An introduction to acoustic keyloggers
Smoking Keyboards
Another acoustic keylogger, kbd-audio [10] by Georgi Gerganov, offers a collection of tools for capturing and analyzing acoustic audio.
Installing kbd-audio on Ubuntu Linux 22.04 is easy; start with the SDL2 development package:
$ apt install libsdl2-dev -y
This pulls down the packages shown in Listing 10, thankfully with a small disk footprint of 54.2MB.
Listing 10
Installed Packages for kbd-audio
libasound2-dev libblkid-dev libdbus-1-dev libdecor-0-0 libdecor-0-dev libdecor-0-plugin-1-cairo libdrm-dev libegl-dev libegl1-mesa-dev libffi-dev libgbm-dev libgl-dev libgles-dev libgles1 libglib2.0-dev libglib2.0-dev-bin libglu1-mesa-dev libglvnd-core-dev libglvnd-dev libglx-dev libibus-1.0-dev libice-dev libmount-dev libopengl-dev libpciaccess-dev libpcre16-3 libpcre2-16-0 libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libpthread-stubs0-dev libpulse-dev libsdl2-2.0-0 libsdl2-dev libselinux1-dev libsepol-dev libsm-dev libsndio-dev libsndio7.0 libudev-dev libwayland-bin libwayland-dev libx11-dev libxau-dev libxcb1-dev libxcursor-dev libxdmcp-dev libxext-dev libxfixes-dev libxi-dev libxinerama-dev libxkbcommon-dev libxrandr-dev libxrender-dev libxss-dev libxt-dev libxv-dev libxxf86vm-dev pkg-config uuid-dev x11proto-dev xorg-sgml-doctools xtrans-dev
During my installation of kbd-audio, I used the commands in Listing 11, which differ slightly from the documentation because I needed additional packages. Listing 11 resulted in lengthy output which completed successfully, as seen here:
-- Configuring done
-- Generating done
-- Build files have been written to: /root/kbd-audio/build
Listing 11
Additional Installation Steps
$ git clone https://github.com/ggerganov/kbd-audio
$ cd kbd-audio
$ git submodule update --init
$ mkdir build && cd build
$ apt install cmake -y
$ cmake .. # leave the dots in place
Finally, I ran the make command to compile the configured build files as shown in Listing 12. Because I cloned the repository under the root user's home directory, it was important that the compiled commands were executed under the repo's build directory (in my case, /root/kbd-audio/build).
Listing 12
Running make
$ make
[ 2%] Building CXX object CMakeFiles/Core.dir/common.cpp.o
[ 4%] Building CXX object CMakeFiles/Core.dir/audio-logger.cpp.o
[ 6%] Linking CXX static library libCore.a
[ 6%] Built target Core
[ 8%] Building CXX object CMakeFiles/Gui.dir/common-gui.cpp.o
[ 10%] Building CXX object CMakeFiles/Gui.dir/imgui/imgui.cpp.o
[...]
[100%] Linking CXX executable compress-n-grams
[100%] Built target compress-n-grams
To begin surveilling ambient noise in the room (turn up your microphone to maximum volume for the best results), use:
$ ./record-full output.kbd
Figure 4 shows an excerpt of the recording output.
To play back the keystrokes, run the following command in another terminal, again in the same directory:
$ ./play-full output.kbd
Figure 5 shows what kbd-audio recorded. When I played back the audio from my recording, I could hear my erratic typing noises with external ambient sounds cleverly faded out.
The kbd-audio GitHub repo offers advice on how to get graphical output from its acoustic keylogging activities. There is also an easy-to-use online demo [11] for kbd-audio's keytap tool. Using this demo, I entered a few lines of text and hit the Predict button, and a graphical representation appeared for some of the typed characters as shown in Figure 6. The output in Figure 7 shows how keytap learns from the sounds it receives. Finally, a YouTube video [12] on keytap provides additional information.
As mentioned earlier, the sounds that are analyzed come from a key being depressed and then springing back. Figure 8 shows kbd-audio's representation of what that looks like in a sound file.
Two's a Crowd
You'll find two other evolutions of keytap in the kbd-audio repo. The second evolution, keytap2, does not require training data. (I'm sure you can see the significant benefits of this iteration of the tool.) Instead of using training data, keytap2 references statistical information in relation to the n-gram frequencies involved. An n-gram is a series of adjacent letters [13]. For a treatise on how keytap2 works, see [14].
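The following added example (not code from kbd-audio or from this article) illustrates why n-gram statistics can replace training data: once keystroke sounds are grouped into anonymous clusters, the letter assignment that makes the text look most like the language stands out, so never having typed in front of the listener is no protection. The reference text, cluster IDs, four-key alphabet, and known space bar cluster are all constructed assumptions; brute force works here only because the alphabet is tiny.

```python
import math
from collections import Counter
from itertools import permutations

# Constructed stand-in for a language corpus (a real model uses far more text).
REFERENCE = "tea at sea as a test state sets a east seat taste"
LETTERS = "aest"  # toy alphabet of four keys
SPACE = 9         # assumption: the space bar's cluster is already identified
# Constructed observation: one anonymous cluster id per keystroke sound.
OBSERVED = [2, 9, 0, 3, 2, 9, 1, 3, 0, 9, 2, 0, 9, 1, 3, 2]

def bigram_model(text):
    """Add-one smoothed log-probability for every adjacent character pair."""
    counts = Counter(zip(text, text[1:]))
    vocab = sorted(set(text))
    total = sum(counts.values()) + len(vocab) ** 2
    return {(x, y): math.log((counts[(x, y)] + 1) / total)
            for x in vocab for y in vocab}

def score(text, model):
    """Log-likelihood of a candidate decoding under the bigram model."""
    return sum(model[pair] for pair in zip(text, text[1:]))

def recover(clusters, model):
    """Score every cluster-to-letter assignment and return the likeliest text."""
    ids = sorted(set(clusters) - {SPACE})
    best_score, best_text = -math.inf, ""
    for perm in permutations(LETTERS, len(ids)):
        table = dict(zip(ids, perm))
        table[SPACE] = " "
        text = "".join(table[c] for c in clusters)
        s = score(text, model)
        if s > best_score:
            best_score, best_text = s, text
    return best_text

if __name__ == "__main__":
    print(recover(OBSERVED, bigram_model(REFERENCE)))
```

The phrase typed in this constructed observation never appears in the reference text; only the bigram counts carry over.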
You can test out keytap2 in Gerganov's Capture The Flag (CTF) competition [15], where successful users enter a Hall of Fame. A keytap2 online demo [16] offers helpful instructions to get you up and running after clicking the Init button.
Three and Magic Numbers
The final version in the kbd-audio repo is keytap3, which improves on the algorithm and provides better n-gram statistics. In addition, keytap3 no longer requires manual intervention during text recovery – it is fully automated.
To see how keytap3 works, you can watch a 90-second YouTube video [17]. If you're not concerned about acoustic keylogging after watching this video, then you are clearly less concerned with cybersecurity than I am.
You can also try out keytap3 using an online GUI [18]. To get started with the demo, press the Init button and then provide your browser with the correct permissions when prompted.
Finally, an online test [19] lets you check your keyboard's security. You type 100 characters and then press Init to get your results (Figure 9). You can also play back your recording over your speakers if desired. In testing my keyboard, I found the results worrying but not fully accurate. I suspect using old hardware is a blessing in this case.