Comment

Comment on New acoustic attack steals data from keystrokes with 95% accuracy

I’ll believe it when it actually happens. Until then you can’t convince me that an algorithm can tell what letter was typed from hearing the action through a microphone.

This sounds like absolute bullshit to me.

source

Sort:hotnew top

Obsession@lemmy.world ⁨1⁩ ⁨year⁩ ago
That’s pretty much what the article says. The model needs to be trained on the target keyboard first, so you won’t just have people hacking you through a random zoom call

source
- bdonvr@thelemmy.club ⁨1⁩ ⁨year⁩ ago
  And if you have the access to train such a model, slipping a keylogger onto the machine would be so much easier
  
  source
  - jumperalex@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Hmmm not totally. A bad actor could record the keyboard and then figure out a way to get it installed. Either through a logistics attack (not everyone maintains a secure supply chain), or an insider threat installing it. Everyone’s trained not to allow thumb drives and the like. But a 100% completely unaltered bog standard keyboard brought into a building is probably easier, and for sure less suspicious if you get caught.
    
    Sure you might say, “but if you have an insider you’ve already lost” to which I say, your insider is at risk if they do certain things. But once this keyboard is installed, their own detection risk is less.
    
    Now the question is, how far away can the mic be? Because that’s gonna be suspicious AF getting that installed. BUT!!! this is still a great way to break the air gap.
    
    source
    ItsMeSpez@lemmy.world ⁨1⁩ ⁨year⁩ ago
    
    A bad actor could record the keyboard and then figure out a way to get it installed
    
    The room is important to the training of the model as well. So even if you know the make and model of the keyboard, the exact acoustic environment it is in will still require training data.
    
    source
    -> View More Comments
LouNeko@lemmy.world ⁨1⁩ ⁨year⁩ ago
I think you might have misunderstood the article. In one case they used the sound input from a Zoom meeting and as a reference they used the chat messenges from set zoom meetings. No keyloggers required.

I haven’t read the paper yet, but the article doesn’t go into detail about possible flaws. Like, how would the software differentiate between double assigned symbols on the numpad and the main rows? Does it use spell check to predict words that are not 100% conclusive? What about external keyboards? What if the distance to the microphone changes? What about backspace? People make a lot of mistakes while typing. How would the program determine if something was deleted if it doesn’t show up in the text? Etc.

I have no doubt that under lab conditions a recognition rate of 93% is realistic, but I doubt that this is applicable in the real world. Noboby sits in a video conference quietly typing away at their keyboard. A single uttered word can throw of your whole training data. Most importantly, all video or audio call apps or programs have an activation threshold for the microphone enabled by default to save on bandwith. Typing is mostly below that threshold. Any other means of collecting the data will require you to have access to the device to a point where installing a keylogger is easier.

source
- imaradio@lemmy.ca ⁨1⁩ ⁨year⁩ ago
  It sounds like it would have to be a very targeted attack. Like if the CIA is after you this might be a concern.
  
  source
  - LouNeko@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Yes, exactly.
    
    source
    imaradio@lemmy.ca ⁨1⁩ ⁨year⁩ ago
    Actually I just saw this: Zoom terms of use updated to allow AI training on user-generated data, no opt-out
    
    Maybe if zoom is systematically collecting data on all users they would be able to build a reasonable model. Then it could be leaked or shared.
    
    What do you think?
    
    source
Ironfist@sh.itjust.works ⁨1⁩ ⁨year⁩ ago
I’m skeptical too, it sounds very hard to do with the sound alone, but lets assume that part works.

The keylogger part could be done with a malicious website that activates the microphone and asks the user to input whatever. The site would know what you typed and how it sounded. Then that information could be used against you even when you are not in the malicious website.

source
- Imgonnatrythis@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Hard to do, but with a very standard keyboard like a Mac keyboard the resonance signatures should be slightly different based on location on the board, take into account pattern recognition, relative pause length between keystrokes, and perhaps some forced training ( ie. Get them to type know words like a name and address to feed algorithm) I think it’s potentially possible.
  
  source
HankMardukas@lemmy.world ⁨1⁩ ⁨year⁩ ago
It’s bad now, but where we’re at with AI… It’s like complaining that MS paint in 1992 couldn’t make photorealistic fake images. This will only get better, never worse. Improvements will come quickly.

source
egeres@lemmy.world ⁨1⁩ ⁨year⁩ ago
Is gonna sound crazy, but I think you can skip the keylogger step!

You could make a “keystroke-sound-language-model” (so like a language model that combines various modalities, e.g, flamingo), then train that with self-supervised learning to match “audio” with “text”, and have a system where:

You listen to your target for a day or so, let’s say, 1000 words typed in 🤷🏻‍♂️

Then the model could do something akin to anchor tokens in language-to-language translation, except in this case it would be more like fixing on easy words such as “the” to give away part of the sound-to-key map. Then keep running this mapping more parts of the keyboard

Eventually you try to extract passwords from your recordings and maybe bingo

I think it’s very narrow to think that, just because this research case requires a keylogger, these systems couldn’t evolve other time to combine other techniques
source
ItsMeSpez@lemmy.world ⁨1⁩ ⁨year⁩ ago
Sounds like a fantastic way to target a streamer, but it’s otherwise very limited.

source