Skip to main content

Malboard: Hackers can now pose as victims through their keyboards

Alexa, are keyboards going extinct? Wishful thinking, maybe, but according to a recent survey there's broad support for voice technology over tactile interfaces.

A new form of cyberattack has been developed by researchers which is able to mimic a user's identity through their keystrokes.

The continual evolution of cyberattacks and their increasing sophistication has led to a situation where signature-based antivirus products are no longer enough.


A multi-layered approach to personal security -- including two-factor authentication (2FA) -- is slowly becoming commonplace in order to reduce our reliance on passwords alone.

The idea of verifying our identity through behavioral patterns, such as through keystrokes or mouse movements, is also being explored, but as Ben-Gurion University of the Negev (BGU) Malware Lab researchers have revealed, no single security solution is foolproof.

On Wednesday, the team said they have developed a new form of attack, dubbed Malboard, which is able to evade detection products "that are intended to continuously verify the user's identity based on personalized keystroke characteristics."

See also: CCTV cameras enslaved to infiltrate air-gap networks

It is not just the speed of keystrokes which can be used to verify a user -- how we respond to typographical errors and whether or not we tend to mistype particular characters are behavioral elements which can be used to verify our identity, too.  

In a paper published in the academic journal Computer and Security, available online, BGU showed how a compromised keyboard can be used to generate and send malicious keystrokes which mimic its victim.

The team used keyboards developed by Microsoft, Lenovo, and Dell in their research. The aim was to fool KeyTrac, TypingDNA and DuckHunt, which are all risk-based behavioral authentication systems.

These forms of software use AI-based algorithms and machine learning to analyze our keystrokes in order to add another layer of verification to user accounts. However, these same algorithms can also be used to fool them.

In order to develop Malboard, the team used behavioral data generated from 30 participants performing three different keystroke tests. This information was fed into the attack's underlying AI database and algorithms created by the system were pitted against the detection software.

A keyboard infected with Malboard was able to automatically generate keystrokes in the style of the participants by injecting keystroke movements "as malicious software." In 83 to 100 percent of the tests, KeyTrac, TypingDNA, and DuckHunt were fooled.

TechRepublic: 6 questions to consider before implementing a disaster recovery plan

According to Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, Malboard would be particularly effective in two scenarios; remote attacks launched by hackers wirelessly, or by inside attackers -- such as disgruntled employees -- who would be able to physically launch Malboard on a keyboard to compromise an internal system.

The paper also proposes detection modules which could be used to improve keyboard-based verification, including power consumption monitoring, keystroke sounds, and typographical error detection.

CNET: Scam artists reportedly stole $19 million worth of iPhones

"Each of the proposed detection modules is capable of detecting the Malboard attack in 100 percent of the cases, with no false positives," Nissim added. "Using them together as an ensemble detection framework will ensure that an organization is immune to the Malboard attack as well as other keystroke attacks."

The best beach reads for hackers in 2019 SEE FULL GALLERY 1 - 5 of 8

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


I not to mention my guys ended up digesting the good tips and tricks located on your web site and then all of a sudden I had a horrible feeling I had not expressed respect to the web site owner for those tips. My young boys appeared to be totally excited to learn all of them and now have without a doubt been loving them. Many thanks for really being quite helpful and also for deciding on certain notable topics millions of individuals are really desperate to know about. Our own sincere regret for not saying thanks to earlier. jordan shoes

I definitely wanted to compose a quick comment so as to express gratitude to you for those great steps you are sharing at this website. My extensive internet research has at the end of the day been compensated with really good facts to talk about with my contacts. I would repeat that we visitors are quite blessed to dwell in a very good place with very many marvellous people with beneficial basics. I feel truly grateful to have used the site and look forward to some more enjoyable minutes reading here. Thanks a lot once again for all the details. nike air max 2017

I and my pals came reading the great suggestions on your web site then all of the sudden developed a horrible suspicion I never expressed respect to the site owner for those secrets. All of the young men happened to be for this reason warmed to study all of them and have very much been taking pleasure in them. Thanks for simply being quite thoughtful as well as for picking such excellent things millions of individuals are really wanting to be aware of. Our honest apologies for not expressing gratitude to sooner. adidas stan smith men

I would like to show some appreciation to this writer for bailing me out of such a matter. After browsing throughout the online world and finding solutions which are not powerful, I believed my entire life was done. Existing devoid of the strategies to the difficulties you have solved by way of your entire website is a crucial case, and ones which could have badly affected my career if I hadn't discovered your web page. Your personal natural talent and kindness in maneuvering almost everything was helpful. I don't know what I would have done if I had not encountered such a thing like this. It's possible to now look forward to my future. Thank you very much for your impressive and result oriented help. I will not be reluctant to endorse your site to any person who requires tips about this subject matter. christian louboutin shoes

Needed to draft you that very small observation to help thank you the moment again with your lovely methods you've shared at this time. This has been simply surprisingly open-handed of people like you to allow unreservedly precisely what a few individuals might have supplied for an e-book to earn some money for their own end, especially now that you could have done it if you ever considered necessary. The strategies as well worked to be a great way to comprehend many people have a similar desire just like mine to figure out significantly more in regard to this problem. I am certain there are many more enjoyable periods up front for individuals who looked over your site. valentino shoes

Add new comment

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
The comment language code.