Researchers at Cornell University programmed an artificial intelligence (AI) computer system to listen to the sounds of people typing the keys on a keyboard on a phone call and a Zoom call. For the study, they used a MacBook Pro and pressed all of the letters and numbers 25 times with different fingers and varying amounts of pressure.
The AI system quickly started to distinguish between the individual sounds made by typing each key. Soon afterward, it was able to identify which key was being pressed based on its sound alone with 95 percent accuracy in phone calls and 93 percent accuracy in Zoom.
Although it is not clear precisely which acoustic clues the system used, the study’s first author, Joshua Harrison of Durham University, suggested that the distance of the keys from the edge of the keyword may have been one strong clue, noting: “This positional information could be the main driver behind the different sounds.”
Now, the researchers are warning people about this new avenue of cyberattack. The study's co-author, Dr. Ehsan Toreini, believes it is only going to get worse, saying: “I can only see the accuracy of such models, and such attacks, increasing.”
Toreini added that as smart devices become even more common in homes, public debate on governing AI is urgently needed.
The ubiquity of Zoom and other videoconferencing programs and prevalence of built-in microphones in smart devices has prompted cybercriminals to look for new methods of breaching accounts based on sound. While many people hide their screen and keyboard when they are typing in a password on a Zoom call, they rarely take steps to conceal the sound of their keyboard.
The researchers said that people need to be vigilant, particularly when they are using a laptop in a public setting as people could be eavesdropping and using these methods to crack their passwords. Moreover, it is important to be aware of this possibility when typing in passwords during a Zoom call or a while on a smartphone call.
Using a quiet keyboard won’t help, but there are a few ways people can reduce their risk of being victimized by this hacking method. First, they can opt for a biometric password wherever possible. In addition, if a system or website they are using offers two-step verification, this should be turned on.
Finally, using the Shift key to set your password with a combination of upper and lower-case letters, along with numbers and symbols, can make it more difficult for passwords to be correctly identified as it can be more challenging for these AI systems to detect when someone has let go of the Shift key, particularly if they do so with a soft touch. A password manager that enters your password without the need to type may also help.
Meanwhile, University of Warwick Professor Feng Hao said that typing sensitive messages and passwords using a keyword during a Zoom call is never a good idea because body movements can also give away which keys are being typed.
He said: “Besides the sound, the visual images about the subtle movements of the shoulder and wrist can also reveal side-channel information about the keys being typed on the keyboard even though the keyboard is not visible from the camera.”
Sources for this article include: