Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.

The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.

The prospect of widely available databases that identify users based on subtle differences in their typing was unsettling enough to researchers Per Thorsheim and Paul Moore that they have created a Chrome browser plugin that's designed to blunt the threat. The plugin caches the input keystrokes and after a brief delay relays them to the website in at a pseudo-random rate. Thorsheim, a security expert who organizes the annual PasswordsCon conference, and Moore, an information security consultant at UK-based Urity Group, conceived the plugin after thinking through all the ways the typing profiles could be used to compromise online anonymity.

Profiling Tor users

"The risk may seem small when you consider one single website collecting this type of information," Runa Sandvik, an independent security researcher and former Tor developer, told Ars. "The real concern with behavioral profiling is when it is being done by multiple big websites owned by the same company or organization. The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less."

Sandvik said she visited this profiling demo site using a fully updated Tor browser, and the site was able to construct a profile of her unique typing habits. That means Tor-anonymized websites—either because their operators are malicious or are cooperating with law enforcement agencies—can use similar profiling scripts that track people across both public and darkweb destinations. While the Tor browser limits the amount of JavaScript that sites can run, it allowed all the code needed to make the demo profiling app work during Sandvik's experiment. Had JavaScript been disabled altogether, the profiling would have been blocked. So while blocking JavaScript is useful, that approach might not make a difference against a profiling app that found a means other than JavaScript to measure typing characteristics.

The gathering of unique keystroke characteristics is an example of what's known as behavioral biometrics, or the measurement of something a person does, such as speaking, walking, or typing. So far, Thorsheim and Moore say, several banking websites appear to be using keystroke profiling to perform an additional layer of authentication on site users. In theory, such an approach could allow the sites to detect account hijackings, even when the attacker enters the correct username and password. Given the potential benefit of behavioral biometrics, the Chrome plugin can whitelist specific websites that are using it for good. (Moore has more about the extension here.)

To be fair, behavioral biometrics is by no means a new field of study. As evidenced by this Slashdot thread from 2007, people have long recognized the potential of using it to identify people behind a keyboard. There's also a huge library of research papers showing how to profile and de-anonymize browsers connecting over Tor. Still, if banks and other sites can use the technique to create reliable and accurate profiles of customers, it stands to reason that governments around the world can and do profile people of interest.

"As soon as somebody manages to build a biometric profile of your keystrokes at a network/website where you are otherwise completely anonymous, that same profile can be used to identify you at other sites you're using, where identifiable information is available about you," Thorsheim wrote in a blog post published Tuesday. "Your favorite government agency—pick your country—could set up spoofed and fake pages on the darkweb as well as in the real world, in order to identify people across them. For oppressive regimes, this is most certainly of high interest."

Listing image by Adikos.