Swiss boffins sniff passwords from (wired) keyboards 65 feet away

Swiss researchers have demonstrated a variety of ways to eavesdrop on the sensitive messages computer users type by monitoring their wired keyboards. At least 11 models using a wide range of connection types are vulnerable. The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne …

COMMENTS

This topic is closed for new posts.
  1. Phil
    Black Helicopters

    Two words

    Faraday Cage

  2. Anonymous Coward
    Stop

    Typing speed!

    Notice how slowly he typed "password". Not that I'm a particularly fast typer, but wonder if it works as reliably when someone is typing at a decent speed.

  3. Frank Thomas

    so much for Tinfoil hats

    Now my keyboard needs a tinfoil condom. great. I'm still trying to afford plastic sheeting and duct tape...

  4. Anthony
    Black Helicopters

    I'm waiting for the $500 radio safe keyboard

    Just wait - 2 months from now, someone will make a killing producing a truly radio-safe keyboard that all businesses handling sensitive data will have to have, even though it sucks to type on, and gives employees RSI.

  5. Michael Jarve
    Black Helicopters

    Nothing new under the sun

    Does no one remember the TEMPEST project from the 1980s? The idea was that the Commies could read the recipes off your mother's C64 just by reading the RF blasting out of it. So, they essentially wrapped the cables and components in a Faraday cage, used copious amounts of EMI shielding, and managed to increase the cost of a Mac SE/30 to over $15,000.

  6. Anonymous Coward
    Anonymous Coward

    @so much for tinfoil hats...

    I've got a tinfoil house, ribbed for her pleasure

  7. Warhelmet
    Coat

    Old Fashioned Over-Engineering

    ... is the solution to this problem.

    I have ancient IBM kit, built out of 6" thick cast iron and connected by lead-pipes to my PC. In fact, keystrokes from the keyboard are carried by tiny gnomes up the pipes. And they are quantum entangled gnomes at that. Punch cards don't emit RF.

    More seriously, I've seen keyboards encased in metal. Ah, you could get a detachable keyboard thing for the BBC Micro that was made of steel. And older keyboards employed metal springs and switches rather than rubber bobble things. Anyone remember Tempest? And old keyboards tend to be the best. I do have an ancient IBM which is the bollocks for typing on, although I've become more keyboard agnostic over the years.

    Aren't some Apples machined from blocks of aluminium? Paint the backs of the keys with that silver loaded conductive stuff you can buy and you should be laughing. Am I right in thinking that in ye olden days, some plastic cases had metalised coatings on the inside because the electronics emitted horribleness over the em spectrum?

    Use a Dvorak, Maltron or a French AZERTY keyboard, that should confuse them.

    Mine's the one with the Microwriter in the pocket.

  8. Rich
    Coat

    Sub!

    "In both cases, the computer was able to determine the keystrokes typed on keyboards connected to a laptop and power supply and LCD monitors were disconnected to prevent potential power transmissions or wireless communications."

    Plus, this has been known for 30/40 years in various forms. Peter Wright talks in Spycatcher of reading French diplomatic traffic (obviously much more satisfying than Russian) by picking up noise from the teletype upstream of their encryption device.

  9. yeah, right.
    Flame

    so really

    So this story is actually about keyboard manufacturers claiming to have "addressed" all the issues with leakage that came up during the 1980s and again in the 1990s, and now being found out to have lied, misled and cheated about having made those changes?

    Wow, I'm stunned that manufacturers who are not subject to any form of control or independent verification would have lied about such things. You mean we can't trust PR departments and sales organizations anymore? What's the world coming to?

  10. Anonymous Coward
    Thumb Down

    There's a tempest a-brewing.

    Right then, let's see.

    To make the demo "viable" they had to

    0) use a relatively (electrically) quiet laptop connected to nothing except a keyboard, rather than a typical noisy desktop with a typical electrically noisy switched mode power supply and a mains lead acting as a lovely wideband radiator

    1) eliminate the wideband RF splatter from the laptop's switched mode mains power supply (nothing to do with their claim re leakage through the mains wires, don't be fooled)

    2) shut the laptop lid to kill the wideband RF splatter from the inverter driving the LCD backlight (and so you can't see what's on the screen?????)

    Even more interestingly, isn't the dialog between a PC and its keyboard in scancodes rather than characters, eg if you tell the OS the kbd is French not British, the very same keys that previously did "QWERTY" now do "AZERTY"? It's the OS wot knows wot the keys mean, the keyboard->host data effectively just reports which keys (in position terms) were pressed and/or released???? IE "the Q key on English keyboards produces the scancode (hex) 15. On French keyboards the same position is occupied by the 'A' key but the scancode remains 15." (from http://www.barcodeman.com/altek/mule/kbemulator/)

    And as already noted, what's with the slow typing? Even I can type faster than that; surely the laptop has finished processing the character and gone back to being idle within a few ms (microseconds, even) of it being typed. Even the microcontroller in the keyboard is faster than that. Unless they're (for example) filling huge chunks of memory with specific patterns derived from the character seen by the app and using the emissions from *that* operation to "leak" what was typed. Or, Derren Brown distraction-style, using the time between keystrokes to encode what key they pressed; you *might* detect the changes in RF emissions from that!

    And their definition of "viable" includes "partial recovery" of keys. Yeah well I can do that to an extent just by guessing, and predictive text entry is even better at guessing than I am!

    Anyone smell fish yet?

    "Maximal entropy" my arse (and yes I do have a clue what it might mean, as a physicist with a long term interest in signal processing). Let's come back once there's a peer reviewed version. Or once there's a Mythbusters version.

  11. John Doe

    Electromagnetic eavesdropping...

    ...dates back to the 1940s; teletypes were the target.

  12. This post has been deleted by its author

  13. Randolf McKinley

    @yeah right

    Or it could be down to increased sophistication and sensitivity in detecting any leakage and more importantly in pulling useful signal from the noise with better and more powerful signal processing.

  14. Anonymous Coward
    Anonymous Coward

    I wonder

    if it could be possible to retune BlueTooth or Wireless to pick up the signal.

    That will stop crazeey colin cracker having to get the sniffles on a cold day waiting outside businesses for people to type in the passwords. One password a quick wifi update and he or she could be out of there.

    Think of the crackers, they are human too, they are not immune to the common cold.

  15. Smitty Werben Jueger Man Jenson
    Black Helicopters

    It's a magic show

    Something tells me that someone sneaked in and entered "password" on the computer with the fancy do-dads while the cameraman slowly walked and typed on the computer in the other room.

  16. Anonymous Coward
    Boffin

    @Nothing new under the sun

    Tempest was actually a NATO code word. All sorts of military kit, especially crypto, was built in screened metal boxes. There were tempest warning signs inside every little door that opened.

    The problem exists but in an environment where you have a lot of keyboards, monitors, printers, computers and sundry other kit spewing out noise, it would be very difficult to pick out a single keyboard from 65 feet away. Essentially every clock and data bus is producing a comb of harmonics up into the tens of GHz range (I have measured it with a spectrum analyser in the past.). Low end consumer crap like iPods, CD and DVD players all spew out their share of noise which is why they don't like them on planes.

  17. Christian Berger

    So, what to do about it?

    Well obviously it's trivial to shield the keyboard matrix. Just wrap those 3 plastic foils in aluminium foil. For the wire to the PC, I would simply encrypt it. The PS/2 standard specifies a bidirectional channel, perfect for any encryption. It's just a matter of software and firmware. In fact, as you already have a microcontroller on the PC end, you could even do it transparently to the rest of the system.

  18. Cortland Richmond

    Pwwswrod wnot wrok!

    There goes the (encrypted) neighborhood. 'Course, the way I type...

    Morse Code, anyone?

  19. Anonymous Coward
    Alien

    Technology sufficiently advanced is magic?

    Who was it that said that (to paraphrase) any technology sufficiently advanced from the expectations of the observer would be indistinguishable from magic? Seems this is, given some of the responses here!

  20. adam
    Paris Hilton

    If this were true....

    Surely if this were true, then the same sniffing practice could be done on an ATM, since they are basically a PC (a lot of the time running XP Embedded).

    So, an "attacker" could sit in their car with their Waltham sized antenna outside Tesco and get people's PIN numbers with relative ease? Then bruiser brian follows the victim round the corner, nabs the ATM card and can purchase / withdraw at their leisure!

    Think also alarm panel keypads, door entry keypads etc.

    Paris, cos she would never give off RF signals... just pheromones (sp?)

  21. Andy Worth

    Re:Typing Speed!

    "Notice how slowly he typed "password". Not that I'm a particularly fast typer, but wonder if it works as reliably when someone is typing at a decent speed."

    You haven't seen how slowly some people type....I've watched people type more slowly than this in real life. Although to be fair, unless you only had one PC anywhere in the nearby area, I don't see how this can be anything other than a cheap parlour trick so surely the interference from other devices would prevent them from getting any sort of reliable data.

    "Yes!! It shows the password typed as being 'p3hjnsakmmn77slkjs*8wmbaojhkkd45rmmkbd'.....result!"

  22. Joe M

    Crap!!!

    It's not too difficult to stop RF sniffing of keystrokes. It's even possible to stop an in-line sniffer from picking up sensitive data. I know! I was part of a team that did just that about 17 years ago. The project was developed for PCs acting as financial transaction terminals and the specs, which we had to meet, were savage. The technology worked well for over a decade. We had to pull a few tricks to prevent various forms of attack but with today's technology it would be almost trivial to do the same.

    From what I learned of the subject at the time, I would say that it would take immense and costly effort to sniff even standard keyboards - and a lot of luck. Despite what most people think, RF is a very uncooperative medium and the world is a very noisy place for anything which uses it.

    At the risk of standing on a soapbox, I would like to add that I am getting thoroughly sick and tired of various groups of idiot savants issuing grandiose warnings about all manner of dangerous security breaches via press release or amateur-hour video footage. In the old days, if you had something to say about your discovery you hung it out in a peer review paper and allowed your fellow researchers to have a crack at it. Today, it seems that even serious researchers want to have their 15 minutes in the limelight. While they are alive that is!

  23. Anonymous Coward
    Black Helicopters

    Will we have to register our keyboards now?

    They can just add a column to the list of everyone's mobile phones. It will save someone having to try to crack all those VPN tunnels that are going to start appearing.

  24. Gulfie
    Boffin

    Faraday Cage indeed

    Some of the cheap 1980's computers (the Atari ST was the only one I had the pleasure to take apart) had a metal shield enclosing the PCB to cut RF radiation sufficiently to pass emissions regulations; this acted as a simple Faraday cage.

    Simply put the RF radiation is turned into electrical fields in the conductive metal shield rather than radiating through it.

    So, a return to steel keyboard cases and doubly shielded cables with mil-spec metal connector hoods, and laptop docking stations will start coming with a sexy metal enclosure. All we need to do then is to solve the age-old leakage from the monitor signal and Robert is your Dad's Brother...

  25. Anonymous Coward
    Black Helicopters

    Optical

    I'm with Frank Gerlach on this one. Go optical - cost (assuming volume production) shouldn't be much more than a current multimedia keyboard. Come to think of it, you could use a fibre-optic cable for the monitor and mesh/foil wrap inside the monitor shell to attenuate that signal - should eliminate most of the problem, although not entirely.

  26. Tim

    Alternatively....

    This looks another great reason for my boss to buy me one of those awesome tablet PCs with a digitiser screen. I just wish they were cheaper so I could justify buying one myself.

    Tim#3

  27. Colin Millar
    Stop

    New fangled thievery

    "Given all the fuss and expense, why not just sneak a keylogger onto the target's machine"

    Why not just beat them with a baseball bat shouting "gimme the password motherf***er"

  28. Stu
    Pirate

    Wow

    I don't think I've read this much random stupidity from commenters in my entire life!

    >Go optical - shyeah right, even if it would be done, companies would charge a small fortune.

    >tinfoil hats/condoms/faraday shielding - prove then to me that it would definitively solve the problem. You could ramp it up with astronomical level sensitivity if you were really serious about sniffing keyboard traffic (govt etc).

    >80s computers - NOT less susceptible because they're 80s kit, ie they operated with higher voltages and/or higher signal to noise ratios with huge clunky olde ICs and key action generally.

    >keyboards xmit scancodes, not characters - SO WHAT! You know which country you're in, that's sufficient to do the translation.

    >slow typing - like it would make a difference because our fingers are somewhat slower than your average signal processor.

    .

    Regardless of all this stuff and nonsense, I'm still having a spot of difficulty even believing these guys aren't just hoaxing everybody (so far the BBC, El-Reg and Hackaday.com plus more) bear in mind that simply pressing an electrical switch, ie one of your 100+ keys, it would be near impossible to discern individual keys just from switch bounce.

    The only avenue I could think is to sniff the signal as it's transmitted up the USB/PS2 wire. Somewhat unlikely imo. If this were possible, then why not skip snooping the keyboard altogether and just go straight to your typical LAN cable instead? Same reasoning except maybe because LAN cables are twisted pair.

    Or better still, why not bits of computer memory as they travel the busses of your motherboard!?

    .

    I do keep an open mind though, so I will reserve judgement until the paper comes out, but I don't think it should have been shouted quite this loudly (a lot of news coverage) at this point in time.

  29. Anonymous Coward
    Pirate

    @Stu

    Now look here, numbnuts. Just because you know shit, doesn't mean everyone else is clueless.

    Do you even know any of the signal strengths, radiation patterns, attenuation, interference or costs involved, or did you just make a few giant leaps of imagination and assumed you actually knew something?

    It's cockheads like you that make doing business near bloody impossible sometimes - you THINK you understand something but don't and can't wait to feel powerful by making a decision NOW ...... despite the fact that almost everyone else in the building has more of a clue and you can't be buggered finding out.

    So fuck off back to your Nintendo or Wii or whatever, where you can be master of your imaginary universe.

  30. This post has been deleted by its author

  31. Anonymous Coward
    Joke

    Aha

    Transient ElectroMagnetic Pulse Emission STandard

    Has been around for years. As has been mentioned it can be guarded against but at great cost and only to "selected" organisations.

    They have blown this up a bit though as if data is that secure there will be other measures in place to protect it. Also if you want to track some keystrokes just look out of your office windows into that of another office and see whose computer keyboard is facing the window, get a pair of bino's and start scribbling.

    All very good I am sure but April 1st really.

  32. Anonymous Coward
    Anonymous Coward

    Easier solution...

    Quills and parchment? Don't tell the boss... he's been gagging for a reason to go back to pen-and-paper ever since they forced him to start using a PC.

  33. M
    Alert

    Van Eck

    Is this the equivalent of Van Eck phreaking for keyboards?

  34. Anonymous Coward
    Flame

    "You know which country you're in"

    "You know which country you're in, that's sufficient to do the translation."

    Have you ever travelled, or read about, anywhere out of state?

    Switzerland, for example, where these folks are? Do you know how many different official languages they have in Switzerland? I'm thinking that French and German and Italian and Romansch languages are entirely plausible, and that French, German, and UK keyboards are all entirely possible in many places, or maybe the Swiss-French and Swiss-German variants of those keyboards (yes, I'm serious). They may well have a lot of letters in common, and given enough typing of real words in one of those languages (or maybe Englisch: "password"?) they could probably work out what scancodes are what letters, but as others have pointed out, there are likely easier and better ways.

    Anyway, the main point on which anyone with a clue really agrees is that the audience is having the wool pulled over their eyes, and the clueless journalists and clueless commenters who don't understand How Stuff Works (tm) aren't really helping.

    Please consider my subscription cancelled with immediate effect ;)

  35. Ceiling Cat
    Linux

    Fascinating stuff . . .

    But you know what, somehow this story just isn't getting me worked into the sweaty psychotic (security minded) frenzy that it should. I know that in half the offices @ my work, if I lift the user's monitor, I'll find the post-it note with their username and password on it TAPED TO THE BLOODY BASE.

    And at home, well I just can't see anyone who DOES want my passwords having this sort of kit.

    Penguin, cos it reminds me of Carmageddon 2!

  36. Kanhef
    Thumb Down

    meh

    If they can show it accurately capturing keystrokes from someone typing at 80+ wpm, on a desktop computer with CRT monitor, I'll be impressed.

  37. James O'Brien
    Joke

    @New fangled thievery

    Very very funny.....but wouldn't waterboarding be better since it is less risky for the brain damage?

  38. Anonymous Coward
    Coat

    So what?

    You can sniff my socks from 65 feet away — and this on a good day.

  39. Anonymous Coward
    IT Angle

    @ warhelmet

    "Punch cards don't emit RF"

    No, but punch-card readers almost certainly do.

  40. Jon Tocker
    Coat

    It has to be said:

    "Oh my, what a TEMPEST in a teacup this discussion's turning into."

    Yep, the suspiciously heavy one with the really big antenna poking up out of the bulging pocket, ta muchly.

  41. Omo
    Gates Halo

    Old news

    It was known in 1998 that a 1200mm coil could pick up keystrokes. Points handling sensitive data were surrounded in Faraday cages even though two years earlier Microsoft funded research at Oxford produced software that scrambled the signals given off by PCs. Unusually the software was freely available although I believe M$ now has a different approach to open source software.

  42. Vin
    Joke

    I tried sniffing my keyboard once...

    ...It didn't smell that great. Also, I'm not familiar with what my password smells like.
