top of page

I can hear your password…

British researchers have developed a deep learning model, a form of artificial intelligence (AI), which can use keyboard keystrokes to steal data.

The learning model was trained using a MacBook Pro, on which they pressed each key 25 times and recorded the sound it produced, and a smartphone nearby with the microphone turned on.

They also conducted the same activity during Zoom and Skype calls. Their results showed that the smartphone was 95% accurate at predicting the keystroke, while Zoom and Skype were 93% and 91.7% accurate respectively.

In simple terms, the AI was able to guess what was being typed from the sounds of the keys.

The implications of these findings suggest that anything that is typed such as passwords, private messages or even classified information could be leaked to a third party. Another scary aspect of this research is that the learning model can train itself using recordings.

Outside of research and development settings, this activity can be easily replicated using nearby microphones or malware with access to a devices microphone.

Even simpler still, a participant in a videocall could correlate the sounds of a keyboard and the information being shared in a chat box as a method to predict future keystrokes from sound alone.

There are ways of mitigating falling victim to this kind of activity. Initially, always be aware who is present in meetings, and be cautious of sharing information freely with people you aren’t familiar with.

While you may be cautious of your surroundings, someone else on your call may be inadvertently weakening your security.

Secondly, as was demonstrated by the researchers, it can be difficult to prevent this behaviour by implementing measures such as background or white noise or moving the keyboard away from potential listening devices.

Using alternative methods such as biometrics or password managers can provide the most security.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page