Computer scientists at the University of California (UC), Berkeley, have discovered a new security threat concerning keyboard clicks, wherein a simple audio recording of these clicks can betray the text that has been just entered, be it a password or a love note!

In an experiment, the researchers took 10-minute sound recordings of users typing at a keyboard, fed the audio into a computer and using an algorithm recovered upto 96 percent of the characters entered. Reportedly prior work has been done in this direction by IBM researchers Rakesh Agrawal and Dmitri Asonov, who managed to retrieve 80 percent of text from keyboard recordings.

According to Doug Tygar, professor of computer science and information management and principal investigator of this study, UC Berkeley, "It's a form of acoustical spying that should raise red flags among computer security and privacy experts. If we were able to figure this out, it's likely that people with less honorable intentions can - or have - as well."

The technique used by the researchers becomes feasible, due to the fact that each keystroke makes a relatively distinct sound, however subtle, when hit. Also, typical users can type about 300 characters per minute, which leaves enough time for a computer to isolate the sounds of individual keystrokes.

Li Zhuang, Ph.D. student in computer science and lead author of the study, UC Berkeley, said, "Using statistical learning theory, the computer can categorize the sounds of each key as it's struck and develop a good first guess with an accuracy of 60 percent for characters, and 20 percent for words."

"We then use spelling and grammar checks to refine the results, which increased the character accuracy to 70 percent and the word accuracy to 50 percent. The text is somewhat readable at this point", said Zhuang.

The process does not end there; the audio recording is played back repeatedly to "train" the computer to increase its accuracy. Once the PC is trained, recovering the text becomes simpler.

However, the researchers have admitted that they did not use the Control, Backspace, Shift or Caps Lock keys for their experiment, which means that the technique does have its own limitations.

Nevertheless the findings highlight a security hole that can be exploited, irrespective of the user's typing proficiency, type of keyboard used or background noise.

Commenting on the problem, Tygar said, "There are different forms of authentication that could be used, including smart cards, one-time password tokens or biometrics. That helps with passwords, but it doesn't help protect text documents we would want to keep classified. I'm not sure what the solution is, but it's important that we're aware of this vulnerability."