In today's digitally connected world, keyboards remain the primary interface for inputting sensitive information, making them a persistent target for eavesdropping attacks. While prior keystroke inference techniques have exploited side-channel signals such as acoustics and vibrations, they typically rely on conspicuous, short-range sensors and require victim-specific data for model training, limiting their practicality, scalability, and stealth. In this paper, we present RadKey, an RF backscatter system for covert, long-range, through-wall keystroke eavesdropping. RadKey comprises two components: a compact batteryless backscatter tag and an RF reader. The tag captures keystroke-induced vibrations and acoustic signals, modulating them onto the frequency shift of its backscattered RF signal using two magnetically-coupled LC resonators. This design also enables spectral separation between the excitation and backscatter signals, mitigating self-interference for the RF reader and thus extending eavesdropping range. The RF reader demodulates the backscattered RF signal to infer typed content. It employs a dedicated signal processing pipeline that extracts user- and keyboard-independent keystroke features across time and frequency domains, enabling strong generalizability. To further enhance adaptability, RadKey integrates an LLM for online adaptation, leveraging LLM outputs as pseudo ground-truth labels to refine the classifier during runtime. We have built a prototype of the full RadKey system and evaluated it through extensive over-the-air experiments. Results show that RadKey achieves accurate and robust keystroke inference across diverse users in real-world settings. A demo video is available at: https://radkey-submission.github.io/RadKey/