A way to sniff keystrokes from thin air
- 13 March, 2009 06:15
That PC keyboard you're using may be giving away your passwords. Researchers say they've discovered new ways to read what you're typing by aiming special wireless or laser equipment at the keyboard or by simply plugging into a nearby electrical socket.
Two separate research teams, from the Ecole Polytechnique Federale de Lausanne and security consultancy Inverse Path have taken a close look at the electromagnetic radiation that is generated every time a computer keyboard is tapped. It turns out that this keystroke radiation is actually pretty easy to capture and decode -- if you're a computer hacker-type, that is.
The Ecole Polytechnique team did its work over the air. Using an oscilloscope and an inexpensive wireless antenna, the team was able to pick up keystrokes from virtually any keyboard, including laptops. "We discovered four different ways to recover the keystroke of a keyboard," said Matin Vuagnoux, a Ph.D. student at the university. With the keyboard's cabling and nearby power wires acting as antennas for these electromagnetic signals, the researchers were able to read keystrokes with 95 percent accuracy over a distance of up to 20 meters (22 yards), in ideal conditions.
Laptops were the hardest to read, because the cable between the keyboard and the PC is so short, making for a tiny antenna. The researchers found a way to sniff USB keyboards, but older PS/2 keyboards, which have ground wires that connect right into the electric grid, were the best.
Even encrypted wireless keyboards are not safe from this attack. That's because they use a special algorithm to check which key is pressed, and when that algorithm is run, the keyboard gives off a distinctive electromagnetic signal, which can be picked up via wireless.
Vuagnoux and co-researcher Sylvain Pasini were able to pick up the signals using an antenna, an oscilloscope, an analog-digital converter and a PC, running some custom code they've created. Total cost: about US$5,000.
Spies have long known about the risk of data leaking via electromagnetic radiation for about 50 years now. After the U.S. National Security Agency found strange surveillance equipment in a U.S. Department of State communications room in 1962, the agency began looking into ways that radiation from communications equipment could be tapped. Some of this research, known as Tempest, has now been declassified, but public work in this area didn't kick off until the mid-1980s.
The idea of someone sniffing out keystrokes with a wireless antenna may seem ripped from the pages of a spy thriller, but criminals have already used sneaky techniques such as wireless video cameras placed near automated teller machines and Wi-Fi sniffers to steal credit-card numbers and passwords.
"If you are a company using highly confidential data, you have to know that the keyboard is a problem," Vuagnoux said.
If pulling keystrokes out of thin air isn't bad enough, another team has found a way to get the same kind of information out of a power socket. Using similar techniques, Inverse Path researchers Andrea Barisani and Daniele Bianco say they get accurate results, picking out keyboard signals from keyboard ground cables.
Their work only applies to older, PS/2 keyboards, but the data they get is "pretty good," they say. On these keyboards, "the data cable is so close to the ground cable, the emanations from the data cable leak onto the ground cable, which acts as an antenna," Barisani said.
That ground wire passes through the PC and into the building's power wires, where the researchers can pick up the signals using a computer, an oscilloscope and about $500 worth of other equipment. They believe they could pick up signals from a distance of up to 50 meters by simply plugging a keystroke-sniffing device into the power grid somewhere close to the PC they want to snoop on.
Because PS/2 keyboards emanate radiation at a standard, very specific frequency, the researchers can pick up a keyboard's signal even on a crowded power grid. They tried out their experiment at a local university's physics department, and even with particle detectors, oscilloscopes and other computers on the network were still able to get good data.
Barisani and Bianco will present their findings at the CanSecWest hacking conference next week in Vancouver. They will also show how they've been able to read keystrokes by pointing a laser microphone at reflective surfaces on a laptop, such as the screen. Using the laser's very precise measurements of the vibrations on the screen's surface caused by typing, they can figure out what is being typed.
Previously researchers had shown how the sound of keystrokes could be analyzed to figure out what is being typed, but using the laser microphone to pick up mechanical vibrations rather than sound makes this technique much more effective, Barisani said. "We extend the range because with the laser microphone, you can be hundreds of meters away," he said.
The Ecole Polytechnique team has submitted their research for peer review and hopes to publish it very soon.