This work addresses the limitations of traditional keyboard side-channel attacks, which rely on proximity sensors and user-specific training data, thereby compromising stealth, long-range operation, and cross-user generalization. The authors propose RadKey, a system that leverages passive RF backscatter tags to capture keystroke-induced vibrations and acoustic signals. By employing a magnetically coupled dual-LC resonator architecture, RadKey separates excitation and echo spectra and modulates the sensed signals into distinct backscatter frequency shifts. Integrating user-agnostic time–frequency feature extraction, RF self-interference suppression, and an LLM-driven pseudo-labeling mechanism for online fine-tuning, RadKey achieves, for the first time, through-wall, long-range, and training-free keystroke inference without requiring prior data from the target user. Experimental results demonstrate high accuracy and strong robustness in real-world multi-user scenarios.

In today's digitally connected world, keyboards remain the primary interface for inputting sensitive information, making them a persistent target for eavesdropping attacks. While prior keystroke inference techniques have exploited side-channel signals such as acoustics and vibrations, they typically rely on conspicuous, short-range sensors and require victim-specific data for model training, limiting their practicality, scalability, and stealth. In this paper, we present RadKey, an RF backscatter system for covert, long-range, through-wall keystroke eavesdropping. RadKey comprises two components: a compact batteryless backscatter tag and an RF reader. The tag captures keystroke-induced vibrations and acoustic signals, modulating them onto the frequency shift of its backscattered RF signal using two magnetically-coupled LC resonators. This design also enables spectral separation between the excitation and backscatter signals, mitigating self-interference for the RF reader and thus extending eavesdropping range. The RF reader demodulates the backscattered RF signal to infer typed content. It employs a dedicated signal processing pipeline that extracts user- and keyboard-independent keystroke features across time and frequency domains, enabling strong generalizability. To further enhance adaptability, RadKey integrates an LLM for online adaptation, leveraging LLM outputs as pseudo ground-truth labels to refine the classifier during runtime. We have built a prototype of the full RadKey system and evaluated it through extensive over-the-air experiments. Results show that RadKey achieves accurate and robust keystroke inference across diverse users in real-world settings. A demo video is available at: https://radkey-submission.github.io/RadKey/