Slashdot Mirror


Compromising Wired Keyboards

Flavien writes "A team from the Security and Cryptography Laboratory (LASEC) in Lausanne, Switzerland, found 4 different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. They tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of the 4 attacks. While more information on these attacks will be published soon, a short description with 2 videos is available."


  1. No comment.. by Anonymous Coward · · Score: 5, Funny

    I won't type what I think about that...

    1. Re:No comment.. by walt-sjc · · Score: 2, Funny

      Great - now I have to tinfoil my house as well as my head!

  2. TEMPEST by michaelhood · · Score: 5, Informative

    This appears to be related to why TEMPEST attacks work on monitors.

    1. Re:TEMPEST by CRCulver · · Score: 4, Insightful

      Indeed. Already a decade ago I was hearing people claim that the best way to enter passphrases and the like would be an on-screen keyboard whose keyboard map changes after each letter is input, all ideally displayed with a TEMPEST-resistant font. Even back then people knew anything wired was snoopable.

    2. Re:TEMPEST by __aajxax2722 · · Score: 5, Interesting

      I agree. I don't see the big "News Flash" on this. This was well known back in the mid 80's when I fixed computers for the military. They had to be Tempest certified before and after the fixes. It was common knowledge that EMF emissions would be able to be picked up and recorded some distance away from the host computer.

    3. Re:TEMPEST by Hoplite3 · · Score: 3, Funny

      The TEMPEST attack is nothing compared to the TEMPEST 2000 attack. Pew pew pew!

      --
      Use the Firehose to mod down Second Life stories!
    4. Re:TEMPEST by FiveDozenWhales · · Score: 3, Interesting

      Perhaps something like The Optimus Tactus would be ideal?

    5. Re:TEMPEST by IceCreamGuy · · Score: 5, Insightful

      I don't see the big "News Flash" on this.

      I think the big news flash on this is that they actually performed four different, real attacks on real, physical keyboards. Theory is one thing, someone actually saying "hey, we can really do this on the cheap now to 11 different keyboards sold at your local Best Buy; here's how..." is another. I don't think it's unreasonable to consider that "news for nerds."

    6. Re:TEMPEST by anagama · · Score: 2, Interesting

      How about using Xmodmap -- I could see a script that generates a random keyboard layout, a key-to-character chart would have to be printed on the screen (which could be a problem I suppose), then you poke out your password, and then revert to the usual layout.

      --
      What changed under Obama? Nothing Good
    7. Re:TEMPEST by ATMD · · Score: 4, Funny

      Oh great, now you've given them the idea.

      One goatse was bad enough :(

      --
      Nobody else has this sig.
    8. Re:TEMPEST by lbgator · · Score: 4, Interesting

      ...I could see a script that generates a random keyboard layout, a key-to-character chart would have to be printed on the screen...

      INGdirect does this with their log in. Users have a numeric password, they can enter it by:
      -using the mouse to click the number pad displayed on the screen, or
      -typing the letters that are randomly assigned to the numbers on the screen
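
The per-login letter chart described in the comment above, sketched as an added example (not code from the thread or from any bank's site). The names `new_challenge`, `keys_to_type`, `decode` and `LoginAttempt` are hypothetical, the PIN is a constructed sample, and holding it in plaintext is a simplification for the demo.

```python
import hmac
import secrets
import string

DIGITS = "0123456789"


def new_challenge(rng=None):
    """Build a fresh on-screen chart: each digit gets one distinct random letter."""
    rng = rng or secrets.SystemRandom()
    letters = rng.sample(string.ascii_lowercase, len(DIGITS))
    return dict(zip(DIGITS, letters))


def keys_to_type(pin, chart):
    """Letters the user presses for this chart; this is all the keyboard emits."""
    return "".join(chart[d] for d in pin)


def decode(typed, chart):
    """Map typed letters back to digits; None if a letter is not on the chart."""
    reverse = {letter: digit for digit, letter in chart.items()}
    try:
        return "".join(reverse[ch] for ch in typed.lower())
    except KeyError:
        return None


class LoginAttempt:
    """One chart per attempt. The chart is spent after a single submission."""

    def __init__(self, expected_pin, chart=None):
        self.expected_pin = expected_pin
        self.chart = chart if chart is not None else new_challenge()
        self.used = False

    def submit(self, typed):
        if self.used:
            return False  # a chart is never accepted twice
        self.used = True
        candidate = decode(typed, self.chart)
        if candidate is None:
            return False
        return hmac.compare_digest(candidate, self.expected_pin)


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    first = LoginAttempt(pin)
    captured = keys_to_type(pin, first.chart)
    print("chart:", first.chart, "typed:", captured, "ok:", first.submit(captured))
    second = LoginAttempt(pin)
    print("replay on new chart:", second.submit(captured))
```

The keystrokes alone are useless against the next chart, but the chart itself is on the display, so the secret now depends on the monitor not being readable, the concern raised elsewhere in this thread.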

    9. Re:TEMPEST by VorpalRodent · · Score: 3, Funny

      Not a virus...a security system. No password, just hit the button hidden in the one place that no one wants to go.

      On second thought...I need to go wash my mind out with bleach now.

      --
      Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
    10. Re:TEMPEST by Jay+L · · Score: 5, Funny

      I think the big news flash on this is that they actually performed four different, real attacks on real, physical keyboards.

      When the first mass-transit-quality teleporter is installed in a major city, there will be a commenter on Slashdot, sneering at it: "This isn't news. They've been doing that at the quantum level for years."

    11. Re:TEMPEST by ORBAT · · Score: 2, Funny

      "If you gaze too long into the abyss, the abyss will gaze into you"

  3. Dubious claim by Drakkenmensch · · Score: 5, Funny

    Is this going to be another one of those hollow claims backed up by a viral video, like unlocking car doors with a tennis ball?

  4. Hmm... by pzs · · Score: 3, Funny

    I might have to extend my tinfoil hat to some kind of head-mounted lead telephone box.

    1. Re:Hmm... by Tetsujin · · Score: 3, Funny

      Chief, don't you think we should use the Cone of Silence?

      --
      Bow-ties are cool.
  5. If it only works on Wired keyboards... by The+Ultimate+Fartkno · · Score: 4, Funny

    ...why should I worry? I work for BoingBoing.

  6. Time for a Faraday cage? by apathy+maybe · · Score: 5, Interesting

    To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiations emitted when keys are pressed. To analyze compromising radiations, we generally use a receiver tuned on a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy since a significant amount of information is lost.

    Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.

    Looks like a room or building size Faraday Cage (a foil hat the size of your house!) might be the only defence...

    Especially considering that you can also detect what is shown on monitors (again, by detecting the electromagnetic radiation), and so on screen "keyboards" operated with a mouse become not so useful.

    It's not clear from the article whether they have the keyboard beforehand to be able to record which key-press outputs what radiation, or if they can use this (and by that I mean one of the four) technique on any old keyboard, including ones they haven't seen before.

    Anyway, this shouldn't be too surprising to anyone, electronics emit electromagnetic radiation, which can be captured.

    --
    I wank in the shower.
    1. Re:Time for a Faraday cage? by bhima · · Score: 4, Insightful

      Being the only house on your block not radiating all sorts of data sounds like an excellent reason for the DHS to perform a no-knock raid with legions of SWAT teams and an armored troop carrier or two.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    2. Re:Time for a Faraday cage? by Anonymous Coward · · Score: 5, Funny

      Which is why you move to Pennsylvania and live among the Amish. Also, your crazy hacker beard will look a little less crazy.

    3. Re:Time for a Faraday cage? by UnknowingFool · · Score: 4, Funny

      The solution to this is simple. Have at least one computer outside the cage. If you have a teenager, even better. 'Cause nothing would drive those eavesdroppers crazier than listening in on teenage conversations:

      No way!
      4sho!
      LOLZ
      idc. let's go w bff jill

      Of course, this might be one of those cases where the solution is worse than the problem.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:Time for a Faraday cage? by d3ac0n · · Score: 4, Interesting

      Looks like a room or building size Faraday Cage (a foil hat the size of your house!) might be the only defence...

      This is actually easier to do than you might imagine. My old house was essentially a Faraday Cage. You could NOT get a wireless signal more than 1 foot outside it. Why? Aluminum Siding. Add in aluminum powder tinted windows (triple layer UV and thermal glass) and the only leakage was straight up through the roof.

      So you could get an OK cell-phone signal on the second floor (2 bars), but almost nothing on the first floor. Walk out the front door, 4 bars. Same with WiFi. Full strength "g" signal anywhere inside, walk outside and the connection drops.

      My current home has asbestos siding (bleah!) that does nothing to attenuate the Wifi signal, so I actually had to encrypt my wireless for the first time ever when I moved. I can pick up my wireless signal about 2 doors away now, and it's the same wireless device I used in my old house, located in a roughly similar spot (close to the center of the house, in the basement, on a shelf near the basement rafters)

      If I could I'd re-side in Aluminum again, but the costs to re-side an asbestos tile sided house are astronomical, and many places simply won't do it.

      Regardless, if you really want to attenuate any wireless signals going into or out of your home, slap on some aluminum siding. You'll kill those pesky wireless signals, AND make your house look really nice at the same time.

      --
      Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    5. Re:Time for a Faraday cage? by Aphoxema · · Score: 2, Funny

      Oh, wow, I don't know how it happened but you're both right, and I'm not even in a cube!

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
    6. Re:Time for a Faraday cage? by Aphoxema · · Score: 2, Informative

      The + on the 120VAC is extraneous.

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
    7. Re:Time for a Faraday cage? by ddusza · · Score: 2, Funny

      Ya, we has them soybeans too...

      --
      Don't fear the penguins
  7. Easier way to open the car... by MindKata · · Score: 5, Funny

    "like unlocking car doors with a tennis ball".

    It's much easier with a cricket ball. Just use it to break the window.

    --
    There are 10 kinds of people in the world... those who understand binary and those who don't.
    1. Re:Easier way to open the car... by nacturation · · Score: 5, Funny

      It's much easier with a cricket ball. Just use it to break the window.

      That may be how the Brits do it, but using a bowling ball generally meets with smashing success.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:Easier way to open the car... by ddusza · · Score: 4, Funny

      No wonder my car is always unlocked when I get out of the tennis club....

      --
      Don't fear the penguins
    3. Re:Easier way to open the car... by HTH+NE1 · · Score: 4, Funny

      Obviously, you'll have to turn the car upside-down if you're going to use a bowling ball. Some people would find that inconvenient.

      Canadians seem to find it easy enough: they use curling stones. Maybe it's easier to flip a car on ice?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  8. Cryptonomicomics by argent · · Score: 4, Insightful

    Oh no, we will have to learn to type code by tapping on a single key and read the results in the flickering of the hard drive light.

    When they can manage the same trick in a noisy office environment with dozens of keyboards and monitors in use, then I'll worry.

    1. Re:Cryptonomicomics by Sockatume · · Score: 2, Interesting

      On that subject, I recall that certain brands of modem lit the activity indicator by flashing it on for a zero and off for a one. The LED was quick enough to allow an attacker to read off all the data from across the room.

      --
      No kidding!!! What do you say at this point?
    2. Re:Cryptonomicomics by argent · · Score: 5, Insightful

      Most modems back in the '80s just ran either RD, TD, or (RD|TD) through the LED. It was cheap and easy and gave you a good activity signal. Nobody cared about people sniffing the data through the LED, and really hardly anyone is ever going to be in a situation where they're even potentially exposed. And for virtually all the rest, this is hardly the low hanging fruit... if you can get close enough to read the LED, you're close enough to see what the target is doing any number of easier ways.

    3. Re:Cryptonomicomics by mikael · · Score: 2, Funny

      Or you could always get a second keyboard and a monkey. Combined together, they should generate enough random data to disguise what you are typing.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  9. laptops only? by ikirudennis · · Score: 3, Insightful

    These videos indicate that the power supply interferes with the signal, so they only test on laptops running on battery. Does this mean that it doesn't work on desktop computers?

    1. Re:laptops only? by tsvk · · Score: 4, Informative

      I understood that the disconnecting of the charger was because the "victim" laptop computer and the "attacker" desktop computer were connected to the same electrical mains network of the building.

      By disconnecting the laptop charger it was proven that the keyboard signal was truly intercepted from over-the-air electromagnetic radiation, as the laptop was "independent" and not connected to anything. There was not any chance that the signal could have leaked or transmitted any other way.

    2. Re:laptops only? by mollymoo · · Score: 2, Informative

      These videos indicate that the power supply interferes with the signal, so they only test on laptops running on battery. Does this mean that it doesn't work on desktop computers?

      I think they only removed the power supply and monitor because sniffing monitor and power supply emissions are known attacks. They wanted to demonstrate that it really was the keyboard they were sniffing. I guess we'll have to wait for the paper to see how well it works when the other emissions you get from a complete system are present.

      --
      Chernobyl 'not a wildlife haven' - BBC News
  10. Features win over Security (again). by geekmux · · Score: 2, Insightful

    Instead of trying to put 72 hot keys, along with a volume knob, EQ, and 17 LEDs emitting a dizzying array of light colors, how about just a keyboard?

    Without all the extra crap, there just may be a chance to reduce the overall voltage required to drive a keyboard, and therefore reduce the emanations. Could go hand in hand with all this talk of going "Green" with PCs.

    Of course, that will never happen, because we're far too fascinated with keyboard bling. After all, feature-creep isn't a problem, it's a lifestyle, right?

    1. Re:Features win over Security (again). by Constantine+XVI · · Score: 2, Interesting

      On the other hand, all the extra blinkenlights would create more interference, reducing the effectiveness of this attack.

      --
      "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
  11. Nothing new by thered2001 · · Score: 5, Interesting

    I saw this demonstrated about 10 years ago while working for a military contractor during a demonstration to increase awareness of security risks. They were able to capture video and keyboard data through a wall adjacent to the PC being monitored. (I can't elaborate on who 'they' were...but I'm sure astute readers can guess correctly.)

    --

    If your only tool is a hammer, every problem becomes a nail.

    1. Re:Nothing new by Constantine+XVI · · Score: 5, Informative

      It's called van Eck phreaking, and it's been applied to monitors for a while now, but no-one's really talked about sniffing from the keyboard.

      --
      "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
  12. Speed by asCii88 · · Score: 2, Interesting

    Has anybody noticed that he types really slow? I believe it might not work correctly if many keys are pressed in a short period of time.

  13. But did they test with a Model M? by sirwired · · Score: 4, Funny

    As everyone should know, the IBM Model M is the One True Keyboard. Surely all of the steel plating inside that thing must be good for something! If all else fails, the relentless clicking while they listen to your bugged cube or house should drive them completely insane.

    Even if it doesn't prevent snooping, you could still use the thing as a self-defense weapon when Mysterious Men From the Shadows come to capture you.

    SirWired

    1. Re:But did they test with a Model M? by thered2001 · · Score: 5, Funny

      I'm not so sure...I would expect that the Model M probably produces a spark-gap kind of effect which can be picked up on AM radios a block away.

      --

      If your only tool is a hammer, every problem becomes a nail.

  14. MI5 & Intelligence Agencies by Manip · · Score: 2, Interesting

    MI5 have had this for years. I mean at the range talked about in the article they can also get a good picture quality from your monitor too. This problem has been known about since the 1980s and is the reason why the security services use magnetic shielding either in an entire building or just in private rooms (such as those that exist in every British Embassy internationally).

    EM leaks have no real solution at this stage except to shield like crazy. There is potential for some kind of white noise generator but different pieces of electronics would require one tuned to them and the levels required would make a blanket device expensive, or overly large.

    I wouldn't worry about people listening in to your keyclicks at home just yet. Perhaps if you work at a big corp and there is money on the line. Corporate espionage is big business, arguably even bigger than legitimate government work.

    1. Re:MI5 & Intelligence Agencies by Yvanhoe · · Score: 2, Interesting

      CRT monitors used to leak a lot of EM. Is it still working with LCD screens? I doubt it

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    2. Re:MI5 & Intelligence Agencies by Anonymous Coward · · Score: 3, Informative

      CRT monitors used to leak a lot of EM. Is it still working with LCD screens? I doubt it

      http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf

  15. Shenanigans? by tdc_vga · · Score: 5, Interesting

    If you watch the video he sets the keyboard.eavesdropper into a listening/polling state waiting for keypress information. From there it's filtered and decoded --fine. Now the part that seemed odd to me is it exits as soon as it finds the 'e' in 'trust no one', why?

    If the eavesdropper is in a polling state it should continue looking for more keypresses, unless there are some smoke and mirrors going on. Also, if you listen there's no termination sent --no keypresses heard on camera.

    1. Re:Shenanigans? by Seth024 · · Score: 2, Insightful

      It was probably set to stop listening after a few seconds to make the demonstration easier.

  16. Does it work.. by inotocracy · · Score: 2, Interesting

    ..when you operate the computer like a normal person? You know, powered on machine, typing at a normal rate..

  17. Re:Encryption by fprintf · · Score: 2, Funny

    Holy smokes. Either a coincidence or you have been snooping my network, but that is exactly the beginning of my AES key...

    --
    This post brought to you by your friendly neighborhood MBA.
  18. Re:Up to 20 meters? by fprintf · · Score: 2, Interesting

    Think of this as a proof of concept, with additional range yet to come. To you it might not be a big deal, but to others (e.g. the tinfoil hat crowd) it is likely a very small distance in time between the current 20 meter range and a 100 yards or more. And yet to others still, it is of concern now, for example apartment blocks, condos or dormitories where you may be less than 20 meters away from several other residents.

    --
    This post brought to you by your friendly neighborhood MBA.
  19. Re:Maybe time for a DVORAK keyboard by rhsanborn · · Score: 2, Insightful

    It shouldn't keep them busy for long. I haven't been able to get to the description yet, but I assume a Dvorak layout, or any other layout for that matter would look like a simple replacement cipher and wouldn't take long to crack.

  20. Strange program.... by sunderland56 · · Score: 2

    Isn't it odd how the program knows ahead of time how many keys you are going to type, and conveniently exits after decoding exactly that many?

    Sure - it *could* have an exit condition where it quits if it hasn't seen a keystroke in n seconds. But, on the second video, it doesn't time out while the camera goes to the other room - but it does time out while the camera comes back. And besides - who would create their program that way? Just have it decode anything received in an infinite loop - far easier to use.

  21. Re:Encryption by Aphoxema · · Score: 2, Funny

    I see you shelled out for the decoder monkey.

    --
    "Most people, I think, don't even know what a rootkit is, so why should they care about it?"