Report: Websites can identify you just by analysing how you type

By James Walker     Sep 30, 2015 in Technology
A recent report has found that websites can track their users by doing nothing more than analysing keystrokes made during typing. It follows previous similar discoveries such as tracking using no other factor than the remaining battery on a device.
Alternet reports that security expert Per Thorsheim gave a talk on the technique during the recent PasswordsCon conference. Thorsheim founded the event to make it easier to find and share information on the best ways to protect user data.
It has been known for some time that each individual person has their own unique style of typing on a keyboard. Although it may vary with the keyboard used, typing scenario and posture, the general rhythms have been found to be mostly consistent and generally sufficient to identify the typist.
Simple methods of analysing keyboard usage are based around software techniques such as detecting how long keys are held for and the delay between pressing each key of a complex shortcut sequence. In a study involving Swedish security firm BehavioSec, researchers found these metrics can be used to identify a keyboard user with 99.7 percent accuracy.
This powerful capability could be used to make systems more secure. By collecting data about the keystrokes used to enter a password, a website could prevent people from guessing or stealing a user's password by verifying the typing patterns of the person trying to log in. If they match the user's, then access would be granted.
Otherwise, the impostor would be locked out and the account shielded, despite the intruder having access to the user's password. The technique would be much simpler than traditional two-factor authentication which requires users to wait for a code to arrive on their phone when logging into a service on a new device.
However, there are some major concerns. If cybercriminals stole the database of user typing patterns from a company like Google then they would be able to identify millions of people on any device they used. Traditional methods of password cracking could then be employed to gain access to the account.
Such a scenario could make a login system reliant on keystroke profiling less secure than one that doesn't. By obtaining the key pattern database from one site, any hacker would be able to control access to all of the user's keystroke-reliant online accounts.
Thorsheim has developed a plug-in for the Google Chrome browser that masks keystroke data and makes it harder for websites to decipher it. Created in conjunction with security researcher Paul Moore, Keyboard Privacy is currently in an early release status and can require some technical knowledge to get started, according to user reviews.
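The hold-time and key-delay metrics, the login check and the effect of masking described above, sketched as an added example; it is not code from BehavioSec, Thorsheim, Moore or the Keyboard Privacy plug-in. The function names, the constructed timings, the z-score comparison with its 2.0 threshold and the fixed-value masking are all assumptions made for illustration.

```javascript
// Added example: hypothetical names, constructed timings, illustrative threshold.
// A key event is { down, up }: press and release timestamps in milliseconds.

// Dwell = how long each key is held; flight = delay between consecutive presses.
function extractFeatures(events) {
  const dwell = events.map(e => e.up - e.down);
  const flight = events.slice(1).map((e, i) => e.down - events[i].down);
  return dwell.concat(flight);
}

// Enrolment: per-feature mean and standard deviation over several samples.
function enroll(samples) {
  const vectors = samples.map(extractFeatures);
  return vectors[0].map((_, j) => {
    const col = vectors.map(v => v[j]);
    const mean = col.reduce((a, b) => a + b, 0) / col.length;
    const variance = col.reduce((a, b) => a + (b - mean) ** 2, 0) / col.length;
    return { mean, std: Math.max(Math.sqrt(variance), 5) }; // 5 ms floor on std
  });
}

// Mean absolute z-score of an attempt against the enrolled profile.
function distance(profile, events) {
  const f = extractFeatures(events);
  if (f.length !== profile.length) return Infinity; // wrong number of keys
  return f.reduce((s, x, j) => s + Math.abs(x - profile[j].mean) / profile[j].std, 0) / f.length;
}

// Rhythm check, meant to run in addition to the normal password comparison.
function verify(profile, events, threshold = 2.0) {
  return distance(profile, events) <= threshold;
}

// Masking (assumed approach): replace real timings with fixed dwell and gap.
function mask(events, dwell = 200, gap = 350) {
  return events.map((_, i) => ({ down: i * gap, up: i * gap + dwell }));
}

// Constructed samples: [pressTime, holdTime] for a four-key password.
const typed = pairs => pairs.map(([down, hold]) => ({ down, up: down + hold }));
const ownerSamples = [
  typed([[0, 90], [150, 80], [310, 100], [450, 85]]),
  typed([[0, 95], [160, 75], [320, 105], [455, 90]]),
  typed([[0, 85], [145, 85], [300, 95], [440, 80]]),
];
const ownerAttempt = typed([[0, 92], [155, 78], [312, 98], [452, 88]]);
const impostorAttempt = typed([[0, 140], [260, 60], [400, 150], [700, 120]]);
const profile = enroll(ownerSamples);
```

Here `verify(profile, ownerAttempt)` accepts the owner and rejects `impostorAttempt`; after `mask()` both typists yield the same feature vector, so masking that defeats profiling also fails a rhythm-based login check.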
Keystroke profiling isn't likely to be used by cybercriminals for some time. Currently, there is no established method of tracking key delays across devices and certainly no service storing the data and using it for account security. Other modern ways of tracking users are beginning to appear though, including one that could affect mobile users of websites.
HTML5, the latest incarnation of the language behind webpages, includes support for new APIs that allow developers to access the battery status of a device. This feature will allow the creators of future web apps to tailor content to a user's remaining battery, perhaps opting to darken colours, use less media or halt video playback if charge falls below a certain level.
However, a paper published last month presented some concerning findings about how the innocent API could be exploited to allow hackers to track users. It found that a flaw in the Linux version of the Firefox web browser caused it to return exceedingly accurate remaining battery levels instead of the two decimal places of other platforms.
This extra precision forms the basis of the exploit as it allows web developers to track minute changes in the charge level of a battery. It makes it possible to monitor the tiny loss of charge that occurs continually as a device is used. Invisible to the user who sees an integer value such as "9%" in their device's status bar, Firefox was returning values like "0.9301929625425652".
The researchers found that a malicious developer who created a script and used it on several websites could track individual users as they moved between them. By analysing the remaining battery charge of the device each time, it would be possible to link together separate visits to form a user profile, especially when joined with other easily accessible hardware details such as screen size and resolution.
Because the API exposes details including maximum capacity, charging time and discharging time, the researchers concluded that with sufficient effort a hacker could even identify a device that had left the site, been recharged and then returned again, using nothing more than the battery API.
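Why the extra precision matters, as an added example that is not taken from the paper or from Firefox: it groups devices by the battery level a script would see and measures how identifying that value is. Only the first reading is the value quoted above; the other readings, the device labels and the function names are constructed for illustration.

```javascript
// Added example: constructed readings, hypothetical function names.
// Each reading is the BatteryManager level a page script could read for one device.

// Group devices by the level visible at a given precision (null = full precision).
function anonymitySets(readings, decimals) {
  const sets = new Map();
  for (const { device, level } of readings) {
    const seen = decimals === null ? String(level) : level.toFixed(decimals);
    if (!sets.has(seen)) sets.set(seen, []);
    sets.get(seen).push(device);
  }
  return sets;
}

// Devices whose visible value is shared with no other device stand out on their own.
function uniquelyIdentifiable(readings, decimals) {
  return [...anonymitySets(readings, decimals).values()]
    .filter(group => group.length === 1)
    .map(group => group[0]);
}

// Shannon entropy (bits) of the visible value: how far it narrows down the device.
function identifyingBits(readings, decimals) {
  let bits = 0;
  for (const group of anonymitySets(readings, decimals).values()) {
    const p = group.length / readings.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

const readings = [
  { device: "A", level: 0.9301929625425652 }, // value quoted in the article
  { device: "B", level: 0.9317403157894737 }, // constructed
  { device: "C", level: 0.9289473684210526 }, // constructed
  { device: "D", level: 0.4712643678160919 }, // constructed
  { device: "E", level: 0.4688995215311005 }, // constructed
];
```

At full precision every device in the sample is unique; at two decimal places they collapse into two shared groups and none stands out alone.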
Web browsers do not prompt to allow access to these features as they are part of the HTML5 specification and cannot be disabled. Although this issue has been fixed and only applied to the Linux version of Firefox, it is thought that such hardware-profiling techniques will make invisible tracking much more common over the next few years.
Security is very topical currently amid recent revelations of widespread government surveillance and reports of new cyber-attacks every week. Most people appreciate that their visits to websites can be easily logged and use in-browser privacy modes to defend against tracking. Soon, those defences could come to an end as criminals gain access to even more advanced techniques, combining how a user types with the embedded hardware details of their device to piece together a detailed profile that most people wouldn’t imagine is possible.