
Keyboard sniffers to steal data

  • 22-10-2008 12:10am
    #1
    Closed Accounts Posts: 891 ✭✭✭


    Keyboard sniffers to steal data


    [Image] The attacks were shown to work at a distance of 20 metres

    Computer criminals could soon be eavesdropping on what you type by analysing the electromagnetic signals produced by every key press.
    By analysing the signals produced by keystrokes, Swiss researchers have reproduced what a target typed.
    The security researchers have developed four attacks that work on a wide variety of computer keyboards.
    The results led the researchers to declare keyboards were "not safe to transmit sensitive information".
    Better attacks
    The attacks were dreamed up by doctoral students Martin Vuagnoux and Sylvain Pasini from the Security and Cryptography Laboratory at the Swiss Ecole Polytechnique Federale de Lausanne (EPFL).
    The EPFL students tested 11 different keyboard models that connected to a computer via either a USB or a PS/2 socket. The attacks they developed also worked with keyboards embedded in laptops.
    Every keyboard tested was vulnerable to at least one of the four attacks the researchers used. One attack was shown to work over a distance of 20 metres.
    In their work the researchers used a radio antenna to "fully or partially recover keystrokes" by spotting the electromagnetic radiation emitted when keys were pressed.
    In a web posting they added: "no doubt that our attacks can be significantly improved, since we used relatively unexpensive equipments [sic]."
    In videos showing their early work the researchers are seen connecting keyboards to a laptop running on battery power. They avoided using a desktop computer or an LCD display to minimise the chance of picking up signals from other sources.
    Details of the attacks are scant but the work is expected to be reported in a peer-reviewed journal soon.
    The research builds on earlier work done by University of Cambridge computer scientist Markus Kuhn who looked at ways to use electromagnetic emanations to eavesdrop and steal useful information.

    http://news.bbc.co.uk/2/hi/technology/7681534.stm


    Anyone know how this is done?


Comments

  • Closed Accounts Posts: 35 Angelo Pascal


    the first research i read about this was carried out by dreamlab security, although it was probably discussed elsewhere in forums..etc

    the article was called
    We know what you typed last summer
    Another one was by Luis Miras at blackhat last year ..don't have link, but search for:

    New ways of being Pwned - Luis Miras

    how to do it probably wouldn't be difficult for someone with electronic assembly / radio tech experience.

    there are basic 27mhz receiver designs online, and you could probably buy one somewhere, if not, give the pcb designs/parts to someone in the know and have them build for you - pay someone.

    edit: seems you could do it with USRP, IF you already have one..i know some here do.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I don't think you read the article.
    This is not wireless.


  • Closed Accounts Posts: 35 Angelo Pascal


    Yes, that's true - i did not read it.

    A quick skim to the comment: "fully or partially recover keystrokes" by spotting the electromagnetic radiation emitted when keys were pressed.

    .. it sounds very much like other EM attacks we've read about over the years, like Van Eck

    so, i guess they're filtering out the keys from the radio signals?

    this is good paper about EM attacks from 1998.

    Compromising emanations are not only caused directly by signal lines acting as parasitic antennas. Power and ground connections can also leak high-frequency information. Data line drivers can cause low-frequency variations in the power supply voltage, which in turn cause frequency shifts in the clock; the data signal is thus frequency modulated in the emitted RFI. Yet another risk comes from 'active' attacks [15], in which parasitic modulators and data-dependent resonators affect externally applied electromagnetic radiation: an attacker who knows the resonant frequency of (say) a PC's keyboard cable can irradiate it with this frequency and then detect keypress codes in the retransmitted signal thanks to the impedance changes they cause. In general, transistors are non-linear and may modulate any signals that are picked up and retransmitted by a line to which they are connected. This effect is well known in the counterintelligence community, where 'nonlinear junction detectors' are used to locate radio microphones and other unauthorised equipment.


    wouldn't be that surprised if they're using ettus boards + gnu radio libs to do the job..it could be done cheaper, but its the easiest option.

    and the RF attacks on wireless keyboards are probably more effective.


  • Closed Accounts Posts: 35 Angelo Pascal


    hey conceited, thought you might be interested to know this
    for a laugh today, i got out a handheld scanner that covers AM frequency.

    for the wireless keyboard i have by logitech, the transmission frequency was 27.140 Mhz AM

    and for a wired mikomi mouse, it was at 30.265 Mhz AM emitting signals for the trackball and left/right clicks

    probably wired keyboards are around same frequency..haven't tested any.


  • Closed Accounts Posts: 35 Angelo Pascal


    just tried a wired USB keyboard..you can hear small blips here and there in between 20-40 MHz, on 34 MHz, at least for this keyboard, it would give different pitched noises (very faint) for each of the keys..maybe some radio guru can investigate more.

    EDIT: a PS2 keyboard seemed to have stronger signals emitted compared to USB..maybe its just this model, or all of them?


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,528 CMod ✭✭✭✭Black Swan


    So what's the security solution? White noise or some other version of randomized transmissions that approximate keyboard emissions used to jam snoops?


  • Closed Accounts Posts: 58 ✭✭Fergob


    Get a Cordless 2.4GHz Keyboard that is designed specifically for the business Market and offers encryption from 64 bit - 128 bit


    "Another benefit of Logitech 2.4 GHz Digital Cordless for Business is that it gives one of the fastest and most efficient cryptographic algorithms for keyboards and mice on today’s market. Thanks to a 64-bit equivalent, proprietary TEA encryption algorithm, Logitech 2.4 GHz Digital Cordless for Business shows itself to be highly resistant to differential cryptanalysis, making it very difficult to break, even for an experienced hacker."


  • Closed Accounts Posts: 35 Angelo Pascal


    Thanks to a 64-bit equivalent, proprietary TEA encryption algorithm


    Assuming they're talking about key sizes, TEA was designed to use 128-bit keys. The cryptanalysis carried out to date was against 128-bit keys..

    resistant to differential cryptanalysis


    128-bit TEA is resistant to differential cryptanalysis, but is 64-bit?

    i wonder what implementation they're using and how a 64-bit key might affect the security.
    how are the keys generated? do they change for the duration of keyboard use or if the computer restarts?
    how does the computer know what key the keyboard is going to use?

    there must be some agreed values and i doubt they're using a complex key agreement scheme when TEA is used.

    i'd say brute force would be fairly quick against a 64-bit key, TEA is already implemented very fast..and there may be weaknesses in the implementation anyway.

    btw Fergob, do you work for Logitech??
    I read the document you quoted: http://www.logitech.com/images/pdf/emea_business/2.4ghz_white_paper.pdf
    but couldn't find any reference to the keyboard offering 128-bit encryption.
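
Added example, not part of any post in this thread and not Logitech's implementation: standard TEA in C, showing that the cipher is defined over a 128-bit key and that even this nominal size overstates the keyspace, because flipping the top bit of both key words in a pair gives an equivalent key (a published property of TEA). The key, the plaintext and the helper names `encrypt_with_mask` and `roundtrip_ok` are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32
/* Standard TEA: 64-bit block v[0..1], 128-bit key k[0..3]. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

static void tea_decrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_ROUNDS;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Constructed sample key and plaintext block (not taken from any product). */
static const uint32_t KEY[4] = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u};
static const uint32_t PT[2]  = {0x74797065u, 0x64206B79u};
/* Encrypt PT under KEY with an XOR mask applied to each key word. */
uint64_t encrypt_with_mask(uint32_t m0, uint32_t m1, uint32_t m2, uint32_t m3) {
    uint32_t k[4] = {KEY[0] ^ m0, KEY[1] ^ m1, KEY[2] ^ m2, KEY[3] ^ m3};
    uint32_t v[2] = {PT[0], PT[1]};
    tea_encrypt(v, k);
    return ((uint64_t)v[0] << 32) | v[1];
}

int roundtrip_ok(void) { /* decrypt(encrypt(PT)) must give PT back */
    uint32_t v[2] = {PT[0], PT[1]};
    tea_encrypt(v, KEY); tea_decrypt(v, KEY);
    return v[0] == PT[0] && v[1] == PT[1];
}

int main(void) {
    const uint32_t M = 0x80000000u; /* top bit of a key word */
    printf("original key     : %016llx\n", (unsigned long long)encrypt_with_mask(0, 0, 0, 0));
    printf("k0,k1 top bits ^1: %016llx\n", (unsigned long long)encrypt_with_mask(M, M, 0, 0));
    printf("k0 top bit only  : %016llx\n", (unsigned long long)encrypt_with_mask(M, 0, 0, 0));
    return roundtrip_ok() ? 0 : 1;
}
```

The first two lines print the same ciphertext: each 128-bit key has three equivalents, so the effective keyspace is 2^126. Any scheme that feeds fewer secret bits into the key words is bounded by those bits, not by TEA's nominal key size.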


  • Closed Accounts Posts: 58 ✭✭Fergob


    Hi Angelo,

    yep i do, ( look through any of my previous posts and it's pretty clear !! )

    wasn't specifically trying to push a logitech related product here but relating what i knew through our business products that were designed with security in mind.

    to get back to the 128 bit encryption, google the new Pro 2800 Desktop which has it..the article i was quoting from was about the Pro 2400 which has 64bit


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    screen the cables and add ferrites
    metallic paint on the keys , lots of thin foil
    you could hide in the white noise by a small noise generator say wiring three inverters in series and running off USB, best to have some white noise hissing from the speakers as you type too

    they can also see what's on the screen of a CRT , not too sure if they can do with LCD

    Oh and all those of you talking about encryption are missing the point, the signals they are talking about are from wired keyboards. It's the electronic noise generated internally when you press the keys.

    The sound based attack simply used frequency analysis coupled with dictionary searches , 3 passes IIRC, to isolate the sounds of each key. You could do the same easily with electronic noise.

    Keyboards were based on an 8049 cpu so lots of spikes when it's busy and an unscreened cable would act like an aerial
    http://en.wikipedia.org/wiki/Intel_8049

    Who needs fancy electronic antennas ?
    http://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information
    Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed. The idea is that different keys tend to make slightly different sounds, and although you don't know in advance which keys make which sounds, you can use machine learning to figure that out, assuming that the person is mostly typing English text.

