes the privacy and security of our users seriously. In addition to the mitigation techniques suggested by the researchers, Zoom users can also configure our background noise suppression feature to a higher setting, mute their microphone by default when joining a meeting, and mute their microphone when typing during a meeting to help keep their information more secure.”
Now that we’ve seen researchers use AI to develop new acoustic attacks, hackers will likely follow suit. Fortunately though, Microsoft, Apple and other computer makers are aware of these kinds of attacks and will no doubt work to add mitigations against them to their respective operating systems and devices.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.