Malboard: Unsurprisingly, AI Can Now Imitate Your Typing
Cybersecurity is a constant cat and mouse game between hackers and cyber defenders. As the defenders create a new strategy for detecting and defending against a new attack vector, the attackers find a way to bypass or overcome these defenses. As long as there is a good motivation to do so, hackers will continue to attempt to compromise legitimate systems.
With the growing value of data (the “new oil”), hackers will never lack incentives to find new vulnerabilities. As a result, cybersecurity in general (and data security in particular) are important priorities for cyber defenders and the organizations that they protect.
One of the biggest challenges for cybersecurity practitioners is securing user authentication systems. The goal of these systems is simple: let the good guys in and keep the bad guys out. Achieving this is complicated by the fact that these systems also have to be usable. People don’t want to create and manage a bunch of secure passwords, so they don’t bother and hackers break in. As a result, the burden is on developers to create systems that are both as secure as possible while being usable enough that users won’t try to bypass their protections.
Authentication security has gone through several different iterations. Passwords were first but are insecure due to poor password management practices. Two-factor authentication can be effective, but relies on people being willing to use the more secure variants (since SMS-based 2FA is known to be insecure). Some enterprises have tried user behavioral analytics to detect compromises, but the effectiveness depends on the type used. A new attack, called Malboard, threatens to break one common variant.
The Threat of Malboard
Malboard is a proof of concept attack published by a number of cybersecurity researchers in the journal Computer and Security. This potential malware uses artificial intelligence to learn and mimic a person’s typing patterns on a computer keyboard. The purpose of this mimicry is to allow the attacker to send malicious keystrokes that appear to be coming from the authorized user.
Accurately mimicking user keystrokes is a complicated problem. Modern keystroke monitoring systems detect a variety of different indicators to fingerprint a user, including:
- Typing speed
- Response to typing errors
- Common errors made (i.e. letter substitutions)
Using example typing data collected from thirty subjects, the Malboard researchers trained their AI system to mimic the exact features monitored by common detection systems. The AI was successful in mimicking these and can be used in a variety of different situations, including remote attacks and in-person attacks by a disgruntled employee that uses a Malboard-infected keyboard to gain unauthorized access to another user’s account. After developing the Malboard proof of concept malware, the researchers suggested several different features that can be effectively incorporated into these monitoring solutions to make them more effective, including:
- Keyboard power consumption
- Keystroke sound
- User’s ability to respond to typing errors
The Malboard researchers determined that these three features, in combination, could detect their malware and protect an organization against Malboard. However, most modern keystroke monitoring systems do not include these inputs, making them vulnerable to Malboard.
Impacts on Account Security
Artificial intelligence being able to imitate your typing style doesn’t seem like a big deal. In fact, if the typing actually makes sense, it might be helpful in creating the end of month reports. However, the Malboard attack can actually have an impact on your account security.
Most organizations use passwords to manage access to their sensitive data. Passwords are simple to use and, generally, they work. However, password-based security has been growing weaker and weaker. People use weak passwords or reuse the same password across multiple accounts, and the vast number of recent data breaches gives hackers a wide variety of potential passwords to try when attempting to break into an account.
As a result, organizations are increasingly turning to behavioral monitoring as a potential solution to the password insecurity problem. One of the methods used is the aforementioned keystroke monitoring. Everyone types slightly differently (just think of the difference between a properly trained typist and two-finger typist), and these differences can be used as a fingerprint to identify the legitimate user.
However, Malboard breaks all of this. The researchers who created Malboard tested it against three different keystroke monitoring tools: KeyTrac, TypingDNA, and DuckHunt. In their tests, Malboard was able to evade detection in over 83% of all trials. Keystroke-based user authentication is no longer secure thanks to Malboard’s AI.
Protecting Your Data
Malboard is an effective AI for mimicking the keystroke behaviors of users, one of several ways that organizations supplement or replace their password-based access control mechanisms. As a result, these mechanisms are no longer reliable for detecting malicious use of a user’s keyboard. By mimicking the user’s typing patterns, Malboard can insert malicious commands into a computer without detection.
However, keystroke detection is only one method of using user behavior as a fingerprint for authenticating valid users and identifying illegitimate ones. Malboard is an effective attack vector since it is largely content-agnostic: the detection engines don’t care what you type as long as you type it “in the right way”. This isn’t the case for other detection solutions, and, if you can prevent an attacker from doing anything malicious on your system without detection, it’s much less of a problem that they got inside in the first place.