Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Keyboard That Could Phone Home

Posted by ryuzaki0 on from the blueprints-coming-to-a-torrent-near-you dept.

An anonymous reader writes "University of Pennsylvania researchers have developed a keylogger they call the JitterBug that can modulate passwords or other information into normal traffic by adding imperceptible delays to keypresses as people use keyboard and network-intensive apps like telnet and remote desktop. The idea is that the delays in keypresses cause delays in packets, and data can be encoded in those delays. There's no software or extra network activity that the victim can see, but anyone who can see the traffic (even if it's encrypted) could grab the data. Here's the scary part: the researchers say that it could be manufactured into a keyboard, making these keyloggers widespread and virtually undetectable."

66 of 287 comments (clear)

  1. Could you get around this... by Saint+Aardvark · · Score: 5, Insightful

    ...by adding your own random jitter to outgoing packets? I'm thinking of something like an option in OpenBSD to do this for all TCP connections, say.

    --
    Carousel is a lie!
    1. Re:Could you get around this... by interiot · · Score: 5, Interesting

      There was a talk at the university I was at about the security measures on US government firewalls, for particularly secure computers. Covert timing channels are one clear class of things that a very security firewall needs to protect against (not just for JitterBugs... trojans/viruses could try to communicate this way as well), and they did just that... changed the timing of the packets at the firewall to try to prevent covert timing channels from being possible.

    2. Re:Could you get around this... by russ1337 · · Score: 3, Interesting

      If the information is contained in the 'gaps' between the traffic, buffer the traffic in hardware as it leaves the system. (Buffering and clocking the keypresses in hardware to remove the jitter may cause a percieveble lag). If the keyboard is the suspected source of the hidden jitter, then an inline clocked buffer could remove this, releasing the keypresses to the system at a uniform interval. If the system is suspected, buffering and clocking can be added at the system router.

      There is a similar concept in advanced TEMPEST, analysis but we cant talk about that here....

    3. Re:Could you get around this... by NemosomeN · · Score: 5, Funny

      The more likely workaround would be devices you put between your keyboard and the computer. Easier? No. Cheaper? No. Marketable? Maybe.

      --
      I hate grammar Nazi's.
    4. Re:Could you get around this... by wall0159 · · Score: 4, Informative

      Well, probably. But what you're doing is just adding noise to the system - this can be circumvented by just taking longer to send the time-based data (ie send the data with greater redundancy, so that it's more noise tolerant). Also, adding jitter would slow the network connection because you can't make transmission faster, you can only slow it by the mean delay of your introduced noise.

      A more effective method would be to use a method of transmission that wasn't time-dependent on what the user typed. For example, ssh could be designed so that it sent a packet every 100ms (whatever - I don't know the specific time) regardless of what the user had typed. I think this would render this attack useless, but would still introduce some latency...

      The article says 'In applications such as telnet and remote desktop, a packet is sent every time a user presses a key' - is this the case with ssh too? I mean - surely *nobody* uses telnet for secure communications!

    5. Re:Could you get around this... by LincolnQ · · Score: 4, Interesting

      The thing I don't get is how you distinguish the miniscule delay introduced with this system from the much larger delay between subsequent keypresses the user makes. I don't think most people type at such a consistent rate that you could plug this in and immediately start observing traffic. (I wouldn't be too surprised if you could do it after observing the person's typing habits for a long time... but that would be different for every person, so most likely impractical.)

    6. Re:Could you get around this... by sploxx · · Score: 4, Insightful

      Maybe this is obvious, but anyway:

      This is also another reason for 100% open source code for any important part (which you use to transfer confidential information) of your computer.

      Especially for low-level parts like device drivers. Stallman wanted to have a free printer driver. Remember the yellow dots??

      I hope this is something which makes the closed source WLAN (it's working, it's ok) fans
      a bit quieter.

    7. Re:Could you get around this... by FhnuZoag · · Score: 4, Insightful

      No, you can't get around this, because if it's built into the keyboard, then it's a hardware thing, and any software based solution will be insufficient.

      But really, this whole issue is stupid. Built into the keyboard? WTF? If you allow a hostile agent to install hardware in your computer, then having a keylogger is the least of your worries. Where's the alarmist article about the possibility of keyboards with built in hand grenades?

      The system is also overcomplicated by far - for one, you are relying on people using telnet and remote desktop, which most home users do not. What advantages, if at all, does this tech hold over just modulating in delays with conventional traffic (e.g. HTTP requests)? Or other known systems of steganography? And don't forget that telnet is unencrypted in any case.

    8. Re:Could you get around this... by MajinBlayze · · Score: 3, Insightful

      Except that something like this wouldn't have to go into a driver. It could be a chip built into the keyboard, and as you type it adds a short delay. reading that delay is how it would work.

      --
      "Hate is baggage. Life's too short to be pissed off all the time." Danny Vinyard -American History X
    9. Re:Could you get around this... by charleschuck · · Score: 3, Informative
      The article says 'In applications such as telnet and remote desktop, a packet is sent every time a user presses a key' - is this the case with ssh too?

      Far be it from me to question the article, but I had been under the impression that Nagle's Algorithm had been designed to concatenate small buffers—such as telnet—to prevent them from necessarily sending a packet with each keypress.

      I am not a TCP stack guru (IANATCPSG?!), but it seems like, though this algorithm was designed to reduce congestion, it would upset a timing attack by having to wait for the ACK of the last packet—at least on high latency links.

      SSH, at least as of 2002, according to this e-mail, turns on TCP_NODELAY, which disables the algorithm to reduce latency of keypresses in a connection when it believes an interactive session has been started. Thus, SSH does indeed send a packet with each keypress.

    10. Re:Could you get around this... by jimicus · · Score: 2, Insightful

      Remember the yellow dots

      Yes. They're in the firmware of the printer, not the driver, so a free printer driver wouldn't make much difference in this case.
    11. Re:Could you get around this... by ichigo+2.0 · · Score: 2, Funny

      Just have a robot hit two keyboards at a time at equal rates.

      Why of course. Just let me jump in my flying car and go to the hypermarket on the moon, I hear robots are on sale there.

  2. Hmm... by bcat24 · · Score: 5, Funny
    This threat, however far-fetched, seems particularly relevant in light of the U.S. government's decision in May to use computers built by Lenovo only for processing unclassified data. The Chinese government owns 28% of Lenovo, information that has sparked fears of espionage. As it turns out, numerous keyboards are also manufactured in China.
    With Communist computer, keyboard spy on YOU!
    1. Re:Hmm... by madcow_bg · · Score: 2, Funny

      In Russia, YOU spy on the keyboard!

    2. Re:Hmm... by coaxial · · Score: 2, Insightful

      With Communist computer, keyboard spy on YOU!

      In freedom loving countries, keyboard KEEPS YOU SAFE!

      Be afraid! Or the terrorists' goal to make us change our lives and live in terror will succeed!

    3. Re:Hmm... by megaditto · · Score: 2, Insightful

      Hey, I wonder if NSA/AT&T used Chinese boxes to wiretap citizens?

      Warrants or no warrants, but as a patriot, I sure hope they use 100% American?

      --
      Obama likes poor people so much, he wants to make more of them.
  3. manufactured by Anonymous Coward · · Score: 5, Insightful

    Couldn't any kind of virus or malicious "software" be manufactured in to many different hardware. It's the trust and accountability we have in companies that keeps this from happening in general. It's kind of crazy we would have to worry about something like that...

    1. Re:manufactured by bunions · · Score: 2, Interesting

      meh, maybe sorta.

      On reflection, I don't see how it'd be so out of the question for some engineer somewhere to add in a delay in the firmware unbeknownst to the employer. All he'd have to do then is install some free shell and/or IRC machines somewhere, maybe some altered game servers, something like that, and wait for someone with his compromised keyboards to walk in.

      Seems pretty straightforward, if you buy the initial premise that someone would do this. I don't see it working for a company. A person is smart and could pull this off. A group of people is stupid and would fuck it up somehow.

      --
      there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
    2. Re:manufactured by steve_l · · Score: 4, Informative

      yeah, laptops could implement this in the keyboard controller. Or even the USB hub could do it.

      you have to trust the pc vendors, as they have nothing to gain, and everything to lose, in lawsuits and lost sales. But what if their government comes along and says 'add this back door'. They'd comply.

      Case in point: Lotus notes put a back door in export versions of notes:
      http://catless.ncl.ac.uk/Risks/19.52.html#subj1

      they sent messages with 64 bit encryption (!), but 24 bits of the key was hidden in the message, where the NSA knew to look, or otherwise given to them. You only had 40 bit keys, which upset the swedish government.

      Moral: You cant trust closed source apps any more than closed source hardware.

    3. Re:manufactured by forgotten_my_nick · · Score: 2, Informative

      It wasn't so much a backdoor but as a way to comply with the export regulations at that time. You couldn't export 128bit encryption at that time but they could if NSA where given half the key.

      But this isn't just US doing this. France for example around that time only allowed 40bit keys to be used and Lotus had to comply with that too.

      Btw, Lotus have long since stopped doing this once it was legal to do so. (hence you post relates to 1997).

  4. Manufactured into a keyboard by Anonymous Coward · · Score: 5, Funny

    The "Made in Nigeria" had me worried, but with a quality name like Sony on the keyboard, I decided not to worry.

  5. it's your own damn fault by circletimessquare · · Score: 4, Funny

    ...i .blame ....the ..user ....for ..not ....being ....more .......vigilant .if .....this ..ever .....happened ..to .....me (..and ..it .....wouldn't) ...i ..wouldn't .....be ..blaming ....some ."hacker" ....for ..my ....own ..lax .......security

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  6. My question is... by jarg0n · · Score: 2, Interesting

    My question is why are University of Pennsylvania researchers developing keyloggers!!??

    --
    Error 2101: all your sig are belong to us
    1. Re:My question is... by AHumbleOpinion · · Score: 2, Funny

      To catch students logging into termpapersfor10dollars.com

    2. Re:My question is... by Firefly1 · · Score: 2, Informative

      If it's a choice between UP researchers developing this and educating relevant entities to the potential threat (and, of course, said entities taking prompt and appropriate action), and blackhats fielding it unbenownst to the world at large...
      Now what was your question again?

      --
      - White Knight of the Order of Mihoshi Enthusiasts
    3. Re:My question is... by EvanED · · Score: 2, Informative

      For the same reason that security researchers do any of their destructive research; the same reason that I'm just starting to study how to build a rootkit. People need to know what risk factors are present in decisions they make with regards to hardware, software, and configuration choices, and how to protect against those risk factors. If there were no white hat hackers, the black hats would ALWAYS be a step ahead because the white hats wouldn't be able to anticipate possible other attacks.

  7. Huh? by tgd · · Score: 4, Insightful

    Who uses telnet? And if they are, sniff the damn packets directly.

    And RDP is not a keystroke-per-packet, 100% of the time. Neither is SSH. Without that, you couldn't make any assumptions about the data you may have missed.

    Encryption latency, packet retransmissions upon collisions at routing equipement... there are 1000 reasons outside the lab this wouldn't be even remotely useful for tracking activity off the desktop, and there's way easier ways of doing it on the desktop.

  8. Re:Cool, where can I get the source? by dyamkovoy · · Score: 2, Informative

    I don't know about the source, but you can get the paper right here. It has a little more details than the article.

  9. Re:Cool, where can I get the source? by jumpingfred · · Score: 2, Insightful
    On a more serious note though..
    I always thought it was easier to just torture somebody for the password?

    Often times it might be nice to get the password without the victim's knowledge that the password is compromised.
  10. Re:Just spreading FUD by drinkypoo · · Score: 2, Informative
    Again, nice try, but it's not going to work in the real world.

    On the other hand, they performed a test, and it seems to have worked. No details on the test but you would really have to go through a lot of effort to be sure that in fact you had a good network connection and a steady typing cadence, and the test was between countries. FTFA:

    Researchers say that in tests, the JitterBug was able to transmit data from the University of Pennsylvania to the National University of Singapore fairly reliably.

    Provided there is sufficient traffic, who cares if you have a high error rate? Use error correction.

    Ordinarily I would raise the same objections, but I read the fine article, and am willing to accept that some people may be a lot smarter than I am, while it is patently obvious that some people are a lot better-educated.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. I think it's just as likely... by Anonymous Coward · · Score: 2, Interesting

    ...that US corporations would install these. The American government/corporations (same thing really) has clearly demonstrated their belief that people exist for them to prey upon.

  12. Very limited by stienman · · Score: 4, Insightful

    It would only work when the pressing of a single key causes the generation and transmission of a packet. Telnet is what they talk about, but most terminal programs would be vulnerable. Connecting to a mainframe is obvious, but you'd have the same problem with windows remote desktop, any remote client programs, etc. The SSL telnet program send passwords as a single packet, so that would prevent transmission of information during the password phase, but would not prevent it during interactive use.

    Normal websurfing, email, and desktop applications run on the computer itself (instead of remotely) would not pass any usable jitter information.

    Ajax web based applications could be vulnerable if they generate packets each time a key is pressed. Not many do this, but more will as time goes on.

    The key problems are:
    1) It can, at best, transmit 1 bit per keypress
    2) All of the intelligence would have to be in the keyboard for deciding *what* to send.

    Further, I haven't read the paper, but I don't see how this would work unless the user's typing patterns are very well known to the program, or the jitter introduced is significantly greater than 1/2 the average keypress to keypress time. This would be noticable to most people, though they would get used to it. This could be adaptive though, if you know that a particular keyboard is used by one user, and the keyboard spends a significant amount of its bandwidth on known patterns.

    Also, the keyboard cannot query the computer - the only information it could gain is what is typed in it. And since it could only get 1/7 of the possible information that's typed in (or perhaps 1/3 if good compression is used) then it wouldn't be able to get very much at all.

    All in all, it seems like a cool trick, but like tempest it requires some fairly specific conditions. For most things there are other ways that are likely easier, less detectable by the end user, and more informative than this one. But under appropiate conditions, it could be just the ticket.

    -Adam

  13. I'm skeptical, too. by alexhs · · Score: 2, Informative

    Here is the paper.
    A "Keyboards and Covert Channels" search on Google will give you the PDF, too.
    I don't have time to read it right now (time to sleep here in France ;) so if someone want to read and report his conclusion that I can read next morning...

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  14. problems by Lord+Ender · · Score: 2, Informative

    If you're going through a router with any kind of load, it will add unpredictable delays of its own.

    Any crypto that relies on the timing of packets is going to have this problem, because IP makes no promises about packet timing (or even order!).

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  15. Re:Just spreading FUD by AHumbleOpinion · · Score: 2, Informative

    In order to read information out of my delayed key strokes, you'd have to know the cadence that I'd normally be typing at and then measure the deltas to get the bits.

    No, I don't think so. I am just making a guess, I have not read the article, but I think a simple "rounding" of your cadence would be enough. Pick a small time interval, round your actual timing to the nearest interval, done. For discussion purposes let's say the interval is 0.1s, encode a 0 bit as x.x3s and a 1 bit as x.x6s.

  16. Re:What about user -induced lag? by Bryansix · · Score: 2, Interesting

    Correct me if I am wrong but from how I understand it the rate at which you type does not matter. The jitter is added to network traffic and it probably has to do with the timing between two packets. The program could just make the jitter be in the off position when no data is being sent and in the on position when there is data to phone home with. It's very analog but it works.

  17. Yeah... by Kawahee · · Score: 2, Interesting

    A keyboard keylogger? "Scary". I think not. It's not like these people are going to bust into internet cafe's, pick the lock and change the keyboard without anybody noticing. Nor are they going to do it to somebody's personal PC ("Hey, my keyboard's different. Oh well..."). The only market I see for this is for corporations, and they can either use a hardware dongle, or have a software keylogger. They can also run the user in a sandbox that prevents them from detecting the software one, and the software one probably has more power in it anyway.

    Undetectable data transfer is at least worrying, not the fact you can embed it in the keyboard. Also, external hardware devices can't be plugged in and execute arbitrary code, which means you require software installed, which can be detected. Not such an undetectable spy device now, is it?

    --
    I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
  18. Seems like an unlikely scenario by tji · · Score: 3, Insightful

    Maybe it's a proof of concept, or thought exercise, but I think there would be many hurdles against actually using this. Such as:

    - Discerning keyboard delays vs. user typing delays.
    - Discerning keyboard delays vs. network latency variability.
    - Getting the user to connect to a remote host using a direct keyboard interface like telnet. The much more common WWW connections do not expose keyboard input speed, the input is sent as one big request (unless you run some java app, or possibly other active code in the browser).
    - Compromising the network connection or destination host to expose the keyboard traffic.

    I'd say there are a whole lot of more likely exploits that are higher on my list of things to look out for.

  19. Trusted Input Device by NotQuiteReal · · Score: 4, Funny
    I don't trust anything that I didn't key into the front panel switches myself.

    This Trusted Input Device method, I call TID BITS, for short.

    --
    This issue is a bit more complicated than you think.
  20. Re:{sigh} by Elemenope · · Score: 3, Insightful

    I was thinking about that myself. I'm no Luddite, but it seems to me the inexhorable march of advancement is fast outstripping any hope of catching up with social and cultural adaptation. Stuff like this makes me think "Why would anyone (legitimate) do this? Just to see if they could?" It seems like a stupid justification.

    But then, isn't it stupendously better for this type of danger to show up in an academic paper, for all to see and think about how to counter, rather than spooks, foreign spooks, or some black hat with an attitude being able to use it surreptitiously for a long, long time because nobody else thought about it or publicized it?

    --
    All the techniques ever used to make men moral have been themselves thoroughly immoral... (Nietzsche)
  21. Interesting theory, but how likely in practice by bhmit1 · · Score: 4, Insightful

    SSH already went through the debate of timing style attacks and came out fine: http://www.ssh.org/company/newsroom/article/204/. Additionally, web forms aren't transmitted until you hit submit. So you need some interractive session to monitor to detect something like this. The article mentions telnet, which, if you're going to sniff to detect packet timing, you might as well watch the packets themselves. When you get into something that is encrypted and interractive, wouldn't there be enough random jitter from the encrypting and other data, like mouse position updates when you have remote GUI's, to make this very difficult without creating so much jitter to be obvious to the user that the keyboard is screwed up?

    Implementation wise, the article lacked detail, so it's time to guess what's involved. You can't simply add a fixed number of ms to each key. What you need to do is have a timer that you are always offsetting from. Otherwise, the time that the user takes to type a key would be added on to the keystroke jitter, making it useless. Say you only watch 90 keys, giving you up to 90X, where X is some measurable time. The timer would also need to be 90X, meaning that you really have a maximum possible delay of 180X. With a CPU context switch (this is an interactive user), encryption processing, and physical network delays, I'm guessing that X would have to be several ms to be detectable. That would make the maximum time, even with only a 3ms X, over a half second in the worst case, which a user will certainly notice. Of course you can reduce the number of keys that you monitor, I picked 90 because it made the math easy and eliminated the F1-F12 keys. But anything over a couple 1/10s of a second will be noticable.

  22. password exposed via timing. by Kaenneth · · Score: 5, Interesting

    I recall a story of someone who determined a co-workers password by listening to the timing of her keypresses.

    "mickeymouse" m i c k e y mou s e

  23. Re:Cool, where can I get the source? by Secrity · · Score: 2, Interesting

    "I always thought it was easier to just torture somebody for the password? "

    I thought that it was easier and more reliable to just bribe somebody who has hte password. There was an article a while back that indicated that some people will divulge passwords for something as trivial as a latte' or chocolate -- the cost goes up from there.

  24. Re:Look! Someone gave me a new keyboard! by inKubus · · Score: 4, Funny

    That's why I keep a liberal supply of dandruff and chicken grease on my keyboard at all times. Even if the boffins manage to make an identical keyboard (with the windows keys ripped out, no less), they could never recreate the back-alley ambiance.

    --
    Cool! Amazing Toys.
  25. Nagle's algorhitm by vadim_t · · Score: 5, Informative

    Just enable (as it's usually disabled for things like SSH) Nagle's algorhitm, and it should destroy most of the timing information.

    For those who don't know, it's a TCP optimization that buffers data until there's a packet worth of data, or an ACK is received for the last packet sent, so that writing 1 byte of data into a socket doesn't immediately result in sending a packet with 40 bytes of overhead, and 1 byte of data.

  26. bullshit detector says hardly needed by frovingslosh · · Score: 4, Insightful
    Sure, you could add your own jitter, but it's not really needed. My bullshit detector went off right as I hit the text reading "adding imperceptible delays to keypresses as people". Come on! People add their own imperceptable delays to keypresses, particularly when typing passwords. Other system and network activity adds timing discrepencies to packets that would mask this "jitter". And in most cases when a password is sent, it is sent in a packet, not as individual packets for each character, meaning that the keyboard can't really influence the between letter spacing at all. Plus the keyboard has no comprehension of what is going on upon the screen, it has no way to know if what is being typed is a password or not, so there is no way it can detect and specially encode passwords, it would have to somehow influence the system in a way that allowed it to encode every single keypress as this magic keypress jitter. Because of other packet "jitter" already affecting traffic, I don't believe it could even work if robots were doing all the typing, but certainly not for humanas.

    Sure, there is valid reason to be concerned about spying hardware and software being built into computers.But unfortunatey bullshit hype like this just clouds the issue, when it is finally discredited it will just make it that much harder for people who are warning of valid concerns.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:bullshit detector says hardly needed by frovingslosh · · Score: 4, Insightful

      That makes no sense at all. Remember, and this is something that you seem to be completely ignoring, This is a keyboard, it sends keystrokes to the motherboard, it does not send packets to the Internet! Packets would be sent by some software that was in the computer after the keystrokes are reeceived. SO, ok, lets pretend that the keyboard can indeed slightly delay packets and know how long ago in milliseconds it was since the last key press, even if it was several minutes. Then yes, the keyboard could convey one bit of data with each keypress. But it can only convey it as far as the local computer that is receiving keystrokes. If that computer is not in on the game and is not running special software to detect the delays, then this whole thing is meaningless! And if it is compromised, then there are far simpler ways to capture and send passwords than to have a hardware hack keyboard that uses this bogus "jitter" nonsense.

      --
      I'm an American. I love this country and the freedoms that we used to have.
  27. Re:Could you get around this...Tech Fight. by ender_ · · Score: 2, Informative

    If the noise is of the same or greater order of magnitude then the signal. Yes, you can foil the process.

    Ever heard of a SNR?

    Ender

    --
    Bzzt Whir Click
  28. Re:What about user -induced lag? by adrianmonk · · Score: 3, Insightful
    I RTFA'd and I don't see how this would work with regular, semi-random typing -ie. I may 'sit on a character' while I space out or think about what to type next -or try to find the next key....

    There may be several schemes that would work, but here's the simplest one I can think of off the top of my head. Basically, you figure out what the maximum delay that can go unnoticed is, and you buffer keystrokes for that length of time. For example, if you determine that nobody ever notices when a keystroke is delayed 100 ms, you buffer keystrokes for that long.

    Now, if during that period of time you get multiple keystrokes, then you spit the keystrokes out of your queue with a predefined timing. If you want to send a 0, you might send the first keystroke out, then wait 50 ms, then send the second. If you want to send out a 1, then you might wait 75 ms between the keystrokes. So basically, you get opportunistic about it. Only if you have two keystrokes in a short period of time do you try to encode data in the timing.

    But of course there will be times when the user is typing slowly, and you don't get 2 or more keystrokes in a short interval, but you still have to send them out. The solution to that problem is easy: if you aren't trying to send a 0 or 1, just make sure you never send out any keystroke sooner than 100 ms after you sent the last one. Now you have a system where (at the remote end), if you see two packets arrive about 50 ms apart, that's a 0, and if you have two arrive about 75 ms apart, that's a 1, and if you have two arrive about 100 ms or more apart, that's no data (a no-op).

    And of course you want all kinds of redundancy built in because the network and the TCP/IP stack and the operating system will add lots of noise and corruption to your covert data stream, so you'll have to piece it back together. But that's an easy enough problem provided you don't mind reducing the bandwidth even further than what it is already is.

    Oh, speaking of bandwidth, you can probably encode more than one bit per keystroke pretty easily. Coincidentally enough, today I was observing network latency between two sites about 1000 miles apart, and I noticed that even though the latency was usually around 70 ms, the standard deviation seemed to be much lower, down around 2 or 3 ms. So in this case, depending on how much you want to delay things (you can't delay things so much that an average typist can outpace you!), you could use one of a set of several different delays between keystrokes. You might encode 3 bits by doing intervals spaced 5 ms apart. So, 50 ms for 000, 55 ms for 001, 60 ms for 010, 65 ms for 011, ..., 85 ms for 111, and 110 ms for no-op. (Things get complicated, but I'm assuming you'd want a bigger gap between no-op and the others since no-op will occur very frequently.)

  29. Re:Cool, where can I get the source? by Architect_sasyr · · Score: 2, Interesting

    On a more serious note though..
    I always thought it was easier to just torture somebody for the password?

    Who needs torture when there is vodka? Also, if they're like me you have two passwords, one overwrites the hard disk ;)

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  30. Here's what scares me about this... by spagetti_code · · Score: 2, Insightful

    The government of the USA has already shown a proclivity towards watching its citizens. To be fair, this phenomenon isn't limited to the USA, but Bush has taken it to new levels.

    We now know that the government secretly had printer manufacturers embed hidden ID codes on printer's output, thereby removing any possibility of anonymous document creation.

    I wouldn't be surprised if some enterprising Bush-ite didn't see the possibility here of having *every* keyboard manufactured with some form of this technology embedded. Imagine if the government could tell what you were typing just by listening to your traffic.

    Think of the terrorists we could stop! Think of the children!

  31. Yes, you can get around this by sacrilicious · · Score: 4, Informative
    No, you can't get around this, because if it's built into the keyboard, then it's a hardware thing, and any software based solution will be insufficient.

    Incorrect. It's true that there'd be no way to prevent the keyboard from collecting data, but one could certainly prevent the successful transmission of the collected data. The way the data would be encoded would be via the timing of the packets sent in response to keystrokes; that logic path most definitely involves software levels, specifically (in the example given of a remote terminal session) the choice of the software to send a packet once per keystroke. The proposed solution of introducing jitter to the packets is indeed a solution, and a simple straightforward one at that.

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
    1. Re:Yes, you can get around this by Reziac · · Score: 2, Insightful

      I'm wonder if Treach^H^H^H^H^H Trusted Computing (the TC chip in the computer itself) might *prevent* a software solution from interfering with a compromised keyboard...???

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  32. Should I worry about my HP Jitterbug Keyboard by rodion_schlatzski · · Score: 3, Funny
    A power supply problem zapped my HP Keyboard and the replacement arrived about 10 minutes ago. A lable on the outside reads:

    5069-7601 TASC

    -barcode-

    ASSY-KBD JITTERBUG PS/2 US/PAPE

    --- I guess it is time for HP to rename this sucker!

  33. Re:Scary! by Physics+Nobody · · Score: 2, Funny

    See, that's why I only use Model Ms: Smashing the keyboard on the monitor breaks the monitor, not the keyboard. In retrospect that may not be a good thing...

    --

    Physics is good

  34. The...William...Shatner...Keyboard. by darnok · · Score: 3, Funny

    Great...so...now...everything...I...type...will... look...like...William...Shatner...speaking...

    Each...word...gets...it's...own...sentence

    At least stuff I type will appear more dramatic

  35. Pah! by stunt_penguin · · Score: 2, Funny

    A keyboard that phones home? I want a phone that lets me type at 120wpm. Now that would be impressive ^^

    --
    When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
  36. Finally... by chicago_scott · · Score: 4, Funny

    This sounds like a good way for citizens to track politicians' activity. As citizens we need better ways to serruptitiously monitor our public servants.

    Smaller cameras would be better too.

  37. Re:Scary! by Bombcar · · Score: 4, Funny

    So if you had 40 USB keyboards plugged into one machine, and used a different one to type each character of the password, you wouldn't have a problem, correct?

    --
    Fellowship 9/11
  38. bullshit by nazsco · · Score: 2, Insightful

    let's assume microsseconds delays in packets to transfer data. riiiiiiiiight...

    they should market it as a replacement for tcp/ip for real time applications rather then a scriptkiddie wet dream's keyloger.

  39. Lag from the JitterBug or from network latency? by frdmfghtr · · Score: 3, Interesting
    FTA:

    In applications such as telnet and remote desktop, a packet is sent every time a user presses a key. By causing calculated "jitters" in keyboard input while such a program is running, a JitterBug could slightly delay data sent over the network. Certain amounts of delay could represent a one or a zero in each packet that is linked to keyboard use, allowing an attacker to send secret information in otherwise innocuous data without modifying software or initiating any new connections.


    How much jitter has to be introduced into the packet stream to be detected as inserted delay and not network latency?

    Pinging my own wireless router:

    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 2.611/2.823/3.343/0.233 ms

    --- google.com ping statistics ---
    11 packets transmitted, 11 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 10.530/10.839/11.361/0.251 ms

    --- yahoo.com ping statistics ---
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 61.703/65.211/68.176/2.781 ms

    Maybe the sample size isn't big enough, but how does one differentiate inserted delays from network latency? If the difference between the keystroke and the packet is the modulated data, how do you get this information to a recipient with to reference to when the keystroke was pressed? Maybe there's some fancy signal processing involved similar to spread spectrum, but that's never been a strong suit.

    (Asked by a network simpleton)
    --
    Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
  40. Don't be silly ... by b0r1s · · Score: 2, Funny

    Why would the US Government need to worry about this? It's not like most departments and branches buy all of their PC components manufacturered in China or anything...

    Oh, wait....

    --
    Mooniacs for iOS and Android
  41. It's 1AM, do you know where your keyboard is? by Kadin2048 · · Score: 5, Insightful

    Mod parent up. This was my immediate question as well, and I still haven't heard it answered.

    If you want to encode information into the delay between key-press packets, then you need to make the delay significantly longer (at least a few standard deviations) than the average difference between two keypress packets.

    People don't type at exactly the same rate, so if the delay in between keypresses varies (I'm making up numbers here) between 100 and 150 ms, then you need to make the introduced delay greater than 50ms.

    Alternately, you could buffer all of the incoming keystrokes in the computer, and send them out at a constant rate (say exactly 100ms apart); then you'd only have to add a small delay to them in order to encode information. But unless the packets are being buffered and sent out in such an orderly fashion by the host system already, it seems like this kind of behavior could be easily picked up on, because it would cause a delay of at least a few keystrokes in an interactive system (if there's one packet per keystroke and you're queueing and buffering a few packets at a time). I'm sure there's probably some nice mathematical formula for the amount of transit time you'd add (from the time the key goes down to the time it's received by the host system) as a result of buffering out all the variation in the timing between packets ... I just can't think of it right now.

    Ultimately though, I don't see any defense against an attack like this. If someone can compromise your hardware, particularly your input devices, you're quite screwed. I've always seen it as an extension of the 'local console root' rule: if someone can get to the CPU, then they have root. I guess we've got to extend this to keyboards, mice, and monitors as well: if you don't know where everything that you pass unencrypted information through was last night, maybe you shouldn't be using it.

    Messing with the delay is only one of many ways that someone could sneak information out of an area -- it's neat, technically, but there are a lot of low-tech ways that would work just as well (including the audio recorder trick from a while back, where you can determine a typed password by listening to a recording of the keypresses).

    If you only wanted a system that would work once, you could build a more powerful keystroke-recorder into a keyboard. Instead of having it mess with the delay, make it wake up the computer in the middle of the night (logging on -- it's not hard to grab your password on a Windows box, since it's nicely defined as the first thing you type after pressing Ctrl-Alt-Del and before return), and then executing a macro that emailed a recording of everything that had been typed recently to a dead-drop.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:It's 1AM, do you know where your keyboard is? by Eivind · · Score: 2, Insightful
      That's not nessecarily true, it depends on the preciseness of your timing, and the aditionally introduced jitter that you cannot control.

      An example.

      Assume a user types a character on the average every 100ms.

      If you could time to the ms then you could encode 2 secret bits on each packet by delaying the packet by 0,1,2 or 3 ms

      Decoding the stream would be a simple matter of taking the sequence of delays and run mod4 on them.

      If noise made this impractical (i.e. single-ms timing is impossible) then you could do the same thing by adding 0, 10, 20 or 30 ms delay to every packet, using delay mod 10 for decoding.

      The delay you need to add is completely unrelated to the typing-speed of the user. It is related only to the accuracy with which you can cause and measure delay.

      If the user pressed a single key once an hour, you could *still* delay that packet by 0, 10, 20 or 30ms and thus transport 2 "hidden" bits. The only assumption being that you can cause and measure delay accurately enough that you can detect which of the 4 happened.

  42. Oh! No! My keyboard! by TristanGrimaux · · Score: 2, Funny

    And that's why my keyboard has an ethernet connector!

    Damn!

    --
    Donde Ser Geek No Duele
  43. The demise of the password on the horizon by ebvwfbw · · Score: 2, Insightful
    I used to be a nay sayer for doing away with passwords. However it seems clear that we will have to do away with them one day and rely on something we have (a device - USB drive, RSA secure-id, etc) rather than something we know (a password). Perhaps a combination of the two will eventually win out - something we have and know.

    Lost your device? Just answer what your dog's name is (Cujo) or what you wanted to be when you grew up (Convenience store attendant, just like Apu).