The Keyboard That Could Phone Home
An anonymous reader writes "University of Pennsylvania researchers have developed a keylogger they call the JitterBug that can modulate passwords or other information into normal traffic by adding imperceptible delays to keypresses as people use keyboard and network-intensive apps like telnet and remote desktop. The idea is that the delays in keypresses cause delays in packets, and data can be encoded in those delays. There's no software or extra network activity that the victim can see, but anyone who can see the traffic (even if it's encrypted) could grab the data. Here's the scary part: the researchers say that it could be manufactured into a keyboard, making these keyloggers widespread and virtually undetectable."
There was a talk at the university I was at about the security measures on US government firewalls, for particularly secure computers. Covert timing channels are one clear class of things that a very secure firewall needs to protect against (not just for JitterBugs... trojans/viruses could try to communicate this way as well), and they did just that... changed the timing of the packets at the firewall to try to prevent covert timing channels from being possible.
If the information is contained in the 'gaps' between the traffic, buffer the traffic in hardware as it leaves the system. (Buffering and clocking the keypresses in hardware to remove the jitter may cause a perceivable lag.) If the keyboard is the suspected source of the hidden jitter, then an inline clocked buffer could remove this, releasing the keypresses to the system at a uniform interval. If the system is suspected, buffering and clocking can be added at the system router.
There is a similar concept in advanced TEMPEST analysis, but we can't talk about that here....
The thing I don't get is how you distinguish the minuscule delay introduced with this system from the much larger delay between subsequent keypresses the user makes. I don't think most people type at such a consistent rate that you could plug this in and immediately start observing traffic. (I wouldn't be too surprised if you could do it after observing the person's typing habits for a long time... but that would be different for every person, so most likely impractical.)
I recall a story of someone who determined a co-worker's password by listening to the timing of her keypresses.
"mickeymouse" m i c k e y mou s e
How much jitter has to be introduced into the packet stream to be detected as inserted delay and not network latency?
Pinging my own wireless router:
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.611/2.823/3.343/0.233 ms
--- google.com ping statistics ---
11 packets transmitted, 11 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.530/10.839/11.361/0.251 ms
--- yahoo.com ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 61.703/65.211/68.176/2.781 ms
Maybe the sample size isn't big enough, but how does one differentiate inserted delays from network latency? If the difference between the keystroke and the packet is the modulated data, how do you get this information to a recipient with no reference to when the keystroke was pressed? Maybe there's some fancy signal processing involved similar to spread spectrum, but that's never been a strong suit.
(Asked by a network simpleton)
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
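The questions running through this thread (whether a clocked keyboard buffer or a timing-perturbing firewall actually kills the channel, how much jitter it takes, and why the receiver needs no reference to the original keystroke times) can be put to numbers with a small simulation. The following is an added Python example written for this page; it is not code from the JitterBug researchers or from any poster here. Everything in it is an assumption or a constructed value: the encoding rule (the gap to the previous packet, modulo a 20 ms window, is pushed onto 0 or 10 ms), the typist's 80..400 ms inter-keystroke gaps, the 3.7 ms clock phase of the buffer, and the hold times of the defences. The jitter standard deviations (0.25 ms and 2.8 ms) are borrowed from the ping output quoted above; 10 ms is a made-up worse case.

```python
import math
import random

# Added illustration, not code from the JitterBug paper or from any poster above.
# Assumed channel model: the covert sender holds each keystroke just long enough
# that the gap to the previous packet, modulo W_MS, lands on 0 (bit 0) or
# W_MS/2 (bit 1). The observer needs only packet timestamps, never keystroke
# times, which is why no reference to "when the key was pressed" is required.
W_MS = 20.0
HALF = W_MS / 2


def covert_send(gaps_ms, bits):
    """Packet emission times (ms) for a typist with the given natural
    inter-keystroke gaps, one bit hidden in each gap."""
    times = [0.0]
    for gap, bit in zip(gaps_ms, bits):
        target = 0.0 if bit == 0 else HALF
        pad = (target - gap) % W_MS          # extra hold in [0, W_MS); never early
        times.append(times[-1] + gap + pad)
    return times


def covert_receive(times):
    """Observer-side decoding from packet timestamps alone."""
    bits = []
    for prev, cur in zip(times, times[1:]):
        phase = (cur - prev) % W_MS
        to_zero = min(phase, W_MS - phase)   # circular distance to 0
        to_half = abs(phase - HALF)          # distance to W_MS/2
        bits.append(0 if to_zero <= to_half else 1)
    return bits


def clocked_buffer(times, tick_ms, phase_ms=3.7):
    """The inline clocked buffer proposed above: keystrokes leave only on clock
    ticks, in arrival order. The clock's phase (assumed 3.7 ms) is unrelated
    to anything the sender does."""
    out = []
    for t in times:
        release = math.ceil((t - phase_ms) / tick_ms) * tick_ms + phase_ms
        if out and release <= out[-1]:
            release = out[-1] + tick_ms      # one keystroke per tick, order kept
        out.append(release)
    return out


def firewall_hold(times, rng, max_ms):
    """The firewall countermeasure described above: hold each packet a random
    extra 0..max_ms before forwarding, without reordering."""
    out = []
    for t in times:
        release = t + rng.uniform(0.0, max_ms)
        if out and release < out[-1]:
            release = out[-1]
        out.append(release)
    return out


def network_jitter(times, rng, stddev_ms):
    """Ordinary path jitter: an independent Gaussian offset per packet."""
    return [t + rng.gauss(0.0, stddev_ms) for t in times]


def bit_error_rate(sent, received):
    """Fraction of wrongly decoded bits; 0.5 means the observer learns nothing."""
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def simulate(n_bits=2000, seed=7):
    """Push the same hidden message through each condition; return BER per condition."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    # Constructed typist: natural gaps of 80..400 ms, far wider than W_MS, which
    # is the variability the poster above expected to swamp the signal.
    gaps = [rng.uniform(80.0, 400.0) for _ in range(n_bits)]
    sent = covert_send(gaps, bits)
    conditions = {
        "clean": sent,
        "latency_65ms": [t + 65.2 for t in sent],       # constant delay only
        "jitter_0.25ms": network_jitter(sent, rng, 0.25),
        "jitter_2.8ms": network_jitter(sent, rng, 2.8),
        "jitter_10ms": network_jitter(sent, rng, 10.0),
        "clock_10ms": clocked_buffer(sent, 10.0),
        "clock_20ms": clocked_buffer(sent, 20.0),
        "hold_5ms": firewall_hold(sent, rng, 5.0),
        "hold_20ms": firewall_hold(sent, rng, 20.0),
    }
    return {name: bit_error_rate(bits, covert_receive(t)) for name, t in conditions.items()}


if __name__ == "__main__":
    for name, ber in simulate().items():
        print(f"{name:14s} BER = {ber:.3f}")
```

Two things fall out of running it. First, a constant 65 ms of latency changes nothing, and jitter only matters once it is comparable to the window: the 0.25 ms LAN figure leaves the channel perfect, the 2.8 ms WAN figure costs about one bit in five, and 10 ms of jitter leaves the observer guessing. Second, the defences have the same threshold: a random hold of up to 5 ms or a 10 ms clock leaves every bit intact, while a 20 ms clock or a 0..20 ms random hold drives the error rate to one half, i.e. the channel carries nothing. The defender pays in latency for exactly the timing resolution removed, which is the lag trade-off the buffering comment above anticipates.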