AI could accurately identify passwords by listening to keystrokes
A password typed into your phone or on a Zoom call could be interpreted with up to 95 per cent accuracy using an AI-based model, according to research by cyber security experts at Surrey.
The research, led by Dr Ehsan Toreini, a lecturer in software security in the School of Computer Science and Electronic Engineering, in collaboration with the University of Durham and Royal Holloway, was published at the IEEE European Symposium on Security and Privacy Workshops in July 2023.
The study demonstrated that cyber criminals could use AI to discover which keys are being pressed on a device with a built-in microphone – in other words most laptops and smartphones – just from the slightly differing sounds of the keystrokes.
While researchers have previously succeeded in demonstrating this concept with lower accuracy using other keyboards (including the historic Enigma machine), Dr Toreini’s research is based on the latest developments in deep learning, and is highly efficient – accurately predicting 95 per cent of letters typed on smartphones and 93 per cent on Zoom calls.
He explains: “Zoom uses noise cancellation and compression algorithms in order to reduce environmental noise but, even with these measures, we were still able to achieve a high level of accuracy.
“Our research is designed to raise awareness of this type of attack among regular users. Acoustic side channel attacks like these will become increasingly accurate and we all need to be vigilant. As our paper reports, users can help to mitigate this risk by creating more complicated passwords using shift keys, and by using biometric passwords or activating two-step verification systems.”
Dr Toreini and his colleagues are now looking to develop this area of research further, with one focus being a more comprehensive assessment of video conferencing platforms.
The latest paper, A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards, has generated widespread media coverage including a Guardian article. Previous research, featured by the BBC, focused on how tilting your mobile could enable hackers to work out your PIN numbers and passwords.