Two security researchers released a new Chrome extension this week that thwarts attempts to profile users based on a biometric.
Researchers Per Thorsheim and Paul Moore collaborated on KeyboardPrivacy, an add-on that injects random delays between presses on a keyboard, Moore said. Those delays, the researchers said, disarm attempts to build behavioral profiles based on a person’s typing pattern that are in turn used as authenticators on some websites, particularly in the U.K.
There are times, the researchers argue, when these authentication mechanisms, which cannot be changed in the same way a password can be changed, are not welcome. Thorsheim described a scenario in which he created a profile of his keystrokes on a demo site using the Tor browser. He then switched from the Tor browser to Chrome, and the demo site still identified him correctly, negating the privacy of the anonymity tool.
Subtle nuances in the way people type, such as how long keys are held down and how long passes between key presses, are the building blocks of these behavioral profiles used in authentication schemes. If a profile were stolen, it may one day prove more troublesome than a stolen password.
The extension artificially alters the rate at which the information entered by users reaches the document object model (DOM). By anonymizing, so to speak, how individuals type, Thorsheim and Moore hope the tool will frustrate the construction of such behavioral profiles.
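To make the mechanism concrete, the following added example (not the extension's code, and not written by Moore or Thorsheim) computes the two timing features described above for a typed word and shows how random per-event delays push a later session away from the enrolled profile. The timestamps are constructed, and the function names, the 200 ms maximum delay and the 10 ms match threshold are assumptions chosen for illustration.

```javascript
// Added example: keystroke-timing features and the effect of random delays.
// All timestamps below are constructed sample data (milliseconds).
const enrolled = [ // profile captured at enrolment
  { key: "h", down: 0, up: 95 }, { key: "e", down: 180, up: 262 },
  { key: "l", down: 340, up: 430 }, { key: "l", down: 520, up: 612 },
  { key: "o", down: 700, up: 780 },
];
const later = [ // same typist, a later session
  { key: "h", down: 0, up: 98 }, { key: "e", down: 185, up: 265 },
  { key: "l", down: 347, up: 435 }, { key: "l", down: 522, up: 616 },
  { key: "o", down: 706, up: 789 },
];

// Feature vector: hold time of each key, then the gap from each release to the next press.
function features(events) {
  const hold = events.map((e) => e.up - e.down);
  const gap = events.slice(1).map((e, i) => e.down - events[i].up);
  return [...hold, ...gap];
}

// Mean absolute difference (ms) between two samples of the same text.
function distance(a, b) {
  const fa = features(a), fb = features(b);
  return fa.reduce((sum, v, i) => sum + Math.abs(v - fb[i]), 0) / fa.length;
}

// Delay every event by a random amount up to maxDelayMs (assumed value), never reordering.
// Simplification: assumes each key is released before the next one is pressed.
function addRandomDelays(events, maxDelayMs = 200, rng = Math.random) {
  let last = 0;
  return events.map((e) => {
    const down = Math.max(last, e.down + rng() * maxDelayMs);
    const up = Math.max(down, e.up + rng() * maxDelayMs);
    last = up;
    return { key: e.key, down, up };
  });
}

// A timing-based check accepts a small distance; the threshold is an assumed value.
function matches(profile, sample, thresholdMs = 10) {
  return distance(profile, sample) <= thresholdMs;
}

console.log("plain session distance:", distance(enrolled, later).toFixed(1));
console.log("delayed session distance:", distance(enrolled, addRandomDelays(later)).toFixed(1));
```

The undelayed session stays within a few milliseconds of the profile on every feature, while the delayed one differs by tens of milliseconds on average, which is the gap the extension relies on.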
Thorsheim said he has had the idea for the extension for a few years, but it wasn’t until last week that he was able to fully conceptualize it with Moore, a friend of his from the U.K. As Thorsheim pulled the extension together in his head, he visualized it working with a similar degree of anonymity as the Tor network.
“Build a piece of hardware that will collect all my keystrokes, cache them for some brief milliseconds, and pass them on to the computer at a certain constant pace,” Thorsheim wrote. “All keystrokes appear equal, just like all TOR Browsers initially appear equal.”
Moore, who did the coding for the extension, demonstrated the plugin and how it was able to trick a keyboard behavior biometrics website in a YouTube video this week.
Moore was ultimately able to piece the extension together, using a scant amount of code, over the course of a few days. “If you strip away the fundamentals required to make a Chrome extension, the code is just 13 lines long and has proven to be quite robust so far,” Moore remarked.
The idea of websites using browsers and keystrokes to identify users isn’t so far-fetched. As the researchers point out, a handful of banks, predominantly in the U.K., are purportedly already using keystroke profiling to add an additional layer of authentication to their sites.
“As soon as somebody manages to build a biometric profile of your keystrokes at a network/website where you are otherwise completely anonymous, that same profile can be used to identify you at other sites you’re using, where identifiable information is available about you,” Thorsheim warned.