Website Can Track Mechanical Keyboard Typing Just By Listening

Need another reason to skip the upgrade to a clackety mechanical keyboard, besides a little sympathy for your co-workers who will undoubtedly suffer from your furious typing? It turns out that all that’s needed to eavesdrop on what’s being typed on a loud keyboard is a microphone and some clever software.

Clever hackers have come up with countless ways to compromise the security of a computer’s keyboard. Some are as simple as adding a keystroke capturing dongle to a keyboard’s USB cable, while others are far more complex and nefarious, including using of lasers to detect vibrations on nearby surfaces as someone is typing up a storm. Some keyloggers even go as far as detecting fluctuations in power lines, which are created each time a key is pressed. There’s even more reasons to be paranoid if your keyboard of choice connects wirelessly to your computer, as many models are riddled with easily exploitable security holes.

But it turns out there’s a far simpler solution to eavesdropping on what someone is typing that skips wireless radio signals and other electronic shenanigans. As anyone who’s unfortunately found themselves working in a two-mile radius of a mechanical keyboard fan knows, the sound of key presses on some boards can be unpleasantly deafening. It’s bad for those without noise-cancelling headphones, but great for hackers who can get their hands on a simple device called a microphone.

Georgi Gerganov has been dabbling with using keyboard clacks to determine what’s being typed (even on keyboards that are unplugged and receiving no power) for a while now, but their past approaches have relied on computer models that required training first. The keyboard user needed to type a predetermined series of known words and phrases that Gerganov’s software would use as a starting point to decipher what was being typed when the content was unknown. It also required the position of the microphone to remain the same between training and deciphering, limiting the practical use of the exploit.

Gerganov is now testing Keytap3, version three of their exploit, which does away with the need for training and other limitations altogether. Using it simply requires a passable microphone, like the one built into smartphones and laptops, and an application that can apparently even be embedded and run right in a webpage. As Gerganov explains, it “works by clustering the detected keystrokes based on their sound similarity and then using statistical information about the frequency of the letter n-grams in the supposed language of the text (for example, English).” Some letter combinations in the English language are used more often than others, and with that knowledge, and how quickly many of us can type commonly used letter groups thanks to muscle memory, some educated guesses can be made.

Head over to Gerganov’s website to try it out yourself, but you’ll need a loud mechanical keyboard and a firm grasp of the English language for the best results—and by best results, we don’t mean that this exploit is 100% flawless in its ability to guess what’s being typed. But it can be surprisingly—and concerningly—accurate at times. It can’t perfectly extract a lengthy email, word for word, just by listening. But amongst the words it does successfully extract could be user names, passwords, and even website URLs you’d rather not share with others.

So maybe mushy keyboards aren’t so bad after all?