Compromising Wired Keyboards
Flavien writes "A team from the Security and Cryptography Laboratory (LASEC) in Lausanne, Switzerland, found 4 different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. They tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of the 4 attacks. While more information on these attacks will be published soon, a short description with 2 videos is available."
I won't type what I think about that...
This appears to be related to why TEMPEST attacks work on monitors.
Is this going to be another one of those hollow claims backed up by a viral video, like unlocking car doors with a tennis ball?
I might have to extend my tinfoil hat to some kind of head-mounted lead telephone box.
Hello? Is this thing on?
...why should I worry? I work for BoingBoing.
Looks like a room or building size Faraday Cage (a foil hat the size of your house!) might be the only defence...
Especially considering that you can also detect what is shown on monitors (again, by detecting the electromagnetic radiation), and so on screen "keyboards" operated with a mouse become not so useful.
It's not clear from the article whether they have the keyboard beforehand to be able to record which key-press outputs what radiation, or if they can use this (and by that I mean one of the four) technique on any old keyboard, including ones they haven't seen before.
Anyway, this shouldn't be too surprising to anyone, electronics emit electromagnetic radiation, which can be captured.
I wank in the shower.
"like unlocking car doors with a tennis ball".
It's much easier with a cricket ball. Just use it to break the window.
All I did was point a hidden camera at the keyboard.
Simple, next gen of high sec keyboards will have metal mesh in the cable and plug, and also either be made of metal or have metal casing.
Oh no, we will have to learn to type code by tapping on a single key and read the results in the flickering of the hard drive light.
When they can manage the same trick in a noisy office environment with dozens of keyboards and monitors in use, then I'll worry.
Now all you have to do is talk your target into removing all possible sources of interfering EM from their computer (like the power supply, the screen, etc.) and to pause between each character that they type.
These videos indicate that the power supply interferes with the signal, so they only test on laptops running on battery. Does this mean that it doesn't work on desktop computers?
Couldn't this easily be mitigated with an encrypted keyboard link?
I like this method:
Setup a microphone (directional is preferred) and direct it at the keyboard you would like to monitor. Record the sound of the person typing their password a few times. Then send them an email and a response request. Record that sound and use it to determine the sound of each key. Because of wear, finger position, and angle of attack, each keypress sounds a little different than the rest.
Now, thanks to the email responses, you have a sample of what the keys should sound like.
Of course, a simple video camera is often much easier.
Instead of trying to put 72 hot keys, along with a volume knob, EQ, and 17 LEDs emitting a dizzying array of light colors, how about just a keyboard?
Without all the extra crap, there just may be a chance to reduce the overall voltage required to drive a keyboard, and therefore reduce the emanations. Could go hand in hand with all this talk of going "Green" with PCs.
Of course, that will never happen, because we're far too fascinated with keyboard bling. After all, feature-creep isn't a problem, it's a lifestyle, right?
I saw this demonstrated about 10 years ago while working for a military contractor during a demonstration to increase awareness of security risks. They were able to capture video and keyboard data through a wall adjacent to the PC being monitored. (I can't elaborate on who 'they' were...but I'm sure astute readers can guess correctly.)
This certainly doesn't surprise me, I've only taken apart one keyboard in my life that appeared to be properly shielded, something I wish was more popular. I actually managed to break a PS/2 port once through a static discharge that left my finger black, and this was back when USB keyboards were a really new thing.
Same with mice and a million USB peripherals, plastic isn't nearly enough, everything should have a proper faraday shield, yet even the most expensive stuff doesn't.
I'll have to encrypt mentally now.
The developer of truecrypt (hard drive encryption software) has been made aware of these issues in the past and so far has refused to include any kind of graphical keyboard interface in the software. It is extremely frustrating when you have a problem like this staring you in the face and they refuse to deal with it.
Has anybody noticed that he types really slow? I believe it might not work correctly if many keys are pressed in a short period of time.
Its output is a stream of small stone tablets bearing glyphs.
As everyone should know, the IBM Model M is the One True Keyboard. Surely all of the steel plating inside that thing must be good for something! If all else fails, the relentless clicking while they listen to your bugged cube or house should drive them completely insane.
Even if it doesn't prevent snooping, you could still use the thing as a self-defense weapon when Mysterious Men From the Shadows come to capture you.
What are the motivation posters on the wall on video #2? I mean, does anybody know if they are for real or the parody ones?
MI5 have had this for years. I mean at the range talked about in the article they can also get a good picture quality from your monitor too. This problem has been known about since the 1980s and is the reason why the security services use magnetic shielding either in an entire building or just in private rooms (such as those that exist in every British Embassy internationally).
EM leaks have no real solution at this stage except to shield like crazy. There is potential for some kind of white noise generator but different pieces of electronics would require one tuned to them and the levels required would make a blanket device expensive, or overly large.
I wouldn't worry about people listening in to your keyclicks at home just yet. Perhaps if you work a big corp and there is money on the line. Corporate espionage is big business arguably even bigger than legitimate government work.
If you watch the video he sets the keyboard.eavesdropper into a listening/polling state waiting for keypress information. From there it's filtered and decoded -- fine. Now the part that seemed odd to me is it exits as soon as it finds the 'e' in 'trust no one', why?
If the eavesdropper is in a polling state it should continue looking for more keypresses, unless there are some smoke and mirrors going on. Also, if you listen there's no termination sent -- no keypresses heard on camera.
The question is, how realistic is it that anyone can really get anything useful doing this? In an office there are so many of us typing away that it would be a total jumble. If you lived in an apartment complex, it's quite likely there would be enough external interference that even in the next apartment they couldn't pick anything up. That leaves my house, and a 20 meter radius puts you on my property, good luck setting up your equipment without me noticing you on my front lawn. It sounds neat but highly unlikely that it can be an actual problem.
I'm wondering if this is really an issue.... I mean come on, they used a damn HUGE antenna for the setup with the wall in between, always disconnected the PSU and typed really carefully and slowly. It would be interesting to see how much you can still recover with a more realistic setup, like a faster typer, plugged-in PSUs, some other electronic equipment in the room and an antenna that can be put in/on top of one of these neat little dark vans.
That'll keep 'em busy! (Or at least keep the /. crowd busy debating whether it would help or not.)
If I would wrap my keyboards cable with thin foil would that solve the problem?
Which other simple tricks could make it much more difficult to (try to) stop these type of attacks (to some level)?
This thing has an aluminium top (but a plastic back), would it be safer than a 100% plastic casing keyboard?
How about those new unibody MacBooks and MacBook Pros?
No, I didn't RTFA.
..when you operate the computer like a normal person? You know, powered on machine, typing at a normal rate..
Would it help if the keyboard was lined with oh I don't know...tinfoil perhaps? Or use a plastic with soft iron embedded into it? I mean I am just spit balling here, but this shouldn't be that hard to reduce emissions on.
Are we supposed to believe this on the grounds of this "proof"? There are countless ways to cheat, including:
* The program is just a fake.
* The laptop's wifi.
* Some kind of transmitter in the keyboard itself.
* Dude running into the other room and feeding the program the same data.
* Advanced voice recognition ("I am going to type blah").
* "decode" is the da vinci virus.
http://www.bigrat.co.uk/equipment/bigrat.html
Squirrel!
Seriously, can the guy type faster than 3 words a minute? Can his decoding software only work up to a certain speed? I am betting most people enter their passwords in less than a second, not with second-long pauses between each character.
The video looks fishy, how does the computer program know when to stop collecting keyboard input? The video shows someone going to the other keyboard and when coming back the program has quit.
And what about the electromagnetic interference of the whole computer running close to the antenna, and the keyboard of that computer?
Fishy
Until they come up with a way to compromise butterflies, the only thing they will pick up from from my keyboard is: C-x M-c M-butterfly
I bet it's the long cable that acts as an antenna? Though that doesn't explain how Laptop models are affected.
Anyhow... maybe we could apply an HDCP-like end-to-end encryption protocol down to the keyboard, or even to each physical key... Microsoft did an ASIC for the blue-ray mouse; could they make one for each key too? I am thinking the FBI might want to order thousands of them...
Why isn't my keyboard and monitor DRM-laden? I demand a rotating 1024 bit cipher on my keyboard!
WHERE OH WHERE IS THE RIAA TO PROTECT ME?!
I find it interesting that somehow the program knows when to shut down... Especially in the second video: Before the guy with the camera gets back, the program already has finished and is returned to the command line.
Were any of these attacks against a TEMPEST certified keyboard? If that's true, then it's *extremely* noteworthy. I suspect these were against traditional keyboards, in which case this finding is only mildly interesting. Many gov't contracts have been requiring TEMPEST compliant keyboards for a while, illustrating that this has been on the radar for a while.
Since the protocol is effectively just a low-speed digital signal... almost a square wave, the keyboard cable will radiate broad-spectrum noise around the 16 kHz band (a PS/2 keyboard clocks at around 10-16 kHz from a quick Google lookup).
That frequency might be too low for a ferrite bead to stop but it's worth a try anyway. The keyboard cable is going to be too short to act as an antenna at that frequency but because it is a square wave there are going to be a lot of harmonics. And because the base frequency is so low it could very well be that the noise generated from the computer itself would not interfere so much. So a ferrite bead might actually work.
They could also be measuring HF generated by the keyboard processor or matrix. The keyboard matrix itself is being scanned continuously, probably in the high kHz or MHz range, and those *ARE* long wires running in a matrix. Hitting a key will shortcut portions of the scan and produce discernible frequency spikes. Since the keyboard is constantly scanning it would be possible to resample multiple times to kick down the noise floor before the user lets go of the key.
I don't know any easy way to protect against that short of wrapping the whole keyboard in tinfoil, or typing very quickly. A keyboard designer could simply go with a 4-layer board with power and ground planes on the outside, that would put the scanning traces in a faraday cage.
It could be that other effects are being measured as well. When you type there is always a reaction from the computer, such as burning cpu cycles to process the interrupt as well as a reaction from the application being typed into. I doubt those could be translated into actual key codes though.
-Matt
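Added example, not code from the thread or from the LASEC team: a small model of the cable signal Matt is talking about, built on the PS/2 device-to-host frame (start bit, 8 data bits LSB first, odd parity, stop bit; the host latches data on the clock's falling edge). The 12 kHz clock, the 1.2 MHz sample rate of the simulated trace and the use of make codes only (no F0-prefixed release codes) are assumptions; the scan codes are standard set 2. It decodes "trust no one" from a simulated clock/data trace, then shows two things the post only states: the clock's energy is spread over its odd harmonics and falls off only as 1/h, and an observer who can merely count data-line edges per frame cannot tell several keys apart (partial rather than full recovery).

```python
"""Model of a PS/2 device-to-host frame. Added example, not the LASEC code.
Assumptions: 12 kHz clock (the post cites 10-16 kHz), 1.2 MHz sampling of the
simulated trace, make codes only. Scan codes are set 2."""
import math

PS2_CLOCK_HZ = 12_000      # assumed; real keyboards vary between ~10 and ~16 kHz
SAMPLE_RATE = 1_200_000    # assumed ADC rate, chosen so one bit is exactly 100 samples
SAMPLES_PER_BIT = SAMPLE_RATE // PS2_CLOCK_HZ

# Set 2 make codes for the characters used in the demo.
SET2 = {'t': 0x2C, 'r': 0x2D, 'u': 0x3C, 's': 0x1B, 'n': 0x31, 'o': 0x44, 'e': 0x24, ' ': 0x29}


def frame_bits(byte):
    """11-bit frame: start (0), 8 data bits LSB first, odd parity, stop (1)."""
    data = [(byte >> i) & 1 for i in range(8)]
    parity = 1 - (sum(data) % 2)          # odd parity: data+parity has an odd number of ones
    return [0] + data + [parity] + [1]


def render(bits):
    """Return (clock, data) sample lists. The device drives data while the clock
    is high and the host latches it on the falling edge; both lines idle high."""
    half = SAMPLES_PER_BIT // 2
    clock, data = [], []
    for b in bits:
        clock += [1] * half + [0] * (SAMPLES_PER_BIT - half)
        data += [b] * SAMPLES_PER_BIT
    return clock, data


def decode(clock, data):
    """What the host (or an eavesdropper with a clean copy of both lines) sees:
    latch data on every falling clock edge, then check framing and parity."""
    latched = [data[i] for i in range(1, len(clock)) if clock[i - 1] == 1 and clock[i] == 0]
    codes = []
    for k in range(len(latched) // 11):
        frame = latched[11 * k: 11 * k + 11]
        if frame[0] != 0 or frame[10] != 1:
            raise ValueError("framing error in frame %d" % k)
        data_bits = frame[1:9]
        if (sum(data_bits) + frame[9]) % 2 != 1:
            raise ValueError("parity error in frame %d" % k)
        codes.append(sum(b << i for i, b in enumerate(data_bits)))
    return codes


def data_edges(bits):
    """Number of transitions on the data line for one frame (idle high before/after).
    An eavesdropper who can only count edges, not time them, sees just this number."""
    seq = [1] + bits + [1]
    return sum(1 for a, b in zip(seq, seq[1:]) if a != b)


def edge_count_classes(chars):
    """Group characters that are indistinguishable by edge count alone."""
    classes = {}
    for c in sorted(chars):
        classes.setdefault(data_edges(frame_bits(SET2[c])), []).append(c)
    return classes


def harmonic_amplitudes(signal, fundamental_hz, n_harmonics=5):
    """Single-bin DFT at h * fundamental for h = 1..n, normalised so a unit-amplitude
    sine reads 1.0. Shows where a square clock puts its energy."""
    n = len(signal)
    mean = sum(signal) / n
    amps = []
    for h in range(1, n_harmonics + 1):
        w = 2 * math.pi * h * fundamental_hz / SAMPLE_RATE
        re = sum((s - mean) * math.cos(w * i) for i, s in enumerate(signal))
        im = sum((s - mean) * math.sin(w * i) for i, s in enumerate(signal))
        amps.append(2 * math.hypot(re, im) / n)
    return amps


if __name__ == "__main__":
    bits = [b for c in "trust no one" for b in frame_bits(SET2[c])]
    clock, data = render(bits)
    back = {v: k for k, v in SET2.items()}
    print("decoded:", "".join(back[code] for code in decode(clock, data)))
    print("edge-count classes:", edge_count_classes(SET2))
    print("clock harmonics 1..5:", ["%.3f" % a for a in harmonic_amplitudes(clock, PS2_CLOCK_HZ)])
```

Run it and the harmonic list comes out as roughly 0.64, 0, 0.21, 0, 0.13: even harmonics vanish for a 50% duty clock and the odd ones shrink only as 1/h, so a ferrite that does nothing at 12 kHz still has the 5th, 7th, 9th... harmonics to bite on. The edge-count grouping puts e, n, o, s and t in one class, u alone and r with space, which is the kind of "partial recovery" a crude edge detector gets before any timing information is used.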
Looks like a room or building size Faraday Cage (a foil hat the size of your house!) might be the only defence...
Would it be feasible and useful to shield only the keyboard case and wire? If it isn't useful by itself, could it be a necessary part of a bigger useful prevention measure?
Isn't it odd how the program knows ahead of time how many keys you are going to type, and conveniently exits after decoding exactly that many?
Sure - it *could* have an exit condition where it quits if it hasn't seen a keystroke in n seconds. But, on the second video, it doesn't time out while the camera goes to the other room - but it does time out while the camera comes back. And besides - who would create their program that way? Just have it decode anything received in an infinite loop - far easier to use.
Capturing emissions is one thing and only half the battle. An attacker would have valuable knowledge, but still requires a vector to use it. Since they are 1-20m away, physical access seems likely, but then they really didn't need to sniff KBs to break into a system, did they?
How about creating some 'emissions' ? Maybe even creating some when no one is looking? No IP stack to trace, no logs to reveal. Now that would be much more elegant.
11 different wired keyboard models bought between 2001 and 2008
I'm assuming my IBM Model M is safe, then...security through obscurity is your best friend.
I'm pretty sure my Model M is transmitting kilowatt-range signals but maybe the cast-iron chassis absorbs them...?
Does a computer need to know whether or not you are using a Dvorak layout, or are the codes sent to the computer the same? Seems like if they have the same keys, then they could send the same codes, and therefore the physical layout of the buttons would be irrelevant. If this is the case, you wouldn't even need a replacement cipher. Seems to me that it would be like saying you need a replacement cipher for an ergonomic keyboard, but again, I don't know if you need a special interpreter for a Dvorak keyboard.
My parents just had their house with asbestos siding re-sided and the cost wasn't any more expensive than any other house. I believe what was done for theirs is just put the new siding over top of the existing siding with some foam board in between. The more expensive part would probably be finding aluminum siding... do they even make it anymore? Figure vinyl siding has all but eliminated aluminum.
No keystrokes, it auto fills PW's! And can be run from a USB flashdrive. Problem Solved.
use this : Phantom Keystroker
wire the +5 and gnd signal and put a long wire on the data+ pin
this should keep them busy for a while
All you need to do (apparently) is listen to the clicks:
http://yro.slashdot.org/article.pl?sid=04/05/13/0238204
I've spent the last month eradicating everything which transmits other than my mobiles. No more wireless keyboards & mice, bye bye WiFi - back to good old cable. Oh, and no more ethernet over power either. That was a temp measure to sort out a problem but I stopped that when I could plug in in the basement - whilst I live on the 3rd floor.
The main advantage so far is that everything just works. No WiFi collisions, no keyboards and mice to discover (and you can use the cable to find the mouse under a heap of paper :-), no piles of batteries to swap - nice.
Worth the effort..
Because the number of keys to decode is an argument to the program. It'll stop after the Nth key.
The reason for this is because the capturing process is so intensive (I assume they are grabbing the full 32MBytes/sec that the USRP is capable of) that they don't want to run the decoding in parallel, so they capture (then decode) a fixed number of keys.
I obviously hit my least creative time - hitting Submit too early. Caffeine! More!
Anyway, I'm not too worried about this new threat yet - at present it involves a lot of specialist kit and there are still enough people downloading spyware to make this too much effort for little return.
I do, however, wonder what anyone at home can actually do. Would a cable ferrite dampen enough emissions or does one need to go into full Tempest mode?
And to be honest, who apart from ham-fisted retards types like the guy in the video did?
Would that increase the signal strength emitted from the keyboard allowing it to be snooped easier?
If he typed in a normal fashion would the signal be any less detectable?
Seriously, get back to me when you can do this accurately without removing power sources and other standard bits of equipment which add to the background EMI. It is one thing to detect keystrokes from a keyboard hooked up to a laptop using a battery (i.e. the most ideal conditions for producing the result you want), and another to detect those keystrokes with a tower and requisite LCD(s)/CRT(s) before it (dealing with real life factors and interference). Not saying it would be impossible to do, but this kind of comes off as fear mongering to me. "Look what we can do under the perfect conditions!" As if perfect conditions are found everywhere. I'm also curious about the slow and heavy keystrokes used to type things out. Who types out at 1 character per 2 seconds, with the stroke of a hammer? I'm not a touch typist, and I type between 50 and 60 wpm. Could that program fetch my keystrokes amidst the noise of my 2 CRTs and my PC?
5 minutes of bash scripting and i have exact replicas of the BS scripts they ran, including matching the timing of the first one that shows "trust no one". What is scary is that there seem to be many that actually thought this was a real demo. Two different bash scripts, both have different "captured text", and oddly both have the same 1250000 points acquired from source 'CH2'. Well at least they got their 15 minutes of fame.
In 1994, I worked for a company called 'Keycorp' who made keyboards for banks and other POS equipment.
Among their products were the full-size K32S and the smaller K34S. These were secure keyboards which continually pulsed the keyswitch matrix in a random way and continually communicated with the host PC in an encrypted way. It wasn't possible to trigger on a keystroke because you couldn't tell them apart from the random noise.
The point is that even in 1994, people knew that keyboards could be tapped or wirelessly snooped. It's a shame that you can't buy those keyboards - they had real keyswitches, too!
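Added example, not Keycorp's code or anything from the thread, of the link-layer half of what the post above describes (and what the "encrypted keyboard link?" question further up is asking about): every report is encrypted and authenticated under a key shared at pairing, carries a counter so replayed or reordered reports are rejected, and the keyboard emits a fixed-size report at a constant rate whether or not a key is down, so the cable carries the same traffic when idle as when typing. The cipher is a stand-in built from HMAC-SHA256 (a counter-mode keystream plus a separate MAC) because the Python standard library has no AEAD; in a real product you would use AES-GCM or similar. The key, the message layout (4-byte counter, 1-byte code, 16-byte tag) and the 0x00 "idle" marker are assumptions for the demo. Caveat: this only protects what travels on the cable. The matrix scan inside the keyboard still radiates, which is presumably why that product also pulsed the matrix randomly.

```python
"""Authenticated, replay-protected keyboard link. Added example, not Keycorp's
protocol. HMAC-based stand-in cipher because the stdlib has no AEAD; the layout
(counter || ciphertext || tag) and the idle marker are assumptions."""
import hashlib
import hmac
import os
import struct

IDLE = 0x00        # assumed "no key down" marker; not a set 2 make code
TAG_LEN = 16
REPORT_LEN = 4 + 1 + TAG_LEN


class LinkError(Exception):
    pass


def _keystream(key, counter, length):
    # Counter-mode keystream from HMAC. A counter must never repeat under one key.
    return hmac.new(key, b"enc" + struct.pack(">I", counter), hashlib.sha256).digest()[:length]


def _tag(key, counter, ciphertext):
    # MAC covers the counter too, so a tag cannot be moved to a different counter.
    msg = b"mac" + struct.pack(">I", counter) + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Keyboard:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def report(self, scan_code=None):
        """Build one fixed-size report; called every tick, key or no key."""
        if self.counter >= 0xFFFFFFFF:
            raise LinkError("counter exhausted: re-key")
        self.counter += 1
        pt = bytes([IDLE if scan_code is None else scan_code])
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self.key, self.counter, len(pt))))
        return struct.pack(">I", self.counter) + ct + _tag(self.key, self.counter, ct)


class Host:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, report):
        """Verify tag, reject replays/reordering, decrypt. Returns scan code or None (idle)."""
        if len(report) != REPORT_LEN:
            raise LinkError("bad length")
        counter = struct.unpack(">I", report[:4])[0]
        ct, tag = report[4:5], report[5:]
        if not hmac.compare_digest(tag, _tag(self.key, counter, ct)):
            raise LinkError("bad tag")        # tampered, or wrong key
        if counter <= self.last_counter:
            raise LinkError("replay")         # old counter: replayed or reordered
        self.last_counter = counter
        code = ct[0] ^ _keystream(self.key, counter, 1)[0]
        return None if code == IDLE else code


def accepts(host, report):
    """True if the host takes the report, False if it rejects it."""
    try:
        host.receive(report)
        return True
    except LinkError:
        return False


def demo():
    """Run the scenario and return the outcomes so they can be checked."""
    key = os.urandom(32)               # pairing key; assumed provisioned out of band
    kb, host = Keyboard(key), Host(key)
    out = {"idle": host.receive(kb.report())}
    r = kb.report(0x24)                # 'e'
    out["e"] = host.receive(r)
    out["replay"] = accepts(host, r)   # same report again
    bad = kb.report(0x44)              # 'o', then flip one ciphertext bit in transit
    bad = bad[:4] + bytes([bad[4] ^ 0x01]) + bad[5:]
    out["tamper"] = accepts(host, bad)
    out["e_again"] = host.receive(kb.report(0x24))
    return out


if __name__ == "__main__":
    print(demo())
```

Two idle reports, or two reports for the same key, differ byte for byte because the keystream and tag depend on the counter, and they are the same length and sent at the same cadence, so the cable alone no longer says when a key went down. What it does not fix is the emission from the key matrix itself; that needs the shielding and randomised scanning people elsewhere in the thread are talking about.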
I notice the decoder program exited by itself. How did it know when to exit?
I think it's a rigged demo to yank people's chains.
What I use at our home office is a token. I just press a little button on it and I use the password (which is good for about 30 seconds) that pops up on the screen. Granted, I connect to work through a VPN, but having the token makes for a new password every time I log in.
Of course there are other passwords that are static, but does anyone know whether this would be a better solution, having one-time-use passwords more often? Probably much more expensive on a number of levels.