Keyboard "eavesdropping" just got way easier, thanks to electromagnetic emanations
We always knew those electromagnetic emanations would amount to no good, and now here they go ruining any shred of privacy we once thought to possess. Some folks from the Security and Cryptography Lab at Switzerland's EPFL have managed to eavesdrop on the electromagnetic radiation shot off by shoddy wired keyboards with every keystroke. They've found four different ways to listen in, including one previously-published general vulnerability, on eleven keyboard models ranging from 2001 to 2008, with PS/2, USB and laptop keyboards all falling to at least one of the four attacks. The attack works through walls, as far as 65 feet away, and analyzes a wide swath of electromagnetic spectrum to get its results. With wireless keyboards already feeling the sting of hackers, it's probably fair to say that no one is safe, and that cave bunkers far, far away from civilization are pretty much our only hope now. Videos of the attacks are after the break.
[Thanks, Dave]
And the Cryptonomicon references are...GO!
"All your keyboards are belong to us!"
I came here for the Van Eck Phreaking / Randy Waterhouse / Golgotha references... I am glad to, once again, see Engadgeteers rise to the challenge.
/nods approvingly.
Time to wrap my keyboard in a faraday cage..
And your complete workstation...
Or apparently just plug your laptop into its DC power supply, or use a CRT monitor, or the PSU in a desktop, or generate some EM noise on the same band as the keyboard.
Note how they were very careful to isolate the keyboard from any potential source which would contaminate the signal. Therein lies how to secure the system; obscure it in noise and suddenly the keyboard presses are indistinguishable from noise.
Don't keyboards generate electromagnetic fields at a different frequency than CRTs, etc?
time to start carrying around a faraday cage and a very long wifi antenna.
Problem solved, convert all of your keyboard connections to fiber optic.
Spooky, but I feel like if they started adding encryption to the keyboard before it even transmitted the keypresses over the wire, it would eliminate this kind of attack.
-Taylor
More likely, something like a "secure" keyboard will be marketed to governments and companies trying to protect trade and national security secrets, probably at an exorbitant price per unit, compared to what your average Instructables reader/contributor could come up with from the spare parts bin.
And part if not all of me thinks that this is the whole point of a lot of this type of "security" research. "Find an ultraobscure vulnerability, not for research, but to market a product."
There's a lot of value in security research, but it always seems so...dirty on both sides of the equation in the final analysis.
$$$$
encryption can be cracked... but how about transmitting data by cheap audio fiber optic wire
If I were to protect myself...
1. Plug in laptop to power supply and place near keyboard.
2. Put AC adaptor for modem near keyboard.
3. Put printer AC adaptor near keyboard.
4. Put AC-powered alarm clock near keyboard.
5. Put Playstation 2 adaptor near keyboard.
6. Put AC-powered piece of crap LCD TV near keyboard. (My LCD TV creates a helluva lot of noise).
7. All devices make a lot of interference.
8. Interference prevents recognizing signalling from the keyboard.
9. Profit?
These are the things I have handy in my room, so I use them.
New security requirements:
1) Type faster than 1 keystroke per second, or 2) Use a monitor to see what you are typing, or 3) Use a computer like you normally use a computer (Connected to power, with a monitor, with nearby speakers|telephone|cell phone|mouse)
As xocoatl mentioned, the best way would be to make fiber optic keyboards, which will probably happen with USB 3 as I have heard it will have fiber optics in it.
seems cool, but limited. they took every precaution to make sure there was no signal bleed from other sources, so what is the chance that anyone types on a keyboard with power but no power, audio, or video cables near it?
I was thinking the same thing. Wouldn't this pick up other sources as well? Even if it doesn't, what about in an office setting or coffee shop where there are multiple keyboards typing at once, it would just get a jumbled mess of letters and numbers, right?
Or in an office that has 400 different keyboards all typing different things at the same time
and at a rate of one keystroke per second..?
This doesn't mean that picking up on your typing is not possible with a monitor or PSU plugged in. This is merely an experiment. Refinement of the signals would more than be possible to do, I'm sure.
I gathered that they removed all that equipment so that there was no way they could cheat this proof-of-concept video. For example, they unplugged it from the PC so that they couldn't have it secretly running and transmitting all the keystrokes wirelessly.
Hmm... a phased array of antennae would help distinguish signals from several sources. Seems the slow speed of the 'capturing' could be due to the large amount of data that needs to be ADC'ed and saved before being processed, and the processing itself. I'm sure that, with sufficient funds, typing from multiple sources at 'normal' typing speed should be quite achievable.
Seems easy to thwart this .. simply apply an RF choke on your wired kb. As simple as passing the cable through a small coil.
I doubt it. Even laptop keyboards were vulnerable, and they don't have a cord at all.
-Taylor
Oh my god, the one keyboard they displayed, the black curved one, is the one I have. (I think o.O)
Never mind, I went back and watched and paused it super fast so it was like frame by frame. Also, it looks like they tested those flat Apple keyboards. It's at 2:47 and has a white USB cord.
I think almost all wired consumer keyboards are vulnerable.
That's why I type on a wireless keyboard! No one can eavesdrop on logitech RF technology!! (Just kidding.)
lol!
Now, not even our tin foil hats can protect us!!!
But, I agree with Matt as well. This was done in a controlled environment. With cell phones giving us cancer, wifi signals coming a dime a dozen around us, GSM phones making our old monitors twitch, and add your own... I'm sure the results would be a LOT less than perfect in the real world.
errrr...I hope they'd be..hahahaha
@ josh
We were thinking the same thing at the same time. Guess I need to refresh my screen before posting replies.
Um... well so far this isn't scaring me, I never type that slow (and I don't know anyone that does), I have an LCD monitor, and I have a tower with a power supply. So I'm pretty darn safe. And it looks to me like anyone who types with their screen up on their laptop, or with it plugged in, is safe too.
Scary!!! Lucky my keyboard wasn't on there.
This has been done before...Look up TEMPEST on Wikipedia. http://en.wikipedia.org/wiki/TEMPEST
There is even a standard to test to for protection against this sort of attack.
I was just about to post about TEMPEST too. Saw this article (on Cnet or Slashdot) as well this morning. How soon people forget about old exploits.
Move along people, there's no news here, just a rehash of 30 year old security vulnerabilities.
Good thing it can't detect typing on my iPhone!
/i keed, i keed!
too bad even you can't detect typing on your iphone
I wouldn't be surprised if the government would stand up and acquire (READ: copy) this kind of technology, and given their resources, manage to shrink all that paraphernalia into a simple laptop (or close to it, at least) and a small antenna. However, the software able to decode the keystrokes at a fast pace whilst filtering all the noise sources is miles away.
No wonder Switzerland wisely stays out of wars. This technology has been around since the 1960's. Tim above is correct. TEMPEST is real and it has been part of electronics certifications for some government projects for decades.
You guys can joke, and on most levels this isn't an issue. But for some uses this is a serious security concern that shouldn't be taken lightly - encrypted passwords mean nothing if you can read raw key data by just sitting outside a bank (government agency) in your car (van).
Would have been more impressive if they would have kept the others items plugged in to simulate a normal environment. Typing at a normal speed instead of extra-slow as well.
I saw my first "temptested PC" (a Mac actually) in 1991 in the Pentagon. You cannot believe the amount of shielding inside that machine. The mouse cord alone was 3/8" diameter metal cabling. I was asked to put in memory by a client who knew that I liked to tinker and who authorized me to break the seals. I opened it up and was dumbfounded. It was completely unrecognizable inside. Additionally, this machine was only used in a shielded SCIF. You could go that route, but there are so many other ways for your info to be leeched...and there is no way that I am about to say how. ;-)
Saying that you don't say something is almost as good as saying it... Except that people who say that they don't say something, usually don't have anything to say anyway.
This is why I only type with the faucet on full in the background.
I was waiting to watch them type Seatec Astronomy ;)
First off, they turned off and removed the equipment to prove they weren't getting the signals from other sources which is already old work that's been proven. There are a few methods to get info through either the display signal noise or power supply noise, and in fact laser printers are almost dead easy to do with the huge amount of noise they put out while printing.
Second, almost any electric device can be listened to and decoded into useful info. With the original research done years ago it was tested against monitors, keyboard, printers, mice, and whole computers.
Third, it seemed awfully convenient that the program ran just long enough to print out exactly what they typed. I am not saying they can't do it (this is also already old hat), but it seems strange the way the system ran.
These are very interesting exploits. I wonder though, as many others have stated, what the feasibility of these attacks would be in a normal environment that is not set up to avoid experimentation errors (i.e. the real world lol). Keyboards are clearly located in areas with lots of other electronics around and turned on, and people today type much faster than the depicted situations. Wouldn't that have a major effect on acquiring the signals in order? Just a thought..
I would think that multiple devices being used at the same time would be the biggest problem. The signals would mingle and the data would be corrupted.
I think PS/2 would be more of a problem given that its specifications give more leeway in how data is transmitted, the frequency range is something like 10kHz to 16.7kHz, imagine having 100 keyboards all blasting out signals that are essentially sweeping across that range, hell, even 2 would be a mess.
USB is more strict on a per device basis, but it is more prevalent in today's world, and I could see people having multiple devices at their desk alone, all blasting out signals that would "co-mingle".
pft... the miraculous device they use on prison break to get the cylla cards' data is way cooler :P
yeah.. that's what i was thinking !! haha
Hey maybe they can have a new USB gadget... one that spews out similar (but random) electromagnetic waves as that of the keyboard, in order to cause interference (it would have to cater to different keyboards though, I think).
What a joke. Let's use a notebook, but close the lid so the display is not on. Let's remove the external LCD to remove the radiated EMI. Great!!! Now that we can't see what we are doing we should be very productive. Next let's get rid of our power supply so we can only run on batteries and do work (that we can't see) for 2 hours. Oh yes, I forgot... since we closed the laptop, we need to plug in an external keyboard so we can do our typing without seeing what we are doing. OK great... One more thing. We must remember to type at a maximum speed of 1 character per second. Any faster and the RF on the keyboard wires will not be able to be decoded. Or have a three year old hit the keys for you.
The rest of you...it's time to put on your tinfoil hats!
It's a good thing I already cover all my computer equipment with aluminum foil.
People, please understand. This is a controlled experiment. Of course, conditions are favorable for a positive outcome. The point is that the technology exists and works. With time it will be refined further for better filtering and faster processing.
If you have ever built an application or manufactured an item you will know that you start with small scale testing to prove out the concept or design. Then you backfill to accommodate for less than optimal situations. The finished product never looks like the original prototype.
so no one is concerned that this could all be a hoax and the app is just a little program that goes through the motions and pretends to decode what the person types?
If it were a hoax they wouldn't have had to unplug the keyboard and plug it into an unplugged laptop to make it work. If they were faking it, they would have made it work quicker and easier.
Finally those hairdryers will find some good use! Plug one in, along with an electric beard shaver and turn them on... they will create so much noise that not only it will be impossible to hack you, but your computer will have trouble understanding what you are typing... lol!
If anyone has ever been to Virginia, they may have noticed that the NSA building among others, are GREEN! This was the TEMPEST program instituted years ago to stop the gathering of signals VIA EMW's from CRT's which could be picked up several hundred feet away from the target and displayed on the LP's monitor as if they were typing the words themselves!
Soon they will come up with a way to pick up your brain waves and print out what you're thinking!
I'm sure they already know what I'm thinking!
Go Ron Paul!!
IFIXPCS
This would be too much of a pain in the ass, considering that PS/2 keyboards can range in frequency from 10kHz to 16.7kHz, and USB can range between 1.5MHz to 450MHz +/- up to 15kHz based on low/full/high speed.
That's not to mention how many other PS/2 and USB devices in the vicinity you would also pick up that would most likely corrupt the data, as you could be picking up multiple devices simultaneously.
How bored were these people?
How did they figure out this shit? I mean, how could someone put some random electronics together and pick up keyboard strokes? This is crazy. It's only a matter of time before this gets crazier and can record keystrokes faster and find out which keyboard is typing. This hacker vs keyboards with Social Security Numbers? Come on. How did they find out their stuff would pick up a signal like that? This is crazy.
This is totally flawed. In a real environment there are many EM signals being produced that would have to be filtered before any meaningful signal could be interpreted.
Simply put in a real environment this kind of eavesdropping would be like looking for a red object while wearing red tinted glasses.
This video is a joke. Keyboards do not carry much current, more on the scale of 10mA. Not nearly enough power to transmit a signal one meter at 5 V!
And even if you could pick up the small magnetic field change, it would be overpowered by external noise sources, such as fluorescent lights, other monitors etc...
I call BS on this video. The reason the laptop is closed is because ?
What about other languages? Chinese would be hard to decode. Seems like the vulnerability exists with english only. lol.
Some of the comments I'm reading here are amusing. This is nothing new. I did RFI/EMI/EMP shielding all through the '80's and up until Clinton, who killed off what remained of Reagan's increased defense spending. TEMPEST concerns have been around since the '70's and the government paid my father's company and others big bucks back then to protect their information from electronic eavesdroppers. I won't say more about it, as I'm still bound to a certain extent by secrecy laws, but the idea that this is some new and surprising development is laughable. The only thing that could possibly be new about it is that some civilian scientists free of governmental NDA's have done it successfully where before they never had.
However, in saying that, I'm not implying that government agents have successfully intercepted and decoded keyboard signals before. I have no positive knowledge whether they have or haven't; that's classified information. Nevertheless, the fact that both the CIA and the KGB have had programs of the TEMPEST sort, each with an offensive as well as defensive component, should at least suggest to you that the potential for compromise by way of keyboard emanations has been known, worried about, and pursued--to the tune of many millions of dollars--for several decades now.
Does anyone remember this: http://query.nytimes.com/gst/fullpage.html?res=950DE5D81F30F935A25754C0A96F948260&fta=y
Our embassy in Moscow became compromised due to the incomprehensible politics of Washington liberals, who contrived to have Soviet construction workers working on the construction of it. So what happened? The KGB moles not only bugged the shit out of the building, but they drilled and poked holes through the building's RF shield, thereby rendering it vulnerable to the leakage of emanations. I was elsewhere at the time and didn't work on that project, so I don't know how big a deal it ever became back home here, but in security circles it was an infamous episode directly related to TEMPEST concerns. So, to repeat: nothing new here, as far as I can see. Nothing new at all.
eyeroll,
What would be a good shielding measurement to adhere to, to make eavesdropping on a keyboard more difficult or virtually nonexistent from 10 ft away?
Wow. I look forward to reading the research paper once it gets released.
use touch screen computers only ;)
Simply use your mouse and copy paste all characters you type for your password when logging in, and you're pretty safe.
I use a system much like that for my own webmail system: http://www.squirrelmail.org/plugin_view.php?id=159
Ok, now wait a minute - a keyboard alone connected to a power source emits a frequency that can be picked up through RF waves from a transceiver? I wonder what the other two experiments are - probably a good idea they don't show too much of the technology off.
1) Frequencies travel at different wave lengths and can be filtered to pick up certain wave lengths.(correct?) Depends on how their program/hardware works, it seems that they removed the power supply so they don't have to mess with the filtering - easier and quicker transmission to show it works.
2) However, is it really as slow as 1 keystroke per second? If so, then no worries. But somehow I don't think that's the case. A post was written that faster technologies could be built to decode the frequencies quicker - hence perhaps eventually keystrokes as fast as a typist could be picked up by an antenna that doesn't look like over-sized cake-mixer whisks may be used...maybe the size of an oven thermometer instead?
3) Towers included? perhaps if #1 & #2 were true, then reading kb strokes that is connected to a tower/desktop style is possible?
These are just questions of possibilities and theories. Man, the potential security breaches that could be made... the possibilities... the power... in the wrong hands. Ugh.