Hackers can work out your password by listening to your keystrokes as you type

20 Aug 2019

Image: © peshkov/Stock.adobe.com

Research from Southern Methodist University has revealed a new way to hack a person’s password.

At this stage, most internet users are likely savvy enough to dodge suspicious spear-phishing emails and know not to use the same password for every account. But new research from the Darwin Deason Institute for Cybersecurity at Southern Methodist University (SMU) in Texas suggests that hackers may be able to access your information in a novel way – by using a nearby smartphone to intercept the sound of your keystrokes.

The SMU researchers found, as explained in a paper published in the June edition of Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, that a smartphone can successfully pick up the sound waves produced when people type, which can then be processed by adept threat actors to discern what a person is typing.

The team was able to decode what was being typed by listening to keystrokes using a common smartphone, even in a noisy conference room amid the sound of other people typing and having conversations.

“We were able to pick up what people are typing at a 41pc word accuracy rate. And we can extend that out above 41pc if we look at, say, the top 10 words of what we think it might be,” said Eric C Larson, one of the two lead authors and an assistant professor in SMU Lyle School’s Department of Computer Science.

Always-on sensors

Larson explained that there are many kinds of sensors in smartphones that allow the phone to determine its orientation and detect when it is sitting still on a table or being carried in someone’s pocket. While some of these sensors require permission to switch on, many of them are always turned on by default.

The research team leveraged these always-on sensors and developed a new app that processed the sensor output to predict the key that was pressed by the typist.

With this form of hacking it is difficult, if not impossible, to know if it’s happening to you, but the team noted that there are a few caveats.

“An attacker would need to know the material type of the table,” Larson said, noting that someone typing on a wood table sounds different to someone typing on a metal tabletop.

“An attacker would also need a way of knowing there are multiple phones on the table and how to sample from them.”

Eva Short was a journalist at Silicon Republic

editorial@siliconrepublic.com