Compromising Wired Keyboards
Flavien writes "A team from the Security and Cryptography Laboratory (LASEC) in Lausanne, Switzerland, found 4 different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. They tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of the 4 attacks. While more information on these attacks will be published soon, a short description with 2 videos is available."
No comment.. (Score:5, Funny)
I won't type what I think about that...
Re: (Score:3, Funny)
Great - now I have to tinfoil my house as well as my head!
TEMPEST (Score:5, Informative)
This appears to be related to why TEMPEST [wikipedia.org] attacks work on monitors.
Re:TEMPEST (Score:5, Funny)
Oh great, now you've given them the idea.
One goatse was bad enough :(
Re:TEMPEST (Score:4, Funny)
On second thought...I need to go wash my mind out with bleach now.
Re:TEMPEST (Score:4, Interesting)
...I could see a script that generates a random keyboard layout, a key-to-character chart would have to be printed on the screen...
INGdirect [ingdirect.com] does this with their log in. Users have a numeric password, they can enter it by:
-using the mouse to click the number pad displayed on the screen, or
-typing the letters that are randomly assigned to the numbers on the screen
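The randomized key-to-character login described in the comment above, sketched as an added example that is not part of the thread and not INGdirect's code; the function names, the sample PIN and the two keystroke charts are constructed assumptions.

```python
import hmac
import secrets
import string

DIGITS = "0123456789"


def new_challenge(rng=None):
    """Return a fresh digit -> letter chart for one login attempt."""
    rng = rng or secrets.SystemRandom()
    letters = rng.sample(string.ascii_uppercase, len(DIGITS))
    return dict(zip(DIGITS, letters))


def encode_pin(pin, chart):
    """What the user types after reading the on-screen chart."""
    return "".join(chart[d] for d in pin)


def verify(typed, chart, stored_pin):
    """Server side: map the typed letters back to digits, then compare."""
    reverse = {letter: digit for digit, letter in chart.items()}
    try:
        candidate = "".join(reverse[ch] for ch in typed.upper())
    except KeyError:
        # A letter that is not on this session's chart cannot be a valid entry.
        return False
    return hmac.compare_digest(candidate, stored_pin)


def replay_succeeds(captured_keys, later_chart, stored_pin):
    """Would keystrokes captured in one session log in under a later chart?"""
    return verify(captured_keys, later_chart, stored_pin)


if __name__ == "__main__":
    pin = "4071"  # constructed sample PIN
    first, second = new_challenge(), new_challenge()
    keys = encode_pin(pin, first)
    print("session 1 keystrokes:", keys, "accepted:", verify(keys, first, pin))
    print("session 2 keystrokes:", encode_pin(pin, second))
    # The chart is displayed on screen, so this only helps against an
    # observer who sees the keystrokes but not the display.
    print("replay of session 1 keys in session 2:",
          replay_succeeds(keys, second, pin))
```

Captured keystrokes alone are tied to one session's chart; anyone who can also read the chart off the display recovers the PIN directly.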
Re: (Score:2)
Kind of in the range of Duh isn't this. Tempest goes back into the 80s and maybe even past that.
Seems very odd to me that this is news. I remember seeing an article on slashdot about reading modem leds, and all sorts of other methods.
I guess you could wrap your keyboard cable and monitor cable in a conductor and ground it to help cut the effective range down. Or just not worry about it.
Re:TEMPEST (Score:5, Insightful)
I don't see the big "News Flash" on this.
I think the big news flash on this is that they actually performed four different, real attacks on real, physical keyboards. Theory is one thing, someone actually saying "hey, we can really do this on the cheap now to 11 different keyboards sold at your local Best Buy; here's how..." is another. I don't think it's unreasonable to consider that "news for nerds."
Re:TEMPEST (Score:5, Funny)
When the first mass-transit-quality teleporter is installed in a major city, there will be a commenter on Slashdot, sneering at it: "This isn't news. They've been doing that at the quantum level for years."
Re:TEMPEST (Score:4, Funny)
The TEMPEST attack is nothing compared to the TEMPEST 2000 attack. Pew pew pew!
Dubious claim (Score:5, Funny)
Easier way to open the car... (Score:5, Funny)
It's much easier with a cricket ball. Just use it to break the window.
Re:Easier way to open the car... (Score:5, Funny)
It's much easier with a cricket ball. Just use it to break the window.
That may be how the Brits do it, but using a bowling ball generally meets with smashing success.
Re:Easier way to open the car... (Score:5, Funny)
Obviously, you'll have to turn the car upside-down if you're going to use a bowling ball. Some people would find that inconvenient.
Canadians seem to find it easy enough: they use curling stones. Maybe it's easier to flip a car on ice?
Re: (Score:2)
Probably...something while technically possible, is not very feasible for practical use.
I really just posted to comment on your sig. I think there is a worse oxymoron: Military Intelligence
Re: (Score:2)
Yes, yes it is.
But it may work if you've got a giant antenna pointed at the keyboard, a known keyboard, a user who types 1 character per second, and there are no other sources of EMF around, like, I don't know, a monitor or another person at another computer.
Hmm... (Score:4, Funny)
I might have to extend my tinfoil hat to some kind of head-mounted lead telephone box.
Re:Hmm... (Score:4, Funny)
Chief, don't you think we should use the Cone of Silence?
If it only works on Wired keyboards... (Score:5, Funny)
...why should I worry? I work for BoingBoing.
Time for a Faraday cage? (Score:5, Interesting)
Looks like a room or building size Faraday Cage [wikipedia.org] (a foil hat the size of your house!) might be the only defence...
Especially considering that you can also detect what is shown on monitors (again, by detecting the electromagnetic radiation), and so on screen "keyboards" operated with a mouse become not so useful.
It's not clear from the article whether they have to have the keyboard beforehand to be able to record which key-press outputs what radiation, or if they can use this (and by that I mean one of the four) technique on any old keyboard, including ones they haven't seen before.
Anyway, this shouldn't be too surprising to anyone, electronics emit electromagnetic radiation, which can be captured.
Re:Time for a Faraday cage? (Score:5, Insightful)
Being the only house on your block not radiating all sorts of data sounds like an excellent reason for the DHS to perform a no-knock raid with legions of SWAT teams and an armored troop carrier or two.
Re:Time for a Faraday cage? (Score:5, Funny)
Which is why you move to Pennsylvania and live among the Amish. Also, your crazy hacker beard will look a little less crazy.
Re: (Score:2)
I know you're not serious, or I hope you aren't, but how would they know the difference between you intentionally blocking transmissions and just not having stuff turned on?
Re: (Score:2)
I know you're not serious, or I hope you aren't, but how would they know the difference between you intentionally blocking transmissions and just not having stuff turned on?
Probably because it's not just computers that emit electromagnetic radiation. Even the mains wiring will emit a certain amount.
Re: (Score:2)
Oh, yeah... I'll just need a monkey playing solitaire on a computer that isn't shielded all the time.
Privacy is so damned expensive...
Re: (Score:3, Funny)
Oh, wow, I don't know how it happened but you're both right, and I'm not even in a cube!
Re: (Score:2)
I'd say the existence of encryption is ample evidence to convince a judge to compel you to reveal your key.
I'd also say that most enforcement agencies, which are going to be participating in such a no-knock raid on a domestic terrorist, have some pretty damn interesting forensic tools designed to circumvent encryption (Preventing the computer from ever going to sleep is one common tactic employed).
So if you are going to bother encrypting you had better brush up on forensics tools and prepared to go jail for no
Re: (Score:2)
What about installing a microcontroller in the PSU that checks the AC line frequency, and if it's not within the range of what you get at your house (there's slight variances everywhere, after all,) send +120VAC straight into every DC line?
Re: (Score:3, Informative)
The + on the 120VAC is extraneous.
Re: (Score:2)
What do you mean by "not serious"? Do you mean have I removed the Faraday cage that used to surround the inside of my home in fear that the Department of Homeland Security would send in great numbers of heavily armed men into my home? Or do you mean "not serious" in that I would have never put up a Faraday cage in the first place? Or "Not Serious" in that I would be surprised if this reported in the news? Or "Not Serious" in that the DHS would not decide a US citizen did not fit a certain profile and then proc
Re:Time for a Faraday cage? (Score:5, Funny)
The solution to this is simple. Have at least one computer outside the cage. If you have a teenager, even better. 'Cause nothing would drive those eavesdroppers crazier than listening in on teenage conversations:
No way!
4sho!
LOLZ
idc. let's go w bff jill
Of course, this might be one of those cases where the solution is worse than the problem.
Re: (Score:2)
The snoops would have to monitor for a significant time before they'd realize the difference.
If they're choosing to monitor your house for hours, they probably have something else on you.
Re: (Score:2)
Good luck to them if they try spying on my typing.
"Backspace (bsp), bsp, hith, bsp, bsp, hi theree, bsp..."
Re: (Score:2)
Yeah, because SWAT is totally raiding all those people without TV's and computers . . .
Re: (Score:2)
They need a reason to do that?
Re: (Score:2)
or directly use napalm instead
Re: (Score:2)
I say we nuke them from orbit. It's the only way to be sure.
Re: (Score:2)
damn... and i was hoping for security on my desk AND a working cell phone in my pocket. =P
World's slowest typist (Score:2)
Seriously can the guy type faster than 3 words a minute? Can his decoding software only work up to a certain speed? I am betting most people enter their passwords in less than a second, not with second long pauses between each character.
Re:Time for a Faraday cage? (Score:5, Interesting)
This is actually easier to do than you might imagine. My old house was essentially a Faraday Cage. You could NOT get a wireless signal more than 1 foot outside it. Why? Aluminum Siding. Add in aluminum powder tinted windows (triple layer UV and thermal glass) and the only leakage was straight up through the roof.
So you could get an OK cell-phone signal on the second floor (2 bars), but almost nothing on the first floor. Walk out the front door, 4 bars. Same with WiFi. Full strength "g" signal anywhere inside, walk outside and the connection drops.
My current home has asbestos siding (bleah!) that does nothing to attenuate the Wifi signal, so I actually had to encrypt my wireless for the first time ever when I moved. I can pick up my wireless signal about 2 doors away now, and it's the same wireless device I used in my old house, located in a roughly similar spot (close to the center of the house, in the basement, on a shelf near the basement rafters)
If I could I'd re-side in Aluminum again, but the costs to re-side an asbestos tile sided house are astronomical, and many places simply won't do it.
Regardless, if you really want to attenuate any wireless signals going into or out of your home, slap on some aluminum siding. You'll kill those pesky wireless signals, AND make your house look really nice at the same time.
Re: (Score:2)
Interesting.
One thing I've been curious about is how effective just putting the wireless router in the basement would be --- my house is on quite a bit of a slope, but there'd still be ~10--15 feet of earth (and rocks, mostly sandstone, lots and lots of rocks) between the router and anywhere one could get a signal outside.
William
Cryptonomicomics (Score:5, Insightful)
Oh no, we will have to learn to type code by tapping on a single key and read the results in the flickering of the hard drive light.
When they can manage the same trick in a noisy office environment with dozens of keyboards and monitors in use, then I'll worry.
Re:Cryptonomicomics (Score:5, Insightful)
Most modems back in the '80s just ran either RD, TD, or (RD|TD) through the LED. It was cheap and easy and gave you a good activity signal. Nobody cared about people sniffing the data through the LED, and really hardly anyone is ever going to be in a situation where they're even potentially exposed. And for virtually all the rest, this is hardly the low hanging fruit... if you can get close enough to read the LED, you're close enough to see what the target is doing any number of easier ways.
Re: (Score:3, Funny)
Or you could always get a second keyboard and a monkey. Combined together, they should generate enough random data to disguise what you are typing.
Not too bad (Score:2)
laptops only? (Score:3, Insightful)
Re: (Score:2)
It may be the process of the battery being charged while it's plugged in that interferes with signals - it certainly can affect recording audio via a mic input in a laptop.
Re:laptops only? (Score:5, Informative)
I understood that the disconnecting of the charger was because the "victim" laptop computer and the "attacker" desktop computer were connected to the same electrical mains network of the building.
By disconnecting the laptop charger it was proven that the keyboard signal was truly intercepted from over-the-air electromagnetic radiation, as the laptop was "independent" and not connected to anything. There was not any chance that the signal could have leaked or transmitted any other way.
Re: (Score:3, Informative)
I think they only removed the power supply and monitor because sniffing monitor and power supply emissions are known attacks. They wanted to demonstrate that it really was the keyboard they were sniffing. I guess we'll have to wait for the paper to see how well it works when the other emissions you get from a complete system are pr
Encryption (Score:2)
Re: (Score:2)
Or just have a monkey type stuff out on another keyboard all the time.
TsaqggaRahdfjhadfY Tafhnae4na76O aRangsdEa4636AanyhryD T4gmbjjhnozbsHyaengjasdojgboI4asbjgsx5yS YsdgbajrnlynrOrayeryreU Byaery5hbeautrAuntrauahShaheTahkapdfhAgaeiyp45RfwdgDS
Re: (Score:2, Funny)
Holy smokes. Either a coincidence or you have been snooping my network, but that is exactly the beginning of my AES key...
Re: (Score:3, Funny)
I see you shelled out for the decoder monkey.
There is always a method of attack (Score:2)
I like this method:
Set up a microphone (directional is preferred) and direct it at the keyboard you would like to monitor. Record the sound of the person typing their password a few times. Then send them an email and a response request. Record that sound and use it to determine the sound of each key. Because of wear, finger position, and angle of attack, each keypress sounds a little different than the rest.
Now, thanks to the email responses, you have a sample of what the keys should sound like.
Of course
Re: (Score:2)
That assumes no typos and no editing.
Re: (Score:2)
That assumes no typos and no editing.
Because of the silent backspace key?
Re: (Score:2)
No, because you don't know which of them is backspace if you have to compare what's written to what's recorded. Or maybe I'm getting it wrong.
Re: (Score:2)
No, because you don't know which of them is backspace if you have to compare what's written to what's recorded. Or maybe I'm getting it wrong.
It makes it a bit tougher, but it's a basic substitution cypher. Assuming you can match up any correctly-typed portion of the text with sounds, finding the parts that don't match up will allow you to determine which is the backspace. Just think about how unique the spacebar sound is. If you can even match up the number of non-spacebar keypresses with the spacebar keypresses, you've just about solved it right there and the rest is a trivial exercise.
Of course, it's much tougher if someone is constantly us
Re: (Score:2)
Or you could, you know, just ask the guy his password.
What, no good?
Features win over Security (again). (Score:2, Insightful)
Instead of trying to put 72 hot keys, along with a volume knob, EQ, and 17 LEDs emitting a dizzying array of light colors, how about just a keyboard?
Without all the extra crap, there just may be a chance to reduce the overall voltage required to drive a keyboard, and therefore reduce the emanations. Could go hand in hand with all this talk of going "Green" with PCs.
Of course, that will never happen, because we're far too fascinated with keyboard bling. After all, feature-creep isn't a problem, it's a lif
Re: (Score:3, Interesting)
On the other hand, all the extra blinkenlights would create more interference, reducing the effectiveness of this attack.
Re: (Score:2)
Check out the Apple Aluminium keyboard. It only has an LED for Caps Lock and the multimedia keys are the same as the function keys. I don't know if it helps but the whole top is aluminium, which could shield a bit of EMI.
Nothing new (Score:5, Interesting)
Re:Nothing new (Score:5, Informative)
It's called van Eck phreaking, and it's been applied to monitors for a while now, but no-one's really talked about sniffing from the keyboard.
Painfully typical (Score:2)
This certainly doesn't surprise me, I've only taken apart one keyboard in my life that appeared to be properly shielded, something I wish was more popular. I actually managed to break a PS/2 port once through a static discharge that left my finger black, and this was back when USB keyboards were a really new thing.
Same with mice and a million USB peripherals, plastic isn't nearly enough, everything should have a proper Faraday shield, yet even the most expensive stuff doesn't.
Re: (Score:2)
Some ancient thing that weighed more than a... uhh... I don't got anything witty. It was heavy. Or something.
Re: (Score:2)
The IBM Model M is ancient and heavy.
Then again, so am I.
Speed (Score:2, Interesting)
But did they test with a Model M? (Score:5, Funny)
As everyone should know, the IBM Model M is the One True Keyboard. Surely all of the steel plating inside that thing must be good for something! If all else fails, the relentless clicking while they listen to your bugged cube or house should drive them completely insane.
Even if it doesn't prevent snooping, you could still use the thing as a self-defense weapon when Mysterious Men From the Shadows come to capture you.
SirWired
MI5 & Intelligence Agencies (Score:3, Interesting)
MI5 have had this for years. I mean at the range talked about in the article they can also get a good picture quality from your monitor too. This problem has been known about since the 1980s and is the reason why the security services use magnetic shielding either in an entire building or just in private rooms (such as those that exist in every British Embassy internationally).
EM leaks have no real solution at this stage except to shield like crazy. There is potential for some kind of white noise generator but different pieces of electronics would require one tuned to them and the levels required would make a blanket device expensive, or overly large.
I wouldn't worry about people listening in to your keyclicks at home just yet. Perhaps if you work at a big corp and there is money on the line. Corporate espionage is big business, arguably even bigger than legitimate government work.
Re: (Score:3, Informative)
CRT monitors used to leak a lot of EM. Is it still working with LCD screens? I doubt it
http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf
Shenanigans? (Score:5, Interesting)
If the eavesdropper is in a polling state it should continue looking for more keypresses, unless there are some smoke and mirrors going on. Also, if you listen there's no termination sent --no keypresses heard on camera.
Apple Aluminium Keyboard (Score:2)
This thing has an aluminium top (but a plastic back), would it be safer than a 100% plastic casing keyboard?
How about those new unibody MacBooks and MacBook Pros?
No, I didn't RTFA.
Does it work.. (Score:2, Interesting)
Soft Iron in the Keyboard? (Score:2)
Would it help if the keyboard was lined with oh I don't know...tinfoil perhaps? Or use a plastic with soft iron embedded into it? I mean I am just spit balling here, but this shouldn't be that hard to reduce emissions on.
Butterflies (Score:2)
DRM! "HDCP"! (Score:2)
I bet it's the long cable that acts as an antenna? Though that doesn't explain how Laptop models are affected.
Anyhow... maybe we could apply an HDCP-like end-to-end encryption protocol down to the keyboard, or even to each physical key... Microsoft did an ASIC for the blue-ray mouse, could they make one for each key too? I am thinking if the FBI might want to order thousands of them...
Strange program.... (Score:3)
Sure - it *could* have an exit condition where it quits if it hasn't seen a keystroke in n seconds. But, on the second video, it doesn't time out while the camera goes to the other room - but it does time out while the camera comes back. And besides - who would create their program that way? Just have it decode anything received in an infinite loop - far easier to use.
Re: (Score:2, Interesting)
Think of this as a proof of concept, with additional range yet to come. To you it might not be a big deal, but to others (e.g. the tinfoil hat crowd) it is likely a very small distance in time between the current 20 meter range and a 100 yards or more. And yet to others still, it is of concern now, for example apartment blocks, condos or dormitories where you may be less than 20 meters away from several other residents.
Re: (Score:2)
Set up a repeater unit outside of an executive's house, then do trades on the stock market. You could hide all the electronics in a small box, and make it look like a piece of phone or telco equipment. No one would touch it for 20 years.
The harder activity would be to disguise the trades so the SEC doesn't figure it out.
I bet someone has already tried something like this. There are too many security agencies in t
Re: (Score:2)
Analogy: you can listen to a particular person in a noisy restaurant, and it is usually easier if both your ears work well.
If they have to they could use two or more vehicles parked outside. Or just rent a room or two nearby.
There are so many ways of snooping it isn't funny, here are some examples:
** Light
Copying a screen from a CRT by the light it "smears" on a wall - CRT images are generated by
Re: (Score:2)
I agree. I would say this looks fake or very fishy. First the oscilloscope showing stopped images of some pulses is a typical make believe setup. On the second video, after the camera comes back to the eavesdropping setup, the oscillo did not trigger on any signal and is still stopped. Granted, this doesn't prove any wrongdoing.
But the process terminating by itself immediately after decoding the last character is strange. Why would the process stop recording and start processing after the last type
Re: (Score:2)
Actually, plugging in the PSU or an LCD monitor increases the number of ways they could recover what you typed.