Home of Lisa's Top Ten, the daily email that brings you the world.
The first task of the day

Sign Up for Lisa's Top Ten


AI Poses Significant Threat to Online Security with Ability to Capture Passwords and Keystrokes

AI was able to listen sound of keyboard strokes and recreate typed text with 93 percent accuracy.

More than two-thirds of Americans are worried about the negative effects of artificial intelligence (AI), while 61 percent believe it could “threaten civilization,” according to a recent Reuters/Ipsos poll.

Whether or not AI will actually threaten the physical wellbeing of humans remains to be seen, but it’s already posing a number of other significant threats.

A recent study carried out by three cyber experts based in the UK demonstrates that AI poses a direct threat to our online security. “With recent developments in deep learning,” begins the paper, “the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever.”

Deep learning, inspired by the human brain, is an AI-based method that teaches computers how to process data. Side-channel attacks, meanwhile, work by exploiting information that is inadvertently leaked by a user or a user’s system.

The researchers found that by exploiting certain ‘leaks,’ AI-driven attacks stole passwords with up to a 95 percent accuracy. Specifically, as the cyber experts note, when “trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model.” "When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium,” they added. Over Skype, the model had a 91.7 percent accuracy. In other words, AI succeeded by listening in on what users typed on their keyboards.

The researchers trained this specific AI model on the audio recordings of what people were typing; the AI, combined withthe method of deep learning, then learned to identify the different sounds made by each key.

Dr. Maryam Mehrnezhad, a senior lecturer in information security at Royal Holloway University of London and one of the authors of the paper, told JustTheNews that “side-channel”attacks, which are becoming more prevalent, “happen when the attacker uses extra (side channel) information (e.g., sound, processing time, motion sensors) to obtain a secret piece of information such as a PIN or password.”

One of the more worrying aspects, she added, is “how feasible and accurate acoustic side-channel attacks can be without physical access to the victim's laptop and via recording the keystroke sounds from a distance or even during a Zoom call.”

Although “side-channel attacks have been around for many years.,” continued Dr. Mehrnezhad, “with more computational power, these attacks can be scaled up and performed in real time by potential bad actors such as hackers.” In her previous work published in the International Journal of Information Security, the Mehrnezhad showed how bad actors can use motion sensors on mobile phones to identify user PINs and touch actions.

What, if anything, can a user do to keep him or herself safe?

“We provide a range of mitigation methods in the paper,” saidDr. Mehmezhad, “such as being vigilant about your surroundings and video/voice connections when dealing with sensitive information such as PINs and passwords. It is always good to follow general security and privacy advice such as choosing strong passwords and not opening random links.”

For example, in the paper, the authors show that when touch typing was used, keystroke recognition dropped to 40 percentfrom 64 percent. As opposed to regular typing, where a user uses two to four fingers, touch typing, or ‘ten-finger typing,’ involves all ten. Another defense mechanism mentioned includes the use of far stronger passwords. Thirty percent of internet users in the US have experienced a data breach due to weak passwords. More than 4 out of every 5 Americans (83 percent) are using weak passwords.

Ultimately, added Dr. Mehmezhad, “I don't think the pressure should be on the end user. The cybersecurity and privacy community -- academia, industry, policymaking, standardization, etcetera -- need to come up with more secure and privacy-preserving solutions, legislation, and enforcement and enable citizens to use modern technologies in order to improve the quality of their lives without any risk and fear.”

Considering the speed at which AI is evolving, time is very much of the essence.

Related Story: Senators Call for AI Regulation as Concerns for National Security Grow

Read More

Related Posts