Researchers at the University of California at Berkeley have discovered more vulnerabilities in Secure Shell (SSH) which allow an attacker to learn significant information about what data is being transferred in SSH sessions, including passwords.

SSH was designed as a secure channel between two machines, based on strong encryption and authentication. But by observing the rhythm of keystrokes, and using advanced statistical techniques on timing information collected, attackers can pick up significant details.

Each keystroke from a user is immediately sent to the target machine as a separate IP packet. By performing a statistical study on a user's typing patterns, and applying a key sequence prediction algorithm, the researchers managed to successfully predict key sequences from inter-keystroke timings.

A password cracker program, dubbed Herbivore, was developed on the back of the research. Herbivore is capable of learning a user's password by monitoring SSH sessions.

"Unfortunately, SSH is not as bullet proof as one would hope. Our attack shows that an eavesdropper can learn sensitive information about a user's data, such as passwords, over SSH," said Dawn Xiaodong Song, one of the researchers.

Another vulnerability allowing remote access to SSH accounts with two character passwords was also discovered last week.

A white paper, entitled Timing Analysis of Keystrokes and Timing Attacks on SSH, is available here.