Input Devices Security

Compromising Wired Keyboards (277 comments)

Posted by CmdrTaco
from the not-a-lot-of-substance-here dept.
Flavien writes "A team from the Security and Cryptography Laboratory (LASEC) in Lausanne, Switzerland, found 4 different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. They tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of the 4 attacks. While more information on these attacks will be published soon, a short description with 2 videos is available."
  • by Anonymous Coward on Monday October 20, 2008 @09:33AM (#25439925)

    I won't type what I think about that...

  • TEMPEST (Score:5, Informative)

    by michaelhood (667393) on Monday October 20, 2008 @09:33AM (#25439929)

    This appears to be related to why TEMPEST [wikipedia.org] attacks work on monitors.

    • Re:TEMPEST (Score:5, Insightful)

      by CRCulver (715279) <crculver@christopherculver.com> on Monday October 20, 2008 @09:43AM (#25440013) Homepage
      Indeed. Already a decade ago I was hearing people claim that the best way to enter passphrases and the like would be an on-screen keyboard whose keyboard map changes after each letter is input, all ideally displayed with a TEMPEST-resistant font. Even back then people knew anything wired was snoopable.
      • Re: (Score:3, Interesting)

        Perhaps something like The Optimus Tactus [artlebedev.com] would be ideal?
      • Re: (Score:3, Interesting)

        by anagama (611277)
        How about using Xmodmap -- I could see a script that generates a random keyboard layout, a key-to-character chart would have to be printed on the screen (which could be a problem I suppose), then you poke out your password, and then revert to the usual layout.
        • by anagama (611277)
          On second thought -- is it the actual key being pressed that creates the signal, or the sequence of bits for a particular character being transmitted that creates the signal? I'm guessing it's the latter, in which case randomizing the keyboard is only annoying.
          • by anagama (611277)
            On third thought, the keyboard doesn't transmit a character -- it sends a signal which software interprets as a character. So randomizing Xmodmap should work.
        • Re:TEMPEST (Score:4, Interesting)

          by lbgator (1208974) <(james.olou) (at) (gmail.com)> on Monday October 20, 2008 @12:27PM (#25442341)

          ...I could see a script that generates a random keyboard layout, a key-to-character chart would have to printed on the screen...

          INGdirect [ingdirect.com] does this with their log in. Users have a numeric password, they can enter it by:
          -using the mouse to click the number pad displayed on the screen, or
          -typing the letters that are randomly assigned to the numbers on the screen
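The one-time random letter layout that anagama proposes above (and that lbgator describes ING Direct doing on screen) is easy to script. The following is an added example written for this page, not code from the thread, from ING Direct or from the LASEC team. It assumes an X11 session with the default evdev keycodes for the 26 letter keys (the numbers in `KEYCODES` are those defaults; confirm them on your box with `xmodmap -pke` before trusting them) and only permutes letters, leaving digits and punctuation alone. The point of the exercise is the one anagama reaches on third thought: whatever an eavesdropper recovers is the physical key (its scancode, its emanation, its sound), so if the key-to-letter map is fresh for every password entry and lives only on the screen, the captured key sequence does not give the password.

```python
"""One-time randomized letter layout for password entry via xmodmap.

Added example (not from the thread, ING Direct or LASEC). Assumptions:
  * X11 with the default evdev keycodes for the 26 letter keys; the values
    in KEYCODES are those defaults. Verify with `xmodmap -pke`.
  * Only letters are permuted; every other key keeps its usual keysym.
"""
import secrets
import string

# Physical key (named by the letter it normally produces) -> X keycode.
# Assumed default evdev values, not read from the running server.
KEYCODES = {
    "q": 24, "w": 25, "e": 26, "r": 27, "t": 28, "y": 29, "u": 30, "i": 31,
    "o": 32, "p": 33, "a": 38, "s": 39, "d": 40, "f": 41, "g": 42, "h": 43,
    "j": 44, "k": 45, "l": 46, "z": 52, "x": 53, "c": 54, "v": 55, "b": 56,
    "n": 57, "m": 58,
}

LETTERS = string.ascii_lowercase


def random_layout(rng=None):
    """Return {physical_key: letter it now produces}, a random bijection.

    Uses the OS CSPRNG by default; a seeded random.Random may be passed in
    for reproducible tests, never for real use.
    """
    rng = rng or secrets.SystemRandom()
    shuffled = list(LETTERS)
    rng.shuffle(shuffled)
    return dict(zip(LETTERS, shuffled))


def xmodmap_script(layout):
    """xmodmap expressions applying `layout`; pipe to `xmodmap -`."""
    lines = []
    for key, letter in sorted(layout.items(), key=lambda kv: KEYCODES[kv[0]]):
        lines.append(f"keycode {KEYCODES[key]} = {letter} {letter.upper()}")
    return "\n".join(lines) + "\n"


def restore_script():
    """xmodmap expressions that put the letter keys back to identity."""
    return xmodmap_script({k: k for k in LETTERS})


def chart(layout):
    """The on-screen chart: physical key -> what it types right now."""
    rows = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
    return "\n".join(" ".join(f"{k}:{layout[k]}" for k in row) for row in rows)


def keys_to_press(layout, password):
    """Physical keys the user must hit (reading the chart) so that the
    host receives `password`. This is all an eavesdropper can capture."""
    inverse = {letter: key for key, letter in layout.items()}
    return "".join(inverse.get(ch, ch) for ch in password)


def host_receives(layout, pressed):
    """What the host sees after xmodmap translates the pressed keys."""
    return "".join(layout.get(k, k) for k in pressed)


if __name__ == "__main__":
    layout = random_layout()
    print(chart(layout))
    print(xmodmap_script(layout))          # apply with: xmodmap - < this
    pressed = keys_to_press(layout, "trustnoone")
    print("eavesdropper sees keys:", pressed)
    print("host receives:", host_receives(layout, pressed))
    print(restore_script())                # revert afterwards
```

Two practical caveats the thread already raises apply to this script as written: the chart itself is on the monitor, which the same family of attacks can read, and the mapping has to be regenerated (and the restore script applied) every single time, or the captured key sequence is as good as the password.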

      • by LWATCDR (28044)

        Kind of in the range of "Duh", isn't this? Tempest goes back into the 80s and maybe even past that.
        Seems very odd to me that this is news. I remember seeing an article on slashdot about reading modem leds, and all sorts of other methods.
        I guess you could wrap your keyboard cable and monitor cable in a conductor and ground it to help cut the effective range down. Or just not worry about it.

    • Re:TEMPEST (Score:5, Interesting)

      by Harley_Ghostrider (1226170) on Monday October 20, 2008 @10:01AM (#25440223)
      I agree. I don't see the big "News Flash" on this. This was well known back in the mid 80's when I fixed computers for the military. They had to be Tempest certified before and after the fixes. It was common knowledge that EMF emissions would be able to be picked up and recorded some distance away from the host computer.
      • Re:TEMPEST (Score:5, Insightful)

        by IceCreamGuy (904648) on Monday October 20, 2008 @10:58AM (#25440963) Homepage

        I don't see the big "News Flash" on this.

        I think the big news flash on this is that they actually performed four different, real attacks on real, physical keyboards. Theory is one thing, someone actually saying "hey, we can really do this on the cheap now to 11 different keyboards sold at your local Best Buy; here's how..." is another. I don't think it's unreasonable to consider that "news for nerds."

    • Re:TEMPEST (Score:4, Funny)

      by Hoplite3 (671379) on Monday October 20, 2008 @10:10AM (#25440331)

      The TEMPEST attack is nothing compared to the TEMPEST 2000 attack. Pew pew pew!

  • by Drakkenmensch (1255800) on Monday October 20, 2008 @09:34AM (#25439935)
    Is this going to be another one of those hollow claims backed up by a viral video, like unlocking car doors with a tennis ball?
  • Hmm... (Score:4, Funny)

    by pzs (857406) on Monday October 20, 2008 @09:35AM (#25439943)

    I might have to extend my tinfoil hat to some kind of head-mounted lead telephone box.

  • by The Ultimate Fartkno (756456) on Monday October 20, 2008 @09:37AM (#25439961)

    ...why should I worry? I work for BoingBoing.

  • by apathy maybe (922212) on Monday October 20, 2008 @09:38AM (#25439967) Homepage Journal

    To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiations emitted when keys are pressed. To analyze compromising radiations, we generally use a receiver tuned on a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy since a significant amount of information is lost.

    Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.

    Looks like a room or building size Faraday Cage [wikipedia.org] (a foil hat the size of your house!) might be the only defence...

    Especially considering that you can also detect what is shown on monitors (again, by detecting the electromagnetic radiation), and so on screen "keyboards" operated with a mouse become not so useful.

    It's not clear from the article whether they have to have the keyboard beforehand to be able to record which key-press outputs what radiation, or if they can use this (and by that I mean one of the four) technique on any old keyboard, including ones they haven't seen before.

    Anyway, this shouldn't be too surprising to anyone, electronics emit electromagnetic radiation, which can be captured.

    • by bhima (46039) * <Bhima.PandavaNO@SPAMgmail.com> on Monday October 20, 2008 @09:48AM (#25440069) Journal

      Being the only house on your block not radiating all sorts of data sounds like an excellent reason for the DHS to perform a no-knock raid with legions of SWAT teams and an armored troop carrier or two.

      • by Anonymous Coward on Monday October 20, 2008 @09:57AM (#25440177)

        Which is why you move to Pennsylvania and live among the Amish. Also, your crazy hacker beard will look a little less crazy.

      • by Aphoxema (1088507) *

        I know you're not serious, or I hope you aren't, but how would they know the difference between you intentionally blocking transmissions and just not having stuff turned on?

        • by jimicus (737525)

          I know you're not serious, or I hope you aren't, but how would they know the difference between you intentionally blocking transmissions and just not having stuff turned on?

          Probably because it's not just computers that emit electromagnetic radiation. Even the mains wiring will emit a certain amount.

          • by Aphoxema (1088507) *

            Oh, yeah... I'll just need a monkey playing solitaire on a computer that isn't shielded all the time.

            Privacy is so damned expensive...

          • by Shakrai (717556)

            Probably because it's not just computers that emit electromagnetic radiation. Even the mains wiring will emit a certain amount.

            So what if you just shield the room where the PC is? They'd still see emissions from your TV and other appliances but none from the PC. I'd also say let em knock down my door. If they can't compromise my encryption key then seizing my PC isn't going to be very useful.....

            • by bhima (46039) *

              I'd say the existence of encryption is ample evidence to convince a judge to compel you to reveal your key.
              I'd also say that most enforcement agencies, which are going to be participating in such a no-knock raid on a domestic terrorist, have some pretty damn interesting forensic tools designed to circumvent encryption (preventing the computer from ever going to sleep is one common tactic employed).

              So if you are going to bother encrypting you had better brush up on forensics tools and prepared to go jail for no

              • by bhtooefr (649901)

                What about installing a microcontroller in the PSU that checks the AC line frequency, and if it's not within the range of what you get at your house (there's slight variances everywhere, after all,) send +120VAC straight into every DC line?

              • by Shakrai (717556)

                I'd say the existence of encryption is ample evidence to convince a judge to compel you to reveal your key.

                Umm, in the United States the case law [cnet.com] so far suggests that they can't compel you to turn over the key. Even if they did compel you to turn over the key, what's to stop you from adopting the Bush Administration approach of "I can't recall"?

                I'd also say that most enforcement agencies, which are going to be participating in such a no-knock raid on a domestic terrorist, have some pretty damn interesting forensic tools designed to circumvent encryption (preventing the computer from ever going to sleep is one common tactic employed).

                Well, I'm a little confused as to why you felt the need to bring up the 'T' word, but regardless, how can it be assured that the PC is on when they raid the house? If the PC isn't on then what good does having access to it do? The big concern that I've read about is a co [wikipedia.org]

        • by bhima (46039) *

          What do you mean by "not serious"? Do you mean have I removed the Faraday cage that used to surround the inside of my home in fear that the Department of Homeland Security would send in great numbers of heavily armed men into my home? Or do you mean "not serious" in that I would have never put up a Faraday cage in first place? Or "Not Serious" in that I would be surprised if this reported in the news? Or "Not Serious" in that the DHS would not decide a US citizen did not fit a certain profile and then proc

      • by UnknowingFool (672806) on Monday October 20, 2008 @10:13AM (#25440361)

        The solution to this is simple. Have at least one computer outside the cage. If you have a teenager, even better. 'Cause nothing would drive those eavesdroppers crazier than listening in on teenage conversations:

        No way!
        4sho!
        LOLZ
        idc. let's go w bff jill

        Of course, this might be one of those cases where the solution is worse than the problem.

        • by TheLink (130905)
          That's no problem, just use two AI bots chatting with each other instead of having a teenager.

          The snoops would have to monitor for a significant time before they'd realize the difference.

          If they're choosing to monitor your house for hours, they probably have something else on you.
        • Good luck to them if they try spying on my typing.

          "Backspace (bsp), bsp, hith, bsp, bsp, hi theree, bsp..."

      • by MBGMorden (803437)

        Yeah, because SWAT is totally raiding all those people without TV's and computers . . .

      • They need a reason to do that?

      • by umghhh (965931)

        or directly use napalm instead

    • by deander2 (26173) *

      damn... and i was hoping for security on my desk AND a working cell phone in my pocket. =P

    • Seriously, can the guy type faster than 3 words a minute? Can his decoding software only work up to a certain speed? I am betting most people enter their passwords in less than a second, not with second-long pauses between each character.

    • by d3ac0n (715594) on Monday October 20, 2008 @11:05AM (#25441071)

      Looks like a room or building size Faraday Cage (a foil hat the size of your house!) might be the only defence...

      This is actually easier to do than you might imagine. My old house was essentially a Faraday Cage. You could NOT get a wireless signal more than 1 foot outside it. Why? Aluminum Siding. Add in aluminum powder tinted windows (triple layer UV and thermal glass) and the only leakage was straight up through the roof.

      So you could get an OK cell-phone signal on the second floor (2 bars), but almost nothing on the first floor. Walk out the front door, 4 bars. Same with WiFi. Full strength "g" signal anywhere inside, walk outside and the connection drops.

      My current home has asbestos siding (bleah!) that does nothing to attenuate the Wifi signal, so I actually had to encrypt my wireless for the first time ever when I moved. I can pick up my wireless signal about 2 doors away now, and it's the same wireless device I used in my old house, located in a roughly similar spot (close to the center of the house, in the basement, on a shelf near the basement rafters)

      If I could I'd re-side in Aluminum again, but the costs to re-side an asbestos tile sided house are astronomical, and many places simply won't do it.

      Regardless, if you really want to attenuate any wireless signals going into or out of your home, slap on some aluminum siding. You'll kill those pesky wireless signals, AND make your house look really nice at the same time.

      • by WillAdams (45638)

        Interesting.

        One thing I've been curious about is how effective just putting the wireless router in the basement would be --- my house is on quite a bit of a slope, but there'd still be ~10--15 feet of earth (and rocks, mostly sandstone, lots and lots of rocks) between the router and anywhere one could get a signal outside.

        William

  • Cryptonomicomics (Score:5, Insightful)

    by argent (18001) on Monday October 20, 2008 @09:53AM (#25440125) Homepage Journal

    Oh no, we will have to learn to type code by tapping on a single key and read the results in the flickering of the hard drive light.

    When they can manage the same trick in a noisy office environment with dozens of keyboards and monitors in use, then I'll worry.

    • Re: (Score:3, Interesting)

      by Sockatume (732728)
      On that subject, I recall that certain brands of modem lit the activity indicator by flashing it on for a zero and off for a one. The LED was quick enough to allow an attacker to read off all the data from across the room.
        by argent (18001) on Monday October 20, 2008 @10:35AM (#25440635) Homepage Journal

        Most modems back in the '80s just ran either RD, TD, or (RD|TD) through the LED. It was cheap and easy and gave you a good activity signal. Nobody cared about people sniffing the data through the LED, and really hardly anyone is ever going to be in a situation where they're even potentially exposed. And for virtually all the rest, this is hardly the low hanging fruit... if you can get close enough to read the LED, you're close enough to see what the target is doing any number of easier ways.

    • Re: (Score:3, Funny)

      by mikael (484)

      Or you could always get a second keyboard and a monkey. Combined together, they should generate enough random data to disguise what you are typing.

  • Now all you have to do is talk your target into removing all possible sources of interfering EM from their computer (like the power supply, the screen, etc.) and to pause between each character that they type.
  • laptops only? (Score:3, Insightful)

    by ikirudennis (1138621) * on Monday October 20, 2008 @09:55AM (#25440155) Homepage
    These videos indicate that the power supply interferes with the signal, so they only test on laptops running on battery. Does this mean that it doesn't work on desktop computers?
    • by rishistar (662278)

      It may be the process of the battery being charged while it's plugged in that interferes with signals - it certainly can affect recording audio via a mic input in a laptop.

    • Re:laptops only? (Score:5, Informative)

      by tsvk (624784) on Monday October 20, 2008 @10:08AM (#25440307)

      I understood that the disconnecting of the charger was because the "victim" laptop computer and the "attacker" desktop computer were connected to the same electrical mains network of the building.

      By disconnecting the laptop charger it was proven that the keyboard signal was truly intercepted from over-the-air electromagnetic radiation, as the laptop was "independent" and not connected to anything. There was not any chance that the signal could have leaked or transmitted any other way.

    • Re: (Score:3, Informative)

      by mollymoo (202721)

      These videos indicate that the power supply interferes with the signal, so they only test on laptops running on battery. Does this mean that it doesn't work on desktop computers?

      I think they only removed the power supply and monitor because sniffing monitor and power supply emissions are known attacks. They wanted to demonstrate that it really was the keyboard they were sniffing. I guess we'll have to wait for the paper to see how well it works when the other emissions you get from a complete system are pr

      • by anagama (611277)
        Well, in that case it would have been nice if they ran the attack with a complete running setup and tried to type at least 30 wpm. After watching the videos, I had the impression that the decoding software and/or hardware was simply not sensitive enough to capture real data -- this doesn't rule out future refinement, but it makes the current demo less impressive.
  • Couldn't this easily be mitigated with an encrypted keyboard link?
    • by Aphoxema (1088507) *

      Or just have a monkey type stuff out on another keyboard all the time.

      TsaqggaRahdfjhadfY Tafhnae4na76O aRangsdEa4636AanyhryD T4gmbjjhnozbsHyaengjasdojgboI4asbjgsx5yS YsdgbajrnlynrOrayeryreU Byaery5hbeautrAuntrauahShaheTahkapdfhAgaeiyp45RfwdgDS

      • Re: (Score:2, Funny)

        by fprintf (82740)

        Holy smokes. Either a coincidence or you have been snooping my network, but that is exactly the beginning of my AES key...

  • I like this method:

    Set up a microphone (directional is preferred) and direct it at the keyboard you would like to monitor. Record the sound of the person typing their password a few times. Then send them an email and a response request. Record that sound and use it to determine the sound of each key. Because of wear, finger position, and angle of attack, each keypress sounds a little different than the rest.

    Now, thanks to the email responses, you have a sample of what the keys should sound like.

    Of course

    • by moranar (632206)

      That assumes no typos and no editing.

      • That assumes no typos and no editing.

        Because of the silent backspace key?

        • by moranar (632206)

          No, because you don't know which of them is backspace if you have to compare what's written to what's recorded. Or maybe I'm getting it wrong.

          • No, because you don't know which of them is backspace if you have to compare what's written to what's recorded. Or maybe I'm getting it wrong.

            It makes it a bit tougher, but it's a basic substitution cypher. Assuming you can match up any correctly-typed portion of the text with sounds, finding the parts that don't match up will allow you to determine which is the backspace. Just think about how unique the spacebar sound is. If you can even match up the number of non-spacebar keypresses with the spacebar keypresses, you've just about solved it right there and the rest is a trivial exercise.

            Of course, it's much tougher if someone is constantly us

        • by Neoprofin (871029)
          You might be able to figure out the backspace but good luck if your target is a little scatter brained and likes to hop around sometimes. You may be able to pick up a mouse click too but you'd have no idea from sound alone where characters had just been removed or added.
    • by Yvan256 (722131)

      Or you could, you know, just ask the guy his password.

      What, no good?
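The acoustic scheme sketched in the post above, and the "basic substitution cipher" argument in the replies about the backspace key, reduce to a small piece of bookkeeping once the recording has been cut into individual presses and like-sounding presses have been grouped. The example below is added for this page and is not code from the thread or from any published keystroke-acoustics tool; it assumes that such a front end already exists and emits one integer cluster label per press, with the same physical key producing the same label. The labels in `SIM_LABELS` and `BACKSPACE_LABEL` are constructed stand-ins for that front end, not measurements. With the solicited e-mail reply as known plaintext, the labels become a substitution key; an unknown recording (the password) is then decoded by lookup, and the backspace is found exactly as the reply argues: by locating the one press in a known text that contradicts it.

```python
"""Acoustic keystroke recovery as a substitution problem (added example).

Not from the thread or any published tool. Assumed: a front end has cut the
recording into presses and clustered them, giving one integer label per
press (same key -> same label). SIM_LABELS below is a constructed stand-in
for that front end so the example runs offline.
"""

KEYS = "abcdefghijklmnopqrstuvwxyz "
SIM_LABELS = {ch: 100 + i for i, ch in enumerate(KEYS)}   # constructed
BACKSPACE_LABEL = 200                                      # constructed


def simulate(typed):
    """Labels the (assumed) clusterer would emit for a key sequence.
    '\\b' in `typed` stands for a backspace press."""
    return [BACKSPACE_LABEL if ch == "\b" else SIM_LABELS[ch] for ch in typed]


def learn_mapping(labels, known_text):
    """Build label -> character from a recording whose text is known, e.g.
    the e-mail reply the attacker solicited. Raises if one cluster was
    matched to two different characters (the clustering was too coarse)."""
    if len(labels) != len(known_text):
        raise ValueError("press count differs from text length; "
                         "typos or editing in the recording")
    mapping = {}
    for label, ch in zip(labels, known_text):
        if mapping.setdefault(label, ch) != ch:
            raise ValueError(f"label {label} matched both "
                             f"{mapping[label]!r} and {ch!r}")
    return mapping


def decode(mapping, labels):
    """Recover text from a recording; labels never seen in training become '?'."""
    return "".join(mapping.get(label, "?") for label in labels)


def find_backspace(labels, known_text, mapping):
    """Known text typed with exactly one corrected typo: the press stream is
    ...<wrong key><backspace><right key>... and is two presses longer than
    the text. Try every position for the <wrong,backspace> pair and keep
    those where the rest decodes exactly to the text. Returns the set of
    candidate backspace labels (more than one means the text was ambiguous)."""
    if len(labels) != len(known_text) + 2:
        raise ValueError("expected exactly one <wrong><backspace> pair")
    candidates = set()
    for j in range(len(labels) - 1):
        rest = labels[:j] + labels[j + 2:]
        if any(label not in mapping for label in rest):
            continue                      # an unknown press can't confirm the text
        if decode(mapping, rest) == known_text:
            candidates.add(labels[j + 1])
    return candidates


if __name__ == "__main__":
    reply = "the quick brown fox jumps over the lazy dog"   # known plaintext
    key = learn_mapping(simulate(reply), reply)
    print("recovered password:", decode(key, simulate("trust no one")))
    print("backspace label:", find_backspace(simulate("passwp\bord"), "password", key))
```

The same limits the replies point out survive in the code: `learn_mapping` needs every key of interest to appear in the known text (the pangram above is doing that work), one backspace is handled, and cursor moves or mouse clicks that relocate the insertion point are invisible to this model.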

  • Instead of trying to put 72 hot keys, along with a volume knob, EQ, and 17 LEDs emitting a dizzying array of light colors, how about just a keyboard?

    Without all the extra crap, there just may be a chance to reduce the overall voltage required to drive a keyboard, and therefore reduce the emanations. Could go hand in hand with all this talk of going "Green" with PCs.

    Of course, that will never happen, because we're far too fascinated with keyboard bling. After all, feature-creep isn't a problem, it's a lif

    • Re: (Score:3, Interesting)

      On the other hand, all the extra blinkenlights would create more interference, reducing the effectiveness of this attack.

    • by Yvan256 (722131)

      Check out the Apple Aluminium keyboard. It only has a led for Caps Lock and the multimedia keys are the same as the function keys. I don't know if it helps but the whole top is aluminium, which could shield a bit of EMI.

  • Nothing new (Score:5, Interesting)

    by thered2001 (1257950) on Monday October 20, 2008 @10:04AM (#25440259) Journal
    I saw this demonstrated about 10 years ago while working for a military contractor during a demonstration to increase awareness of security risks. They were able to capture video and keyboard data through a wall adjacent to the PC being monitored. (I can't elaborate on who 'they' were...but I'm sure astute readers can guess correctly.)
  • This certainly doesn't surprise me, I've only taken apart one keyboard in my life that appeared to be properly shielded, something I wish was more popular. I actually managed to break a PS/2 port once through a static discharge that left my finger black, and this was back when USB keyboards were a really new thing.

    Same with mice and a million USB peripherals, plastic isn't nearly enough, everything should have a proper faraday shield, yet even the most expensive stuff doesn't.

  • Speed (Score:2, Interesting)

    by asCii88 (1017788)
    Has anybody noticed that he types really slow? I believe it might not work correctly if many keys are pressed in a short period of time.
  • by sirwired (27582) on Monday October 20, 2008 @10:15AM (#25440395)

    As everyone should know, the IBM Model M is the One True Keyboard. Surely all of the steel plating inside that thing must be good for something! If all else fails, the relentless clicking while they listen to your bugged cube or house should drive them completely insane.

    Even if it doesn't prevent snooping, you could still use the thing as a self-defense weapon when Mysterious Men From the Shadows come to capture you.

    SirWired

  • by Manip (656104) on Monday October 20, 2008 @10:22AM (#25440483)

    MI5 have had this for years. I mean at the range talked about in the article they can also get a good picture quality from your monitor too. This problem has been known about since the 1980s and is the reason why the security services use magnetic shielding either in an entire building or just in private rooms (such as those that exist in every British Embassy internationally).

    EM leaks have no real solution at this stage except to shield like crazy. There is potential for some kind of white noise generator but different pieces of electronics would require one tuned to them and the levels required would make a blanket device expensive, or overly large.

    I wouldn't worry about people listening in to your keyclicks at home just yet. Perhaps if you work for a big corp and there is money on the line. Corporate espionage is big business, arguably even bigger than legitimate government work.

    • Re: (Score:3, Interesting)

      by Yvanhoe (564877)
      CRT monitors used to leak a lot of EM. Is it still working with LCD screens? I doubt it
      • Re: (Score:3, Informative)

        by Anonymous Coward

        CRT monitors used to leak a lot of EM. Is it still working with LCD screens? I doubt it

        http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf

  • Shenanigans? (Score:5, Interesting)

    by tdc_vga (787793) on Monday October 20, 2008 @10:30AM (#25440579)
    If you watch the video he sets the keyboard.eavesdropper into a listening/polling state waiting for keypress information. From there it's filtered and decoded -- fine. Now the part that seemed odd to me is it exits as soon as it finds the 'e' in 'trust no one', why?

    If the eavesdropper is in a polling state it should continue looking for more keypresses, unless there are some smoke and mirrors going on. Also, if you listen there's no termination sent -- no keypresses heard on camera.
  • This thing has an aluminium top (but a plastic back), would it be safer than a 100% plastic casing keyboard?

    How about those new unibody MacBooks and MacBook Pros?

    No, I didn't RTFA.

  • Does it work.. (Score:2, Interesting)

    by inotocracy (762166)
    ..when you operate the computer like a normal person? You know, powered on machine, typing at a normal rate..
  • Would it help if the keyboard was lined with oh I don't know...tinfoil perhaps? Or use a plastic with soft iron embedded into it? I mean I am just spit balling here, but this shouldn't be that hard to reduce emissions on.

  • Until they come up with a way to compromise butterflies, the only thing they will pick up from from my keyboard is: C-x M-c M-butterfly [xkcd.com]
  • I bet it's the long cable that acts as an antenna? Though that doesn't explain how laptop models are affected.

    Anyhow... maybe we could apply an HDCP-like end-to-end encryption protocol down to the keyboard, or even to each physical key... Microsoft did an ASIC for the blue-ray mouse, could they make one for each key too? I am thinking the FBI might want to order thousands of them...

  • by sunderland56 (621843) on Monday October 20, 2008 @12:31PM (#25442399)
    Isn't it odd how the program knows ahead of time how many keys you are going to type, and conveniently exits after decoding exactly that many?

    Sure - it *could* have an exit condition where it quits if it hasn't seen a keystroke in n seconds. But, on the second video, it doesn't time out while the camera goes to the other room - but it does time out while the camera comes back. And besides - who would create their program that way? Just have it decode anything received in an infinite loop - far easier to use.
