AI tool can ‘hear’ your password with alarming accuracy

A new hacking tool has been created that can crack passwords simply by using the device’s own microphone to listen out for the keys being hit.

A group of scientists – including Joshua Harrison from Durham University – developed an AI-driven tool that recognises the sound profile of different keys as they are being pressed. Armed with this knowledge, the program can ‘listen’ to a password being typed out and then crack it based on sound alone.

In tests involving an Apple MacBook Pro, the hacking tool identified passwords with a 95% accuracy rate. Perhaps more alarming still was that the program could also be used remotely over Zoom and Skype, reporting success rates here of 93% and 92% respectively. Passwords could be hacked not just by using the device’s own built-in microphone, but also via a mobile device placed 17cm away.

Interestingly, the software doesn’t just factor in the sound of a specific key being pressed, but also uses the intensity and time of each keystroke to build a better, more accurate picture of the user.

One reassuring aspect of the report was that the tool wasn’t able to ascertain keystrokes from any and all keyboards (at least not yet). Instead, it needed training on each separate keyboard before it was able to crack passwords with any level of accuracy.

For anyone worried about this new type of attack, the scientists behind the technology had a few tips. The first is also good password practice anyway: use randomised passwords that feature multiple cases. The researchers noted: “While multiple methods succeeded in recognizing a press of the shift key, no paper in the surveyed literature succeeded in recognizing the ‘release peak’ of the shift key amidst the sounds of other keys.” This effectively doubles the search space of potential characters following a press of the shift key.

Alternatively, users can change the way they type when entering passwords, to fool the program’s use of intensity and time when determining the particular keys being pressed.

Better still would be to use a password generator and manager, as this wouldn’t require them to be typed out at all, or biometrics to avoid porous alphanumeric passwords altogether.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

AI tool can ‘hear’ your password with alarming accuracy

Categories

Horsham Office: 01293 871971 | London Office: 0203 763 3919 | IT Support: 01293 876000