Two researchers at Augusta University in Georgia, USA, demonstrated a novel way to steal people's passwords that would embarrass even James Bond.
Last week, researchers Alireza Taheritajar and Reza Rahaeimehr published a paper titled “Acoustic Side Channel Attack on Keyboards Based on Typing Patterns,” which is as strange as it gets.
According to the research, there is a way to deduce a person's password (or any other word typed on a computer) simply by listening to them type.
Is it feasible?
The method is not as accurate as other side channel attacks: the researchers suggest that its accuracy is around 43%. To achieve this, all the attackers would need is a relatively small sample of what the victim is typing (apparently just a few seconds), but they would need more than one recording.
Additionally, they would need an English dictionary. What makes the attack easier to carry out is that the recording does not have to be especially “clean.” It could have significant background noise or come from several different keyboards and still work.
In theory, a threat actor could place a smartphone, or similar device equipped with a microphone, in relative proximity to the victim and record them typing. From that recording, they could establish certain patterns, which could then be used to determine potential words. The English dictionary would help predict which words would make the most sense in the context of the sentence.
While it sounds ominous, there are quite a few moving parts that must align perfectly for the attack to take place.
First, the attacker must be very close to the victim, have a recording device nearby (apparently a smart speaker would be sufficient), or have malware installed that is capable of exploiting the computer's microphone. The victim must then type their password, as well as many other words.
The victim also cannot be a professional typist or a fast typist in general, as this disrupts predictions. Attackers can then analyze the recordings and still end up with only a 43% chance of success.