Smoking Keyboards

Another acoustic keylogger, kbd-audio [10] by Georgi Gerganov, offers a collection of tools for capturing and analyzing acoustic audio.

You can install kbd-audio with ease as follows on Ubuntu Linux 22.04:

$ apt install libsdl2-dev -y

This pulls down the packages shown in Listing 10, thankfully with a small disk footprint of 54.2MB.

libasound2-dev libblkid-dev libdbus-1-dev libdecor-0-0 libdecor-0-dev libdecor-0-plugin-1-cairo libdrm-dev libegl-dev libegl1-mesa-dev libffi-dev libgbm-dev
libgl-dev libgles-dev libgles1 libglib2.0-dev libglib2.0-dev-bin libglu1-mesa-dev libglvnd-core-dev libglvnd-dev libglx-dev libibus-1.0-dev libice-dev libmount-dev libopengl-dev libpciaccess-dev libpcre16-3 libpcre2-16-0 libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libpthread-stubs0-dev libpulse-dev libsdl2-2.0-0 libsdl2-dev libselinux1-dev libsepol-dev libsm-dev libsndio-dev libsndio7.0 libudev-dev libwayland-bin libwayland-dev libx11-dev libxau-dev libxcb1-dev libxcursor-dev libxdmcp-dev libxext-dev libxfixes-dev libxi-dev libxinerama-dev libxkbcommon-dev libxrandr-dev libxrender-dev libxss-dev libxt-dev libxv-dev libxxf86vm-dev pkg-config uuid-dev x11proto-dev xorg-sgml-doctools xtrans-dev

During my installation of kbd-audio, I used the commands in Listing 11, which differ slightly from the documentation because I needed additional packages. Listing 11 resulted in lengthy output which completed successfully, as seen here:

-- Configuring done
-- Generating done
-- Build files have been written to: /root/kbd-audio/build

$ git clone https://github.com/ggerganov/kbd-audio
$ cd kbd-audio
$ git submodule update --init
$ mkdir build && cd build
$ apt install cmake -y
$ cmake .. # leave the dots in place

Finally, I ran the make command to compile the configured build files as shown in Listing 12. Because I cloned the repository under the root user's home directory, it was important that the compiled commands were executed under the repo's build directory (in my case, /root/kbd-audio/build).

$ make
[  2%] Building CXX object CMakeFiles/Core.dir/common.cpp.o
[  4%] Building CXX object CMakeFiles/Core.dir/audio-logger.cpp.o
[  6%] Linking CXX static library libCore.a
[  6%] Built target Core
[  8%] Building CXX object CMakeFiles/Gui.dir/common-gui.cpp.o
[ 10%] Building CXX object CMakeFiles/Gui.dir/imgui/imgui.cpp.o
[...]
[100%] Linking CXX executable compress-n-grams
[100%] Built target compress-n-grams

To begin surveilling ambient noise in the room (turn up your microphone to maximum volume for the best results), use:

$ ./record-full output.kbd

Figure 4 shows an excerpt of the recording output.

Figure 4: Capturing keyboard audio.

To play back the keystrokes, run the following command in another terminal, again in the same directory:

$ ./play-full output.kbd

Figure 5 shows what kbd-audio recorded. When I played back the audio from my recording, I could hear my erratic typing noises with external ambient sounds cleverly faded out.

Figure 5: Playing back the recorded audio.

The kbd-audio GitHub repo offers advice on how to get graphical output from its acoustic keylogging activities. There is also an easy-to-use online demo [11] for kbd-audio's keytap tool. Using this demo, I entered a few lines of text and hit the Predict button, and a graphical representation appeared for some of the typed characters as shown in Figure 6. The output in Figure 7 shows how keytap learns from the sounds it receives. Finally, a YouTube video [12] on keytap provides additional information.

Figure 6: After receiving and analyzing the keyboard input, keytap highlights the relevant keys.

Figure 7: The learning process occurring under the hood for keytap.

As mentioned earlier, depressing a key on a keyboard and it springing back is how sounds are analyzed. Figure 8 shows kbd-audio's representation of what that looks like in a sound file.

Figure 8: The ups and downs of keys when typing (source: https://ggerganov.github.io/jekyll/update/2018/11/30/keytap-description-and-thoughts.html).

Two's a Crowd

You'll find two other evolutions of keytap in the kbd-audio repo. The second evolution, keytap2, does not require training data. (I'm sure you can see the significant benefits of this iteration of the tool.) Instead of using training data, keytap2 references statistical information in relation to the n-gram frequencies involved. An n-gram is a series of adjacent letters [13]. For a treatise on how keytap2 works, see [14].

You can test out keytap2 in Gerganov's Capture The Flag (CTF) competition [15], where successful users enter a Hall of Fame. A keytap2 online demo [16] offers helpful instructions to get you up and running after clicking the Init button.

Three and Magic Numbers

The final version in the kbd-audio repo is keytap3, which improves on the algorithm and provides better n-gram statistics. In addition, keytap3 no longer requires manual intervention during text recovery – it is fully automated.

To see how keytap3 works, you can watch a 90-second YouTube video [17]. If you're not concerned about acoustic keylogging after watching this video, then you are clearly less concerned with cybersecurity than I am.

You can also try out keytap3 using an online GUI [18]. To get started with the demo, press the Init button and then provide your browser with the correct permissions when prompted.

Finally, an online test [19] lets you check your keyboard's security. You type 100 characters and then press Init to get your results (Figure 9). You can also play back your recording over your speakers if desired. In testing my keyboard, I found the results worrying but not fully accurate. I suspect using old hardware is a blessing in this case.

Figure 9: The results of a keyboard vulnerability test.