Is your Microphone stealing your Password?
A recent collaboration between British and American universities has spotlighted an alarming development in the field of cyber security. Researchers have successfully trained a deep learning AI model to record and identify keyboard keystrokes with a startling accuracy of 95% through a microphone. Even when tested in the real-world scenario of a Zoom meeting, the model's accuracy remained dangerously high at 93% of interpreting keystrokes.
The rise of this form of acoustic attack could prove disastrous for data security within video meetings, posing threats that could include; passwords, private conversations, and sensitive personal information being leaked.
How Does the Microphone Stealing Attack Work?
The attack commences by recording keyboard keystrokes through a nearby microphone, this includes any microphone that could be built into your smartphone or computer. This could be accessed through malware, however, more dangerously, attackers could use a simple video call such as a Teams or Zoom call to make correlations between messages typed by the target and their corresponding keystrokes, giving attackers the data they need to train their prediction algorithm.
The research team involved in developing this algorithm used a modern MacBook Pro and an iPhone 13 mini in their experiments. They gathered training data by pressing each of the 36 keys on the keyboard 25 times, recording the sounds produced. They then used the recordings to train 'CoAtNet,' an “image classifier” that achieved 95% accuracy from smartphone recordings and 93% accuracy from audio captured through Zoom meetings.
Mitigating the Risks of Microphone Attacks
Given the looming risk that this poses and the fact that you can not protect against this type of audio attack through cyber security tools on your own devices, adopting precautionary measures becomes paramount to ensure that your data stays secure.
Contrary to popular belief, the solution is not a quieter keyboard. The research indicates that adding sound dampeners or switching to membrane-based keyboards will likely offer little protection against the algorithm's accuracy.
Here are some measures that could mitigate the risks:
1. Altering Typing Styles or Using Randomised Passwords
One of the most immediate steps one could take is to alter typing styles or use a random sequence of characters for passwords. Interestingly, it was noted that whilst it could detect a press, the algorithm struggled to detect when the Shift key was lifted. As such, whilst it could still detect the press of other keys and when the shift key was pressed, if you used a combination of multiple upper and lower case keys it could offer some minor defence. It is important to note that it could still detect the other keys in context with 93%-95% accuracy.
2. Employing Biometric Authentication
Using biometric data, such as fingerprints or facial recognition, circumvents the need for manual password input, thus preventing these types of acoustic eavesdropping attempts.
3. Utilising Password Managers
Password managers allow you to store and manage your passwords securely, often featuring auto-fill capabilities and biometric authentication that would bypass the need for manual input.
4. Mute When You Type
On video calls, users can raise their background noise suppression settings to help prevent the accuracy of these types of attacks. However, muting your microphones when typing will provide no acoustic data to be able to interpret.
5. Monitor Device Permissions
Be vigilant about the apps that have microphone access on your devices, be aware that whilst you may not actively be on a call, other applications which have access to your microphone may have the ability to listen and record your keystrokes. Limit permissions to only those apps that absolutely require it or have only the applications active that you require at any given time.
6. Music/White Noise
Another interesting approach could be to use white noise, music or software-based keystroke audio filters to drown out or mask the sound of typing.
Staying Educated
While the researchers maintain that this model was developed purely for research purposes, the underlying technology may soon be recreated by malicious parties interested in the potential data capture abilities it poses. Therefore, being proactive in understanding and implementing defensive measures is crucial for your data protection.
This research serves as a potent reminder of the continually evolving threats that businesses face every day, necessitating a robust, adaptive and comprehensive approach to data security. With AI technologies becoming increasingly sophisticated, it's even more important to stay one step ahead in the cybersecurity game.