How Your Typing Style Betrays Your Online Anonymity

fingers typing

Tor seemed like the perfect anti-hacker tool.

Shorthand for “the onion router”, the Tor network became popular among activists, law enforcement officers, and even ordinary citizens around the world for its ability to cover web surfers’ tracks. Essentially, Tor cloaks online data underneath layers of encryption and sends it through a random group of computers that run Tor. The first computer in the group is known as the “guard,” while the last is known as the “exit machine.” As the data passes from one computer to the other, the layers of encryption get peeled off one by one, until it arrives at the exit machine, where its true destination site can be safely revealed.

In addition, Tor offers a “hidden service,” which allows activists to collect sensitive news items and share them with a select group of users, all without being indexed by search engines. But, as researchers from the Massachusetts Institute of Technology (MIT) and the Qatar Computing Research Institute (QCRI) will demonstrate at the upcoming Usenix Security Symposium, there are cracks in this system.

The Mole in the Wall

According to a report from MIT, it’s still possible for hackers to deduce the location of the guard and exit machines. All they have to do is plant enough computers within a Tor network, analyze the traffic patterns of the data, and pinpoint possible guard and exit machines with 88 percent accuracy. In other words, there’s no need for the hackers to dismantle data encryption at all.

Furthermore, Tor, by default, enables JavaScript, which has been known to host malware that records keystrokes and mouse clicks. This is particularly problematic, since most sites run JavaScript automatically, and this can be used to spy on the processor caches of 80 percent of desktop computers.

In Tor’s defense, they advise users to combine firewalls and sandboxes for their Tor bundles, so that threats from JavaScript-based malware can be minimized. They also warn, however, that if users disabled scripts for certain websites, and enabled them for others, their online footprints can still be mapped out through their “whitelisted” sites. As of this writing, Tor is developing a bundle that’ll make it easier for users to customize their JavaScript settings.

Until then, users have the freedom to weigh the pros and cons of JavaScript, and adjust their browser settings accordingly.

A History of Keystroke Dynamics

The idea of profiling a person through their keyboard strokes—known as “keystroke dynamics”—isn’t new. According to a paper by Gaines, et al, (1980), the concept of keystroke dynamics dates as far back as the era of the telegraph, where operators could be identified by their unique tapping style. This phenomenon was known as the Fist of Sender.

Gaines’ paper documents an experiment on seven secretaries, who were instructed to type three 300-400 word passages in two different sessions, four months apart. The positive results pioneered the idea that keystroke dynamics could be used as a means of authentication. This was the same conclusion arrived at by a project of the National Bureau of Standards (NBS)—now known as the National Institute of Standards and Technology (NIST)—and SRI International. Since then, username-and-password verification was patented in 1989, and our concept of security changed forever.

Of course, this has the potential to be exploited by unscrupulous individuals.

In a blog post dated July 27, 2015, Per Thorsheim wrote about how keystroke dynamics was “really interesting” and useful for security. At the same time, he was unsettled at how a demo site was able to create a biometric profile of him using his keystroke style—even when he used Tor. If that profile falls into the hands of hackers, he says, it can be used to identify unsuspecting individuals in other sites, where identifiable information is available on them.

It’s not only hackers that’ll benefit from keystroke dynamics. Advertisers also take advantage of it to profile buyers, as well as other large institutions that have everything to gain from identifying users.

Nonetheless, users can look forward to more promising developments in the field of online security. For example, there’s the newly-released Hornet browser, which claims to provide more privacy at faster speeds than Tor. There are also the constant reminders for users to amp up their security, from no less than the tech giants themselves. After all of this, let’s hope that a 100-percent hacker-proof solution will be a reality in the near future.

Leave a Reply

Your email address will not be published. Required fields are marked *