The way people tilt their smartphone 'can give away passwords and pins' (bbc.co.uk)
248 points by dan1234 on April 11, 2017 | hide | past | favorite | 125 comments


Interestingly novel!

In my university days, long before the days of tablets and smartphones, the computer labs were the usual place where people would congregate to do their assignments or basically kill time on the internet in between classes.

One day, my mates and I noticed how annoyingly loud some people typed on their keyboards and, out of sheer boredom, we decided we could come up with an algorithm to determine what a person was typing simply from recording the sound of the keystrokes from our vantage point. Taking that sound clip, we graphed it out and proceeded to hash out each "stroke" based on how loud it was in relation to our distance from the keyboard plus the angle of the keyboard.

Fun times ensued. ;)


I think it was in the book Spycatcher [0] that I recall there was a story of how English intelligence bugged a foreign embassy with a microphone and was able to figure out what they were typing on a typewriter by analyzing the sound of the keystrokes. That was way back in the 1950's I think, so the idea has been around for a while. The book has a lot of interesting details about spy technology at the time. In addition to all the juicy intelligence stories it's also a fun read from a security engineering point of view. The British government tried to ban it which naturally triggered the Streisand effect and made it a best seller.

[0] https://en.wikipedia.org/wiki/Spycatcher


There is a paper from one of the guys who made RSA about that.

They can reconstitute private keys, by listening repeatedly to the sound the power supply of a laptop makes when encrypting/decrypting emails, from 5m away.


This type of thing is called a side-channel attack, if you're interested.

https://en.wikipedia.org/wiki/Side-channel_attack


the good old days in the military where our main communications computers and such were in shielded areas to prevent leakage outside which could be picked up.


Tempest certification is still very much alive and well fyi.


That reminds me—in elementary school, I used to figure out what someone was writing by listening to the sound of their pencil, sometimes by putting my head to the desk. It probably worked mainly because they were writing pretty slowly in large print, but I imagine you could come up with a software implementation as a useless gimmick if you had enough training data.

I’ve considered implementing this as a keyboard layout in Android, so you could put your phone on the desk and type by scratching a stylus or fingernail on the surface next to it.


Acoustic analysis of keystrokes is nothing new to most of us.

Some of us are even familiar with acoustic cryptanalysis[0].

However, combine these methods with this[1] tech, inspired by the work done here[2], and we have ourselves an impending crisis on our hands.

[0] Acoustic Cryptanalysis - https://courses.csail.mit.edu/6.857/2014/files/23-shroff-hu-...

[1] Extracting Audio From Visual Information - https://news.mit.edu/2014/algorithm-recovers-speech-from-vib...

[2] Eulerian Video Magnification - https://people.csail.mit.edu/mrub/papers/vidmag.pdf

Let's run through a scenario.

Your office orders pizza every Tuesday at the same time, via a coworker's cell phone. You are working on a technology that has the potential to disrupt several leading industries that are in bed with the government. After much lobbying, it is decided one day that your call to Domino's is to be rerouted via your broadband processor to an operative that mirrors your order to the real Domino's, and hand delivers the pizza at the front desk.

On their way out, they place a small, embedded, self-destructing camera device that focuses on your fancy new plexiglass installation. Over the next few weeks, the device documents all keystrokes and conversations from the front desk, and finds a way to socially engineer a copy of your codebase. Next year, seemingly out of nowhere, another venture suddenly launches ahead of your launch schedule, with your exact business model. All because you wanted some plexiglass and didn't think it was worth the money to actively scan the entire perimeter for bugs daily.

If this sounds crazy and far-fetched to anyone, then it would behoove them to look into past CIA infiltration techniques and also to realize that this is exactly the kind of stuff the CIA exists to do.


And this worked? Seems hard to believe.


It would cut entropy down by a great deal if you even simply knew how long the password was.


I've seen a movie where a bad guy entered a password and a good girl counted the number of characters: one-two-three-four-five. Then she noticed that his suit had a "GREED" badge on it. Combining these two facts she successfully hacked into his laptop and prevented some shit. Since then I've started to always mix a few backspaces into my passwords. Not that I'm really bad, but life is life.


The backspace key on most keyboards has a very distinct sound. Not to mention its positioning means timing will be noticeably different as well. Might be better off mixing in a few meaningless modifier keys (press Ctrl, Alt or Caps Lock).


I usually type a long string of gibberish, sneak in ctrl-U at some point and then enter my actual password


Unless the gibberish is the same every time, the repeated sound of your password will still be parsable from a long enough sound recording of your computer usage.


The gibberish is unlikely to ever be the same.


I think it is more accurate to say that the gibberish is unlikely to _always_ be the same.

I think one can tend to create similar gibberish over time. I've worked on a system where I needed to do a new signup every time I wanted to test a feature and I've run into issues where the gibberish I entered matched an account that I had previously created.


Everyone here has accounts in development databases named 'aaa', 'asd', 'asdf', 'qwer', 'hjkl', etc!


Nope, mine are all oeunt, oeunth, huet, uehis, ais, etc


You are a user of the Dvorak layout, I take it? Colemak seems like it would have a different fingerprint.


Yep! Always a bit of fun when someone goes to use my laptop for an end-of-sprint presentation and types a bunch of gibberish in front of all the stakeholders :D


I feel like the real lesson here is "don't wear your password."


Barely. Trying all the passwords less than N characters long is way cheaper than trying the ones that are exactly N.


Best case scenario wouldn't you have to do both without knowing the length?


Right but even with alphanumeric only, only about 2% of passwords of length N or less are less than length N.


The advantage is having the upper bound.


I think I read about a similar "keylogging" technique in Popular Science at one point.


Researchers recover typed text using audio recording of keystrokes (2005) [0]

[0] http://www.berkeley.edu/news/media/releases/2005/09/14_key.s...


Turns out my Ducky Blues mechanical keyboard has a big disadvantage when it comes to this then.


No. The idea that you could discern the difference between keys based on their relative volume due to their distance and angle from the recording device is complete nonsense. OP is living a fantasy and taking HN along for the ride.



The good old side channel attack. Kudos.


> We demonstrate how an inactive or even a minimised web page, using JavaScript, is able to listen to and silently report the device motion and orientation data about a user who is working on a separate tab or a separate app on the device.

This is brilliant and well-explained.

On page 6 of the PDF, the authors include a breakdown of the leakages they found in each browser family. The two that were most significant to me is Chrome's "Active/Other" leak on iPhones and Safari's "Locked" leak. I believe this means that malicious Javascript (1) on Google Chrome on an iPhone on an inactive tab, and (2) on mobile Safari while the screen is locked, can access tilt and motion data at a level of detail sufficient to deduce what the user is typing.


Accelerometer data could be used too to figure out how long it took to move from one entry on a virtual keyboard to another reducing the search space considerably.
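Editor's added example for the two comments above (not code from the thread, from the BBC piece or from the paper's authors): the motion samples are constructed by hand, and the 1 m/s² tap threshold, the 100 ms refractory period and the rule "negative roll rate means the left half of the keypad" are assumptions. It takes devicemotion-shaped samples, segments the taps out of the accelerometer trace, and reports the inter-tap intervals and a coarse left/right guess per tap, which is the raw material a classifier like the paper's would consume.

```javascript
'use strict';
// Added example, not from the original thread. Thresholds, sample rate and the
// left/right rule are assumptions; the motion data below is constructed by hand.

// Each sample mirrors the fields of a DeviceMotionEvent: acceleration including
// gravity in m/s^2, rotation rate in deg/s, and a timestamp in ms.
function makeSample(timeStamp, z, gamma) {
  return {
    timeStamp,
    accelerationIncludingGravity: { x: 0, y: 0, z },
    rotationRate: { alpha: 0, beta: 0, gamma },
  };
}

// Constructed ~60 Hz trace: a 9.8 m/s^2 gravity baseline with small jitter,
// plus four short spikes where a thumb strikes the glass. gamma is the roll
// rate; here negative means the phone rolled towards the left (assumption).
function buildTrace() {
  const taps = [
    { at: 300, gamma: -40 },  // left half of the keypad
    { at: 650, gamma: 35 },   // right half
    { at: 900, gamma: 38 },   // right half
    { at: 1400, gamma: -45 }, // left half
  ];
  const samples = [];
  for (let t = 0; t < 1700; t += 16) {
    let z = 9.8 + (t % 48 === 0 ? 0.05 : -0.05); // sensor jitter
    let gamma = 0;
    for (const tap of taps) {
      const d = t - tap.at;
      if (d >= 0 && d < 48) {      // a strike rings for about three samples
        z += 2.5 - d / 24;
        gamma = tap.gamma;
      }
    }
    samples.push(makeSample(t, z, gamma));
  }
  return samples;
}

// Segment taps: a reading more than `threshold` above the resting baseline
// starts a tap; readings within `refractoryMs` of it are the same tap ringing.
// The baseline is the mean of the first ten samples (assumes the trace starts
// with the phone at rest).
function detectTaps(samples, { threshold = 1.0, refractoryMs = 100 } = {}) {
  if (samples.length === 0) return { baseline: 0, taps: [], intervalsMs: [] };
  const rest = samples.slice(0, 10);
  const baseline = rest.reduce((a, s) => a + s.accelerationIncludingGravity.z, 0) / rest.length;
  const taps = [];
  let lastTapAt = -Infinity;
  for (const s of samples) {
    const excess = s.accelerationIncludingGravity.z - baseline;
    if (excess > threshold && s.timeStamp - lastTapAt >= refractoryMs) {
      lastTapAt = s.timeStamp;
      taps.push({
        t: s.timeStamp,
        side: s.rotationRate.gamma < 0 ? 'left' : 'right',
        excess: Number(excess.toFixed(2)),
      });
    }
  }
  // Inter-tap timing: the distance between keys shows up as the time the
  // thumb needs to travel, which is the feature the comment above describes.
  const intervalsMs = taps.slice(1).map((tap, i) => tap.t - taps[i].t);
  return { baseline: Number(baseline.toFixed(2)), taps, intervalsMs };
}

const TRACE = buildTrace();
console.log(JSON.stringify(detectTaps(TRACE), null, 2));
```

On the constructed trace this yields four taps (left, right, right, left) with intervals of 352, 256 and 496 ms. A real attack would feed those timings and tilt signs, over many PIN entries, to a classifier; the point of the example is only that a background page receiving devicemotion events already has everything it needs to build that feature vector.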


Another good reason to use a non standard keyboard.


Isn't Google Chrome on iPhones just a reskinned Safari since Apple doesn't allow other browsers to use their own engines?


Bingo. It's not really Chrome at all. A better author would have pointed out that the iOS platform is flawed, its singular browser in any of its different wrappers is vulnerable in exactly the same way.


This attack, and an annoyance that I see on Android from time to time, could be easily mitigated in Chrome if they would simply ship permissioning for access to hardware devices.

There is this annoying popup ad that infects the ad networks of a few websites; it first smashes the history of the tab and then vibrates your phone and shows a page with a bunch of red warning text telling you that you have a virus and your phone is "damaged", trying to get you to download some crappy virus scamware.

No way in hell a random website should be able to make your phone vibrate without your permission, much less tell how it's moving with the accelerometer.

I've googled around a lot; there is NO WAY to disable this :/


Chrome will soon require an SSL cert in order for web services to use the device orientation API, which is a step in the right direction, but ultimately doesn't help in prevention.


Relevant: A friend of mine analyzed lock patterns for her thesis. Got some press: https://arstechnica.com/security/2015/08/new-data-uncovers-t...

The patterns are predictable, and can be further narrowed down if you know the hand they normally use.


I reduce predictability - and people peeking - by passing over already selected nodes and deactivating the visual tracing of the graph. I can draw my code in front of someone several times without them being able to unlock my phone :)


how come length 8 and 9 have the same number of combinations?


There is a one-to-one correspondence between them: a length 9 combination is just a length 8 combination followed by the sole remaining node. The lock screen has 9 nodes.
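Editor's added example for the question and answer above (not code from the thread or from the thesis the Ars article covers): an exhaustive count of valid 3x3 unlock patterns by length. The rule assumed is the stock Android one, each dot used at most once and a stroke may only cross an intermediate dot that has already been used; the tie between 8 and 9 dots falls out of the enumeration for exactly the reason the reply gives.

```javascript
'use strict';
// Added example, not from the original thread: exhaustively count the valid
// Android 3x3 unlock patterns by length. The rule assumed is the stock one:
// a dot is used at most once, and a stroke may cross an intermediate dot only
// if that dot has already been used.

const SIDE = 3;
const DOTS = SIDE * SIDE; // dots numbered 0..8, row by row

// Dot lying exactly on the segment a->b, or -1 when there is none
// (e.g. 0->2 crosses 1, 0->8 crosses 4, 0->5 crosses nothing).
function dotBetween(a, b) {
  const ra = Math.floor(a / SIDE), ca = a % SIDE;
  const rb = Math.floor(b / SIDE), cb = b % SIDE;
  if ((ra + rb) % 2 !== 0 || (ca + cb) % 2 !== 0) return -1;
  return ((ra + rb) / 2) * SIDE + (ca + cb) / 2;
}

// counts[k] = number of valid patterns using exactly k dots, minLen <= k <= maxLen.
function countPatterns(minLen = 4, maxLen = DOTS) {
  const counts = new Array(DOTS + 1).fill(0);
  const used = new Array(DOTS).fill(false);

  function extend(last, len) {
    if (len >= minLen) counts[len] += 1;
    if (len === maxLen) return;
    for (let next = 0; next < DOTS; next += 1) {
      if (used[next]) continue;
      const mid = dotBetween(last, next);
      if (mid !== -1 && !used[mid]) continue; // would jump over an unused dot
      used[next] = true;
      extend(next, len + 1);
      used[next] = false;
    }
  }

  for (let start = 0; start < DOTS; start += 1) {
    used[start] = true;
    extend(start, 1);
    used[start] = false;
  }
  return counts;
}

// Why lengths 8 and 9 tie: with eight dots used, the single unused dot is
// always reachable, because any dot between it and the current one is
// already used, so each 8-dot pattern extends to exactly one 9-dot pattern.
function totalPatterns(counts) {
  return counts.reduce((a, b) => a + b, 0);
}

const COUNTS = countPatterns();
for (let k = 4; k <= DOTS; k += 1) console.log(`${k} dots: ${COUNTS[k]}`);
console.log(`total: ${totalPatterns(COUNTS)}`);
```

The run gives 1624, 7152, 26016, 72912, 140704 and 140704 patterns for 4 to 9 dots, 389,112 in total, which is the figure usually quoted for the Android lock; it is roughly an 18-bit key space before any of the human bias the article describes is applied.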




That surely is an interesting finding, especially if it can be confirmed.

Null hypothesis: females in general are more trusting and [consider themselves more] trustworthy. As humans we tend to project our own morality on to others, thus expecting people to be less likely to try and attack their stuff and so being less desirous of strong protection?


Wouldn't the null hypothesis be no gender difference, with gender difference in either direction to be proven by experiment?


We're using alternate definitions: I'm using "my null hypothesis", as in my zero-numbered hypothesis that I would then attempt to test for. You're using, presumably, "the Null Hypothesis" as a specific hypothesis suggesting that two populations have no causal relationship [IIRC]. My null-ordered labelling just confused my hypothesis with a particular default used in some statistical arenas AFAICT.


idanoeman's use of "null hypothesis" is far more standard than yours. And if you use such a phrase in a highly non-standard way, you can't be surprised that people think it means something other than what you meant...


I saw an ATM before that scrambled the number pad on its touchscreen so the numbers were in a different position every time. Would that work to mitigate this attack?


There's an option to do this in many third party Android ROMs, which I personally take advantage of. I don't think it's really "terrible ux"; it hasn't been that hard to adjust to.


In fact, if the numbers on the lockscreen are not scrambled, a low-tech version of this is to look at where the most prominent smudges are on the screen to find the PIN number :)


This works particularly well with the pattern matching option on android devices.


This may work for ATMs because you are not using them several times a day, or even in a week, but scrambling will make for bad UX on smartphones.


I can't remember when I last used an ATM (maybe 5 years ago?) and haven't seen the one near work used much so checked usage stats. It's more common here than I thought (as are cheques) but it's not used much. http://www.paymentsnz.co.nz/articles/nz-payments-stats-a-yea...


Well, I think for 95% of the world this isn't required. But for the 5% who need the security, they'll put up with the UX.


As a university project, I did something very similar, only using a malicious app. The app would monitor the device state, and record gyro data as soon as the screen was on, but the device was locked. We didn't have the time to properly implement a decent classifier, but the data collection was surprisingly effective.


Brilliant. Did you upload the source anywhere?


Wouldn't that be a bit irresponsible?


Depends on your security philosophy.


Very


Why?



The authors' paper link is to a closed access journal, but a preprint is thankfully available here: https://arxiv.org/abs/1602.04115


Interesting how the blog post is from February 2016, while the news story covering it is dated April 2017.


Much better source, thanks!


How about not letting javascript run when the phone is locked? Heck, on my phone I'd be fine with not letting it run when the browser tab isn't active.

What use case am I not thinking of here?


On desktop FF I have an extension that prevents JavaScript from running in background tabs unless whitelisted.

Saves a lot of CPU if I have google search result in background tabs.


What is this extension called? I use FF, and I'd love to turn this on for most of my background tabs (except for a few like GMail).


Not in front of my computer now. If you check back tomorrow I might have added it here or to my profile. : )


Suspend tab by Piri (piro_or) is the one on my laptop at least.

In the description it also mentions other extensions; in particular suspend-background-tabs looks like something I might be using on one of my/someone else's machines.


Distributed mining ;)


also, I'm realizing that I've told people "you don't need to quit apps in iOS, it takes care of memory itself" but quitting browsers sounds like it is a good idea now.


Nice hack. I've been using my phone for less and less over the years, out of security concerns, since it's my 2fa device and I sometimes check email with it. After the Broadcom wifi thing I even stopped carrying it around. I guess it's past time to buy a dedicated 2fa device.


Are you thinking about U2F or something more?

Here is a helpful discussion including using the Yubikey Neo NFC with Android phones and alternatives to Yubikey: https://news.ycombinator.com/item?id=13635433


Things like that, yes, thanks for the link. I've vaguely heard about these devices but not yet properly researched them.


What broadcom wifi 'thing' are you referring to? Guess I missed that piece of history.



Ah. Thanks to you both.


Every single cellphone that uses Broadcom wifi (basically all of them) has remote root via wifi. 95% will never be patched.


At least there is 5%(Nexus and Pixel) that get patched. The baseband is wide open on 100% of cellphones with a SIM card in them, and it's never getting patched.


That's ignoring that GSM and friends are still broken, so your device being rooted is still only half the issue.


Where would you buy one? I'd love to have one myself.


YubiKeys are supposed to be great. I don't have one myself - been mulling it over, but not sure if I need one since I have an authenticator app on my phone. If anyone thinks I should though I'm all ears!


If 2fa through SMS, then maybe any dumbphone is okay?

Google 1st: https://security.stackexchange.com/questions/150153/is-a-dum...


SMS itself isn't all that secure.


> SMS itself isn't all that secure.

But isn't the point of 2FA that it's OK to have each of the factors individually be (relatively) insecure - passwords being about as insecure as imaginable for most users - as long as no-one is likely to have access to both of them? Thus, it's OK if someone can read your texts, as long as they don't also know your passwords.


Hackers have stolen large amounts of cryptocurrencies from individual targets because they used SMS 2FA. (If probably more money than I've ever had counts as large.) You might not be as juicy a target, but if you're reading HN I guess you're at least mildly interesting these days, this being the cyberpunk future.


My bank used to ship a credit card size device that does 2fa.


Quick Fix: at OS level, temporarily disable all sensors while typing on the virtual keyboard.


Perhaps freeze all sensors at the last known value when entering a pin and when typing into password fields.


Adding another convenient flag to monitor for when to snarf your password doesn't seem all that forward thinking security-wise...
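Editor's added example for the three-comment exchange above (not code from the thread): both obvious OS-side mitigations, holding the sensor at its last value or simply not delivering events while the PIN field has focus, leave a mark in the stream that a listening page can find, which is the objection the last comment raises. All data is constructed; the 60 Hz rate, the window position and the run-length and gap thresholds are assumptions.

```javascript
'use strict';
// Added example, not from the original thread: the two obvious OS-side
// mitigations (hold the sensor at its last value, or stop delivering events
// while a PIN field has focus) each leave a fingerprint in the stream that
// an attacker can find. All data below is constructed; window bounds and
// thresholds are assumptions.

// Deterministic jitter that never repeats on consecutive samples, so a flat
// run in the trace can only come from the OS freezing the value.
function jitter(i) {
  return ((i * 37) % 11 - 5) * 0.01; // steps by 4 mod 11, never two equal in a row
}

// Mitigation A: samples in [freezeFrom, freezeTo] are pinned to the last
// real reading (index freezeFrom - 1). 16 ms per sample, ~60 Hz.
function buildFrozenTrace(n = 200, freezeFrom = 40, freezeTo = 130) {
  const out = [];
  for (let i = 0; i < n; i += 1) {
    const z = (i >= freezeFrom && i <= freezeTo) ? out[freezeFrom - 1].z : 9.8 + jitter(i);
    out.push({ timeStamp: i * 16, z: Number(z.toFixed(3)) });
  }
  return out;
}

// Mitigation B: the same window is simply not delivered to the page.
function buildGappedTrace(n = 200, dropFrom = 40, dropTo = 130) {
  const out = [];
  for (let i = 0; i < n; i += 1) {
    if (i >= dropFrom && i <= dropTo) continue;
    out.push({ timeStamp: i * 16, z: Number((9.8 + jitter(i)).toFixed(3)) });
  }
  return out;
}

// Attacker's check for A: runs of identical readings at least minRun long.
// A real sensor at rest still jitters, so a long flat run marks the interval
// that was hidden, i.e. exactly when the PIN was being typed.
function findFrozenWindows(samples, minRun = 6) {
  const windows = [];
  let runStart = 0;
  for (let i = 1; i <= samples.length; i += 1) {
    const continues = i < samples.length && samples[i].z === samples[i - 1].z;
    if (!continues) {
      const len = i - runStart;
      if (len >= minRun) {
        windows.push({
          start: runStart, end: i - 1, samples: len,
          startMs: samples[runStart].timeStamp, endMs: samples[i - 1].timeStamp,
        });
      }
      runStart = i;
    }
  }
  return windows;
}

// Attacker's check for B: timestamps that jump by more than the period allows.
function findGaps(samples, maxGapMs = 40) {
  const gaps = [];
  for (let i = 1; i < samples.length; i += 1) {
    const gap = samples[i].timeStamp - samples[i - 1].timeStamp;
    if (gap > maxGapMs) {
      gaps.push({ afterIndex: i - 1, fromMs: samples[i - 1].timeStamp, toMs: samples[i].timeStamp, gapMs: gap });
    }
  }
  return gaps;
}

console.log('frozen windows:', JSON.stringify(findFrozenWindows(buildFrozenTrace())));
console.log('gaps:', JSON.stringify(findGaps(buildGappedTrace())));
```

Either way the page learns the start and end of PIN entry to within a sample, so it knows when to switch on the microphone, when to start screen-brightness or timing tricks, or simply how long the PIN took to type. A mitigation that does not leak the window has to look like normal operation, for example never exposing raw motion data to pages at all, or only after an explicit permission prompt, rather than changing behaviour exactly when the secret is entered.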


I thought you just make the keyboard random every stroke and the human has to pick the right next letter, so it's not predictable with a known pattern.

edit: I like that "Obviously hackers wear hoodies..." hahaha, I like to wear a mask, and see as little as possible, while I mash on the keys hacking into the NSA.

edit: it's not funny though when you happen to see your server logs and you see various attempts to break in using WordPress-access attacks, like... forget the one, xmlrc or something... I don't use WordPress but man... gotta keep an eye on those logs. Also tracked one of the IPs, led to some site called BoltCloud, looks legit, with a login but... I don't know... not sure if you can bounce attacks from a server without that server's permission.


"Obviously most hackers wear hoodies and stand in dark rooms"

finally!


With machine learning these days I'm sure that accuracy will only increase too.

> They say they cracked four-digit pins with 70% accuracy on the first guess and 100% by the fifth guess.

I'd expect within a few months they could have 70% accuracy on the first guess for typing text/passwords.


BlackBerry solved this with their picture code lock http://n4bb.com/blackberry-10-getting-picture-password-unloc...


You can usually easily figure out someones connect the dots password simply by looking at the smudge marks on the screen.


Sure, but you can't do that if you're a web page. This is about a malicious app or website listening to the accelerometer and gyro to determine what the user is typing on the keyboard into a separate app.


This is why I chose one that doubles back on itself in a non-obvious way. I've tested it by trying to teach people the password, it usually takes them quite a while to learn it, even when I do it really, really slowly and give them lots of tries


Last time I used this on Android, there were 9 points but I couldn't use any one more than once. You can double back in a very limited way, but the more complex patterns I wanted to use were impossible.

I'm sure there's more written on this, but most patterns I've seen are just way too short. And hug the outer edge, are in-order, etc.


I noticed this when holding my phone at an angle so the light made the smudges completely obvious.


I bet you could do this by analyzing a video of someone holding their phone too.


Did you see that video of analyzing microscopic (subpixel) changes in video to reconstruct audio vibrations?


No do you have a link? That sounds nuts. So by analyzing a video you can recreate missing audio?


There was a 2014 SIGGRAPH submission called "The Visual Microphone" [1]; it is also discussed in the 'research highlights' section of the Communications of the ACM [2].

[1]: https://people.csail.mit.edu/mrub/VisualMic/

[2]: https://cacm.acm.org/magazines/2017/1/211095-eulerian-video-...


You're still limited by your video receiver and limited knowledge of what's going on the background. Using commodity hardware and visible spectrum light this technology shouldn't yet be used for more than very simple tasks.

Even humans are very prone to "glass of juice" vs "gas the jews" type errors.


Sorry for digressing from the main topic of the article, but isn't anyone else bothered by this terrible graph from the article https://cdn.arstechnica.net/wp-content/uploads/2015/08/alp-l... ?

For example, the bar for Men's shopping password length is 3x-4x longer than for Women's, but in reality the value (in tiny font) is only ~8% greater (the others are ~4% and ~10%).


> They said they'd told all the major tech companies, like Google and Apple, about the risks but no-one has been able to come up with an answer so far.

What about putting an end to tracking gestures?


Unbait yourself:

>Based on a test set of fifty 4-digit PINs


I wonder if you could hold the phone flat in one hand and press the buttons with the other hand to defeat this. Or wobbling while entering it one-handed.


You still get timing data from the taps.


Random delay?


Blackberry released an excellent app[1] for Android phones that helps solve this.

Any option for iOS? Can someone recommend a good 4-way privacy screen protector?

[1] http://www.theverge.com/2017/3/23/15038364/blackberry-privac...


That app makes it a little harder for a stranger to read what's on your screen, it doesn't have anything to do with browser access to the accelerometer and other sensors.


Heh, I tend to tilt my device a particular way to avoid prying eyes when typing in a password so I assumed a direct connection but others probably don't behave the same way


there won't be an iOS app that can do that unless you jailbreak


(I remember reading that a phone on a desk could be used to figure out what you type on a keyboard on the same desk.)


This attack has been known since at least 2011: https://www.usenix.org/legacy/event/hotsec11/tech/final_file...


I kind of can't wait till everything is biologically linked, I don't know if it's a good idea/cost effective. There's usually that scene in horror movies, removing eyeballs, removing hands/fingers etc... for biometric security.

Still, the thought of someone snatching my wallet and swiping away at my cards. Whereas if the card wasn't "active" unless my hand was the one holding it, I don't know how... fingerprint, pulse, heat, embedded RFID chip activates the card... I don't know. Think DNA-linked money too, but someone could steal your hair... I don't know, I'm just not going to carry more than $20.00 on me in any form of money.

random thought too: when everyone has their own API and this replaces social media, why would that happen I don't know. If people had custom readers to pull in a person's data.


The solution to this - for PINs and passwords at least - is to scramble the keyboard layout. It's slow, but if you're typing in a 6-digit PIN it doesn't take that long.


Simple solution to the codes, just place the numbers in random locations. I know Runescape used to do this with bank pins.



This is why using fingerprint sensors makes sense. Impossible to guess this.


Fingerprints have plenty of their own issues though.

http://www.theverge.com/2016/5/2/11540962/iphone-samsung-fin...


Pretty easy to come by a set of them locally though.


This is a great justification for fingerprint unlocking... I almost never need to enter my pin, either at home or (especially) in public.


Fingerprints are "something you have", but for multi-factor authentication you might also want to rely on "something you know". This news just indicates a problem of entering "something you know" into a device: it's definitely not a point in favour of fingerprint (they aren't simply alternatives)


Thanks captain obvious!



