kbd-audio


This is a collection of command-line and GUI tools for capturing and analyzing audio data.

Keytap

The most interesting tool is called keytap - it can guess pressed keyboard keys only by analyzing the audio captured from the computer’s microphone.

Check this blog post for more details:

Keytap: description and some random thoughts

Video: short demo of Keytap in action

Try it online:

Keytap2

The keytap2 tool is another interesting tool for recovering text from audio. It does not require training data - instead it uses statistical information about the frequencies of the letters and n-grams in the English language.
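Why the lack of training data matters for risk, as an added example (not keytap2's code): once key presses are grouped into anonymous clusters, letter-bigram statistics alone separate a plausible decoding from an implausible one. The toy corpus, the cluster ids, the function names and the assumption that the audio stage has already produced cluster ids are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed toy corpus standing in for real English n-gram statistics.
CORPUS = "the cat sat on the mat and the rat ate the oat near that hat "


def bigram_model(text):
    """Return (log-prob table, log-prob floor) for letter bigrams, add-one smoothed."""
    counts = Counter(text[i:i + 2] for i in range(len(text) - 1))
    denom = sum(counts.values()) + 27 * 27  # 26 letters + space
    table = {g: math.log((c + 1) / denom) for g, c in counts.items()}
    return table, math.log(1 / denom)


def score(text, model):
    """Sum of bigram log-probabilities; higher means more English-like."""
    table, floor = model
    return sum(table.get(text[i:i + 2], floor) for i in range(len(text) - 1))


def rank(clusters, candidates, model):
    """Decode the cluster sequence under each candidate mapping, best score first."""
    decoded = ["".join(m[c] for c in clusters) for m in candidates]
    return sorted(decoded, key=lambda s: score(s, model), reverse=True)


# Constructed input: "the rat sat" with each distinct key replaced by a cluster id.
CLUSTERS = [0, 1, 2, 3, 4, 5, 0, 3, 6, 5, 0]
RIGHT = {0: "t", 1: "h", 2: "e", 3: " ", 4: "r", 5: "a", 6: "s"}
WRONG = {**RIGHT, 2: "a", 5: "e"}  # the 'a' and 'e' clusters swapped

if __name__ == "__main__":
    model = bigram_model(CORPUS)
    for text in rank(CLUSTERS, [WRONG, RIGHT], model):
        print(f"{score(text, model):8.2f}  {text!r}")
```

The practical consequence for a defender is that hiding which sound belongs to which key is not enough: the repetition pattern of the clusters already carries the text.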

A more detailed description of the tool is available here: Keytap2 discussion

Video: short demo of Keytap2 in action

CTF: can you guess the text being typed?

Try it online:

Keytap3

This version introduces significant algorithm improvements and better n-gram statistics compared to keytap2. The attack is now fully automated and does not require any manual intervention during the text recovery process.

Video: short demo of using Keytap3

Video: another example of using Keytap3

GUI for Keytap3

Check if your keyboard is vulnerable to Keytap:

What people say about Keytap

“This works incredibly well. I hope you realize what you’ve created (and made available to every person in the world).” – ffpip

“I just tried it and it works incredibly well. It kind of makes me want to stop using a mechanical keyboard.” – Karawebnetwork

“This attack and Van Eck phreaking are why Edward Snowden, while typing passwords and other sensitive information, would pull a blanket over himself and his laptop.” – aarchi

“This is what mechanical keyboard users deserve” – super guy

“fuck..” – Lluis Franco

Build instructions

Dependencies:

  • SDL2 (libsdl) - used to capture audio and to open GUI windows

    [Ubuntu]
    $ sudo apt install libsdl2-dev
        
    [Mac OS with brew]
    $ brew install sdl2
        
    [MSYS2]
    $ pacman -S git cmake make mingw-w64-x86_64-dlfcn mingw-w64-x86_64-gcc mingw-w64-x86_64-SDL2
    
  • FFTW3 (fftw, optional) - some of the helper tools perform Fourier transformations

Linux, FreeBSD, Mac OS, Windows (MSYS2 + MinGW)

    $ git clone https://github.com/ggerganov/kbd-audio
    $ cd kbd-audio
    $ git submodule update --init
    $ mkdir build && cd build
    $ cmake ..
    $ make

Tools

Short summary of the available tools. If the status of the tool is not stable, expect problems and non-optimal results.

Name              Type   Status
----------------  -----  ----------
record            text   stable
record-full       text   stable
play              text   stable
play-full         text   stable
view-gui          gui    stable
view-full-gui     gui    stable
key-detector      text   stable
keytap            text   stable
keytap-gui        gui    stable
keytap2-gui       gui    stable
keytap3           text   stable
keytap3-gui       gui    stable
-                 extra  -
guess-qp          text   experiment
guess-qp2         text   experiment
keytap3-multi     text   experiment
scale             text   experiment
subreak           text   experiment
key-average-gui   gui    experiment
keytap2           text   experiment

Tool details

  • record-full

    Record audio to a raw binary file on disk

    ./record-full output.kbd [-cN]
    

  • play-full

    Play back a recording captured via the record-full tool

    ./play-full input.kbd [-pN]
    

  • record

    Record audio only while typing. Useful for collecting training data for keytap

    ./record output.kbd [-cN] [-CN]
    

  • play

    Play back a recording created via the record tool


  • keytap

    Detect pressed keys via microphone audio capture in real-time. Uses training data captured via the record tool.

    ./keytap input0.kbd [input1.kbd] [input2.kbd] ... [-cN] [-CN] [-pF] [-tF]
    

  • keytap-gui

    Detect pressed keys via microphone audio capture in real-time. Uses training data captured via the record tool. GUI version.

    ./keytap-gui input0.kbd [input1.kbd] [input2.kbd] ... [-cN] [-CN]
    

    Online demo: https://keytap.ggerganov.com


  • keytap2-gui record.kbd n-gram-dir [-pN] [-cN] [-CN]

    Detect pressed keys via microphone audio capture. Uses statistical information (n-gram frequencies) about the language. No training data is required. The ‘record.kbd’ input file has to be generated via the record-full tool and contains the audio data that will be analyzed. The ‘n-gram-dir’ folder has to contain n-gram probability files for the corresponding language.

    ./keytap2-gui record.kbd ../data
    

    Online demo: https://keytap2.ggerganov.com


  • keytap3

    Fully automated recovery of unknown text from audio recordings.

    ./keytap3 input.kbd ../data [-cN] [-CN] [-pF] [-tF] [-FN] [-fN]
    

    Online demo: https://keytap3.ggerganov.com


  • keytap3-gui

    GUI version of the keytap3 tool.

    ./keytap3-gui input.kbd ../data [-cN] [-CN] [-pF] [-tF] [-FN] [-fN]
    

    Online demo: https://keytap3-gui.ggerganov.com


  • view-full-gui

    Visualize waveforms recorded with the record-full tool. Can also play back the audio data.

    ./view-full-gui input.kbd [-pN]
    



  • view-gui

    Visualize training data recorded with the record tool. Can also play back the audio data.

    ./view-gui input.kbd [-pN]
    



Feedback

Any feedback about the performance of the tools is highly appreciated. Please drop a comment here.