The Silent Risks of Sound
It never fails to amaze me the lengths hackers will go to in order to obtain user credentials and passwords. But this week I came across something new (to me anyway) on the Naked Security by Sophos podcast.
What is it, I hear you ask?
Well, let’s just say it relates to the sound of keyboards clicking.
Unveiling Cybersecurity Threats in Virtual Meetings
Whilst remote work and virtual meetings have become the norm, cybersecurity concerns have also evolved beyond the conventional boundaries of data breaches and hacking attempts. An intriguing research paper discussed in the Naked Security podcast, which prompted this blog post, delves into an unexplored aspect of cybersecurity risks associated with virtual meetings and the actions of sound-sniffing password phishers. The question posed is not about what is audibly said during these meetings, but rather what can be deciphered from the subtle sounds of keystrokes. This investigation opens a new door to potential vulnerabilities that individuals and organisations need to be aware of and take precautions against.
The Art of Eavesdropping Through Keyboards
Imagine sitting in a virtual meeting with colleagues, engrossed in your laptop while typing away diligently. You might think that your muted presence is inconspicuous, but according to the research discussed in the podcast, even the sounds of your keystrokes can be revealing. The study specifically focused on MacBook Pro keyboards, unveiling that the auditory signatures of keystrokes can be used to deduce what’s being typed. And if a sound-sniffing password phisher can discover what is being typed whilst eavesdropping on a user entering password details, you are exposing your systems to a breach.
The Auditory Fingerprint of Keyboards
The researchers meticulously examined the sounds produced by various keys on a 2021 MacBook Pro. Surprisingly, they discovered that despite the array of keys, all MacBook keyboards of the same model produce remarkably similar sounds. This insight implies that a sound signature collected from one MacBook could potentially be used to interpret keystrokes on other MacBooks of the same model range.
The Role of Touch-Typing in Cybersecurity
The researchers also touched upon the significance of touch-typing in this context. Touch-typists, those who type without looking at the keyboard, were found to have a more uniform typing style. This consistency in keystrokes makes it notably challenging to differentiate between individual key presses. Additionally, touch-typing tends to be quieter, potentially minimising the distinctive sounds that could otherwise be exploited.
The Shift Key Conundrum
The research paper highlights an interesting nuance related to the Shift key. Because using the Shift key involves pressing it, then pressing another key, and releasing them in reverse order, this overlapping of keystrokes can muddle the sound data. This overlapping feature could potentially render certain keystrokes less distinguishable, emphasising the intricate nature of this form of auditory eavesdropping.
Practical Steps to Mitigate the Risk
Fortunately, the research paper also proposes several practical measures to counteract this unusual form of cybersecurity threat.
Embrace Touch-Typing
Becoming a proficient touch-typist not only enhances your typing speed but also adds an extra layer of security by making your keystrokes more uniform and difficult to differentiate.
Avoid Typing Sensitive Information
During virtual meetings, it’s wise to abstain from typing confidential information, including passwords. This reduces the risk of potential eavesdropping attempts.
Utilise 2FA
Two-factor authentication (2FA) provides an additional security layer by requiring a second form of verification, which cannot be gleaned from the sounds of your keystrokes.
Mute Your Microphone
When participating in virtual meetings with just your side visible, muting your microphone when not speaking is not only courteous but also prevents unintended data leakage.
Summary
The research paper discussed in the podcast opens our eyes to an entirely new dimension of cybersecurity risks within virtual meetings. While the idea of deciphering keystrokes from the sound they produce may seem like something out of a spy movie, it’s a tangible concern that needs to be addressed. Implementing the recommended practices can help individuals and organisations safeguard against this subtle yet potentially harmful intrusion. As the realm of cybersecurity continues to evolve, it’s essential to stay vigilant and adapt to emerging threats, even those that sound as innocuous as the tapping of keys.
Thanks
Richard