A new hacking tool has been created that can crack passwords simply by using the device’s own microphone to listen out for the keys being hit.
A group of scientists – including Joshua Harrison from Durham University – developed an AI-driven tool that recognises the sound profile of different keys as they are being pressed. Armed with this knowledge, the program can ‘listen’ to a password being typed out and then crack it based on sound alone.
In tests involving an Apple MacBook Pro, the hacking tool identified passwords with a 95% accuracy rate. Perhaps more alarming still was that the program could also be used remotely over Zoom and Skype, reporting success rates here of 93% and 92% respectively. Passwords could be hacked not just by using the device’s own built-in microphone, but also via a mobile device placed 17cm away.
Interestingly, the software doesn’t just factor in the sound of a specific key being pressed, but also uses the intensity and time of each keystroke to build a better, more accurate picture of the user.
One reassuring aspect of the report was that the tool wasn’t able to ascertain keystrokes from any and all keyboards (at least not yet). Instead, it needed training on each separate keyboard before it was able to crack passwords with any level of accuracy.
For anyone worried about this new type of attack, the scientists behind the technology had a few tips. The first is also good password practice anyway: use randomised passwords that feature multiple cases. The researchers noted: “While multiple methods succeeded in recognizing a press of the shift key, no paper in the surveyed literature succeeded in recognizing the ‘release peak’ of the shift key amidst the sounds of other keys.” This effectively doubles the search space of potential characters following a press of the shift key.
Alternatively, users can change the way they type when entering passwords, to fool the program’s use of intensity and time when determining the particular keys being pressed.
Better still would be to use a password generator and manager, as this wouldn’t require them to be typed out at all, or biometrics to avoid porous alphanumeric passwords altogether.