Compromising Wired Keyboards

Flavien writes "A team from the Security and Cryptography Laboratory (LASEC) in Lausanne, Switzerland, found 4 different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. They tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of the 4 attacks. While more information on these attacks will be published soon, a short description with 2 videos is available."

Time for a Faraday cage?

[apathy maybe]

To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiations emitted when keys are pressed. To analyze compromising radiations, we generally use a receiver tuned on a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy since a significant amount of information is lost.

Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.

Looks like a room or building size Faraday Cage [wikipedia.org] (a foil hat the size of your house!) might be the only defence...

Especially considering that you can also detect what is shown on monitors (again, by detecting the electromagnetic radiation), and so on screen "keyboards" operated with a mouse become not so useful.

It's not clear from the article whether they have have the keyboard before hand to be able to record which key-press outputs what radiation, or if they can use this (and by that I mean one of the four) technique on any old keyboard, including ones they haven't seen before.

Anyway, this shouldn't be too surprising to anyone, electronics emit electromagnetic radiation, which can be captured.

Re:TEMPEST

[__aajxax2722]

I agree. I don't see the big "News Flash" on this. This was well known back in the mid 80's when I fixed computers for the military. They had to be Tempest certified before and after the fixes. It was common knowledge that EMF emissions would be able to be picked up and recorded some distance away from the host computer.

Nothing new

[thered2001]

I saw this demonstrated about 10 years ago while working for a military contractor during a demonstration to increase awareness of security risks. They were able to capture video and keyboard data through a wall adjacent to the PC being monitored. (I can't elaborate on who 'they' were...but I'm sure astute readers can guess correctly.)

Speed

[asCii88]

Has anybody noticed that he types really slow? I believe it might not work correctly if many keys are pressed in a short period of time.

Re:Features win over Security (again).

[Constantine XVI]

On the other hand, all the extra blinkenlights would create more interference, reducing the effectiveness of this attack.

Re:TEMPEST

[FiveDozenWhales]

Perhaps something like The Optimus Tactus [artlebedev.com] would be ideal?

MI5 & Intelligence Agencies

[Manip]

MI5 have had this for years. I mean at the range talked about in the article they can also get a good picture quality from your monitor too. This problem has been known about since the 1980s and is the reason why the security services use magnetic shielding either in an entire building or just in private rooms (such as those that exist in every British Embassy internationally).

EM leaks have no real solution at this stage except to shield like crazy. There is potential for some kind of white noise generator but different pieces of electronics would require one tuned to them and the levels required would make a blanket device expensive, or overly large.

I wouldn't worry about people listening in to your keyclicks at home just yet. Perhaps if you work a big corp and there is money on the line. Corporate espionage is big business arguably even bigger than legitimate government work.

Re:Cryptonomicomics

[Sockatume]

On that subject, I recall that certain brands of modem lit the activity indicator by flashing it on for a zero and off for a one. The LED was quick enough to allow an attacker to read off all the data from across the room.

Shenanigans?

[tdc_vga]

If you watch the video he sets the keyboard.eavesdropper into a listening/polling state waiting for keypress information. From there it's filtered and decoded --fine. Now the part that seemed odd to me is it exits as soon as it finds the 'e' in 'trust no one', why?

If the eavesdropper is in a polling state it should continue looking for more keypresses, unless something there are some smoke and mirrors going on. Also, if you listen there's no termination sent --no keypresses heard on camera.

Does it work..

[inotocracy]

..when you operate the computer like a normal person? You know, powered on machine, typing at a normal rate..

Re:Up to 20 meters?

[fprintf]

Think of this as a proof of concept, with additional range yet to come. To you it might not be a big deal, but to others (e.g. the tinfoil hat crowd) it is likely a very small distance in time between the current 20 meter range and a 100 yards or more. And yet to others still, it is of concern now, for example apartment blocks, condos or dormitories where you may be less than 20 meters away from several other residents.

Re:MI5 & Intelligence Agencies

[Yvanhoe]

CRT monitors used to leak a lot of EM. Is it still working with LCD screens ? I doubt it

Re:Time for a Faraday cage?

[d3ac0n]

Looks like a room or building size Faraday Cage (a foil hat the size of your house!) might be the only defence...

This is actually easier to do than you might imagine. My old house was essentially a Faraday Cage. You could NOT get a wireless signal more then 1 foot outside it. Why? Aluminum Siding. Add in aluminum powder tinted windows (triple layer UV and thermal glass) and the only leakage was straight up through the roof.

So you could get an OK cell-phone signal on the second floor (2 bars), but almost nothing on the first floor. Walk out the front door, 4 bars. Same with WiFi. Full strength "g" signal anywhere inside, walk outside and the connection drops.

My current home has asbestos siding (bleah!) that does nothing to attenuate the Wifi signal, so I actually had to encrypt my wireless for the first time ever when I moved. I can pick up my wireless signal about 2 doors away now, and it's the same wireless device I used in my old house, located in a roughly similar spot (close to the center of the house, in the basement, on a shelf near the basement rafters)

If I could I'd re-side in Aluminum again, but the costs to re-side an asbestos tile sided house are astronomical, and many places simply won't do it.

Regardless, if you really want to attenuate any wireless signals going into or out of your home, slap on some aluminum siding. You'll kill those pesky wireless signals, AND make your house look really nice at the same time.

Re:TEMPEST

[anagama]

How about using Xmodmap -- I could see a script that generates a random keyboard layout, a key-to-character chart would have to printed on the screen (which could be a problem I suppose), then you poke out your password, and then revert to the usual layout.

Re:TEMPEST

[lbgator]

...I could see a script that generates a random keyboard layout, a key-to-character chart would have to printed on the screen...

INGdirect [ingdirect.com] does this with their log in. Users have a numeric password, they can enter it by:
-using the mouse to click the number pad displayed on the screen, or
-typing the letters that are randomly assigned to the numbers on the screen