Listening for Keystrokes

Hands on a keyboard

“And there’s one more thing . . . “

Hearing Steve Jobs say this at the end of his Apple announcements was always intriguing and exciting – even for this PC user. I knew that if Apple could do it, it was possible for the rest of us. But I have learned over the years that there is a dark side to this phrase. I see it when I start delving into security.

Staying safe and secure on the Internet takes diligence and focus, and even then you could be compromised. This was confirmed again by research done in 2023 by Durham University, the University of Surrey, and Royal Holloway University of London.

Researchers can identify keystrokes by recording the sounds made by your keyboard. Yes, even your “quiet keyboards” and even in virtual environments like Zoom. Improvements in audio quality and the rise of machine learning have both contributed to this possibility.

All keyboards make sounds, and each key has a specific sound. These sounds are the same within a laptop model. If you had ten 2021 MacBook Pros, the sound for the letter “a” would be the same (or very similar) across all. The researchers placed an iPhone close to the laptop for recording purposes. They then pressed each key 25 times, trying to vary the pressure used and switching fingers. These audio files were converted to images and then classified using machine learning.

Using this method, they could identify the correct characters 95% of the time. When using a Zoom recording, 93% of the time. The researchers hypothesized that keyboards are similar enough across models that one would only need to train the machine learning model on a single laptop, and that would successfully work on other laptops of the same model.

Most of us are careful with our passwords. We don’t use duplicate passwords across websites, we don’t write them down, and we are careful that no one is looking when typing. What to do about these keyboard sounds that can be converted into your passwords? Password managers could be one option, but there still could be an issue with typing in the master password. Passkeys seem to be the future. These use biometrics like your fingerprint or face recognition, a PIN, or a pattern for login. Once you are logged in, switching to another device should keep you logged in. Google has a good overview of passkey, which I recommend as an introduction.

Security will always be the bane of our technology existence, but I confess that I cannot wait to be rid of passwords and move on to “the next thing!”