Eavesdrop on keyboards wirelessly

Every time you press a key on your keyboard, a small burst of electromagnetic radiation is let out. This radiation can be captured and decoded. Though it only affects some models, this is pretty serious. They tested 11 different keyboards and they were all vulnerable to at least one of the four methods of attack. Tests have shown that the data can be read through walls and up to 65 feet away. That is pretty scary stuff. Someone could be setting up in the apartment or office right next to yours to listen to every keystroke you type.  Check out the second video after the break.

They don’t give a list of what keyboards were affected. Their paper is currently being finished, and should be published soon. The possibility of this attack was suggested to us a couple years ago when we covered old school Van Eck phreaking.

[via Engadget]

Comments

  1. Xcorpio says:

    Affected, not effected… on both counts ;-)

  2. Cactus says:

    They seemed reluctant to keep the computer and LCD hooked up. I would have expanded on the experiments by trying a desktop in addition to the laptop. The only real protection for this might possibly be overwhelming background radiation.That or lining your keyboard with aluminum foil. I’d like to see just how accurate this can be in real world scenarios.

  3. Stu says:

    Hmmmmm, cant quite see how you could distinguish different keys from nothing more than switch contacts. I can just about see how EM emanations could occur, just not how to distinguish which key was pressed.
    Even if each key had a very specific ‘resonance’ emanation, how would you know which key was which without having prior access to that keyboard? And if you had it, you’d have to very carefuly work out which key ‘sounded’ a certain way and would take hours!
    I’m thinking this is a hoax – in the first vid a very small program (netcat?) could have been running on the laptop simply WiFi-transmitting the keys to his supposed ‘decoder’ app. The oscilloscope is just there for ‘effect’.
    Lets see about it when their paper is released but for now I’m quite skeptical.
    Its not even april!

  4. macegr says:

    stu: Van Eck phreaking has been around for a long time, and it’s pretty much the same concept here. It’s amazing how many ways there are to snoop on someone’s computer. Right before CRTs went out of style, someone even managed to recover screen images by measuring the varying light in a room and syncing it up to the cathode ray scan.

  5. kurf says:

    When they can manage to do the same thing in a noisy office environment with hundreds of keys being pressed all at once then I’ll worry.

  6. kurf says:

    plus your power supply is emitting a whole lot more electromagnetic radiation then your keyboard.

  7. @Xcorpio Fixed. We’re still teaching Caleb about nouns and verbs.

  8. Rob says:

    I recall reading somewhere about a similar project but it used the sounds of the keys being pressed as each key potentially makes a differnt sound.

    Stu i think this could be possible but if he is worried about interference from a dc power supply I dont know reliable it would be. he would be going crazy if he was sniffing someplace with more then one keyboard

  9. tallboots says:

    if the electromagnetic radiation were that strong (which it isnt) it would seem to be another good reason to wrap your head in aluminum foil.

    oh another thing…. heres how to prove this is false (no software required) 1.get a guitar pickup (any decent size coil will work) 2.plug it in to an amp. 3.hold it over your keyboard. 4. press different buttons….. do they make sound? do the keys sound different?

  10. kurf says:

    @tallboots a guitar wouldn’t help in deciding if this false. does you guitar make a sound when you stand next to your wireless router?

  11. Rob says:

    @Tallboots and Kurf
    The guitar pickups should be strong enough to pick up the EMI produced from most any electronic.

    Draping my keyboard wire over my pickups i do not get a distinct tone which is to be expected as it is digital signal. But i do get a click and watching it does have a distinct waveform.

  12. millertyme says:

    Interesting, thanks for sharing that. :)

  13. Hugo says:

    This is clearly BS. First of all, all the keyboard wires are shielded in an aluminum wrap. No EM can escape the wires. Second of all, USB uses differential signaling, you wont be able to distinguish the EM waves. Third of all, do you know how much other stronger EM fields fly all over the room at any given time?! Jesus… I cant believe this stuff gets thrown around like this.

  14. Sp`ange says:

    would it even matter if you lined your keyboard with tinfoil if you didn’t shield the cable as well?

    sidenote: read “Cryptonomicon” by Neil Stephenson

  15. Satiagraha says:

    This better be a hoax… :-( !!!!

  16. Adam says:

    who the hell types 1 keystroke every second, I know he is just trying to show us what he typed but most people out there type a lot faster then this guy did, my guess is that if this really works, it wouldn’t be able to pick up someone typing around 200 wpm.

  17. Dubularity says:

    {Adjusts tin hat to a jaunty angle}
    Presumably no one else is using a keyboard, within 65′, and I find it interesting that the camcorder doesn’t seem to cause any interference.

  18. Adam Ziegler says:

    Um… why does the program just happen to terminate when the last key stroke is ‘decoded?’ A timeout? maybe, but why doesn’t it time out when the camera guy take an incredibly long time to start pressing keys in the second video.

    Just seems odd.

  19. &%unkn0wn says:

    You would think even if there is a signal sent by a keyboard that you could pick up from what…”up to 65 feet away” you would end up with at least 3 to 300 diffrent keyboards stroking away at any given time. It looks like a great idea, but it would be very VERY hard to tell who is typing what, especialy if it only “decodes” 1 wpm and the avrage every day user types 75 wpm

  20. matt says:

    fake…

  21. tallboots says:

    @kurf (and rob)
    a guitar pickup is plenty strong to hear interesting sounds in electronics. It picks up the magnetic field from a shaking metal guitar string after all…

    Another experiment along the same lines: Take a “telephone pickup” (google it) and trace it around on your laptop, ipod, cellphone (make a call), florescent lights, motors, etc. and amplify the output. Lots of interesting sounds hidden in the electromagnetic fields of modern gadgets.

    I wouldnt imagine that a keyboard would emit a tone… just a click because its a switch – Like rob found (above). Look at the scope in the video and you will see waveforms (peaks) that may be these clicks. BTW my guitar makes lots of noise around lots of electronics. Thats why i have sheilded cables and a humbucker…

  22. ryan says:

    if this is real, i’m going to need a lot more evidence than this to convince me. honestly, if they really had something, they would have spent a lot more of their time getting something published and a lot less time with these sickeningly overprofessional videos. even if there is some potential security risk in em emissions from electronics, i don’t think these guys are any closer to exploiting it then my cat is.

  23. jaded says:

    Whether you “believe” these experiments or not, they are most certainly credible. Electronics emitting radiation that can give away secrets has known as a threat since 1943, and the NSA has specified protection against this kind of signal leakage (called TEMPEST shielding) in 1972.

    Civilian researchers haven’t done too much in this field since it doesn’t have much practical application except in the spying business. However, Ross Anderson at Cambridge has done a lot of experiments especially with monitor leakage.

    Here are some reasons that I find this completely credible.

    0. Every electrical signal radiates some amount of energy.
    1. Some keyboard cables (especially cheap ones) are not built with shielded wire.
    1a. Shielding is not perfect. Cheap shielding is less perfect than expensive shielding. And shielding is usually designed to keep detrimental signals from entering the wire, rather than prevent good signals from leaking out.
    2. The keyboard wire is not the only place where the RF may be emanating. It may be being generated on an unshielded chip or interface board, or it may be being emitted by the circuitry on the receiving computer.
    3. Keyboard signals being transmitted from the keyboard to your computer are not in “parallel”, featuring one wire per button, they are converted from a bunch of switches into a digital signal (two or three bytes of data) and sent serially. The sniffer doesn’t detect the signals from the key switches themselves, but rather that processed serial data coming from the keyboard decoder chip.
    3a. Keyboard digital signals are a very old protocol, so they are “chunky and big” signals compared to the much higher frequencies of USB. They’re really easy to spot on an oscilloscope.
    3b. Almost all USB keyboards use the same electrical protocols as a PS/2 keyboard internally, and they convert the signal with a USB chip only for the wire to the computer interface. There is usually a tiny daughterboard tucked in at the cable connection that handles protocol and determines whether it’s a PS/2 or USB keyboard.
    4. A proof-of-concept doesn’t mean this particular researcher has a practical attack that he could carry in his pocket or deploy in your apartment building, but it doesn’t exclude the possibility that a practical keyboard receiver exists, especially one from a well-funded professional or federal security agency.
    5. Security attacks never get worse. If one guy can do this, that means others can too. And the NSA documented doing this 35 years ago.
    6. An electrically noisy environment is no guarantee against a highly directional antenna and a discriminating receiver. Consider the visual equivalent: just because you can see a candle flame in isolation doesn’t mean you can’t see a candle sitting next to a fireplace.
    7. There are far more practical attacks that most investigators would use to sniff a keyboard, such as a hidden video camera, key logging dongle, or malware.
    8. The signals emitted may or may not have harmonics in the audible frequencies, so a guitar pickup and amplifier may or may not detect them, or would at most play a tiny click.
    9. A guitar pickup is designed for the audible frequencies, which is one reason why you don’t hear broadcast AM radio stations over your pickups. And either it or your amp probably has a high pass filter to sink those kinds of interference — your speakers wouldn’t respond to 32kHz tones anyway — but you probably would detect a click.
    10. His proof of concept shows only that his prototype software is reading one character per second typing speed. That does not mean that the software or hardware can’t be improved to process data faster or handle more data in a multiple keyboard environment. My first computer wouldn’t have driven a 1920×1280 monitor either. Hell, my first monitor was 40×12 (I didn’t have the money for the 2K RAM chips.) Technology improves, given enough time and money.

    Whether or not you believe these present an actual threat to your own privacy, well, that’s up to you. (I’m not going to lose sleep over it.) But you should have no doubt that this is a real demo of a real leak.

  24. kurf says:

    The more and more I plot this in my head, the more I come to the conclusion that it’s not bunk. I don’t really like the experimenting this group did, however, if a keystroke does in fact emit a distinct electromagnetic wave then with the right antenna and filters all the other junk can be sifted through.

  25. kurf says:

    I found this very old article linking to some interesting stuff as well.

    http://news.zdnet.co.uk/security/0,1000000189,2082190,00.htm

  26. NNM says:

    VERY NICE…
    But disconnecting everything is probably necessary to avoid other signals?
    This looks like it really depends on an electromagnetic silence around… Any type of electronic equipment would scramble the signal??
    But the experiment shows it’s possible. Filtering out “noise” might be really, REALLY hard, but possible…

  27. Thinkster says:

    If you’ve ever taken a PC Keyboard apart, most of the time you will find a little circuit board with the electronics in either the top left or top right portion and guess what? It’s not shielded! Now the mechanical keys make contact with a membrane which makes contact with a flexible circuit board (in a matrix array) and that part is often shielded. Well the the little circuit board has a chip that runs at a certain frequency and the matrix array of keys are “scanned” at a particular frequency, so theoretically you could capture the data from the chip or it’s surrounding electronics if you had sensitive enough and expensive equipment tuned to a specific frequency. So I’d say it’s possible…

  28. kurf says:

    @thinkster

    I agree with you, again I’m not to sure about these experimenters, but this is defiantly possible, albeit less practical.

  29. superlopez says:

    ¿GNU-Radio? Black box over spectrum analyzer is a USRP http://www.ettus.com/

    Posible countermeasure: R.F. choke in keyboard cable

  30. nocker says:

    he disconnected the power supply to remove the possibility that the transmission he was picking up was rf leakage through the electrical system, not to weed out that same noise.

    it may be much easier to sort out 200 distinct keyboards at once than you’d think, does each one have unique frequency characteristics (think about the dust patterns of digital cameras) that a well programmed decoder could isolate? maybe it would all turn into white noise, but isn’t relying on that just security through obfuscation?

    *starts drafting design for a tin-foil-hat-noise generator*

  31. jaded says:

    Sorry, another mistake. In 1a I was trying to say that we don’t know if the keyboard cable shielding was engineered or if someone just thought “if we put some foil in the cable insulation we can sell it as shielded cable.” We also don’t know if the shielding in these cables is properly grounded.

  32. hackist says:

    It’s an interesting idea, obviously inspired by Van Eck Phreaking but nobody can can give a satisfactory explanation as to why the ‘decoder’ stops listening after it captures the last keystroke, as Adam Ziegler commented above.

    The whole endeavour looks like nothing but a cheap stage show and a bash script to me.

  33. alexfox says:

    regarding the decoder ending after the desired data has been received:

    who’s to say that he didn’t code the script to terminate after no more keypresses are detected after a certain amount of time?

    there are too many variables to come to such hasty judgements. the site mentions they are in the process of submitting their paper to a peer-reviewed journal. after you read their paper, *then* you can start finding holes in their method. until that point, it is simply speculation

    ok so its your skepticism versus their video… generally i’d side with the skepticism… *EXCEPT* that the concept is proven and has been around for half a century. this is not new! they are simply showing one of the first recent practical implementations that we’ve seen (who knows what has been done to this end in well-funded research labs, over the past 50 years)

    game-set-match: you can be skeptic all you want, but you can’t truly judge until you read their details. until that point, the only confirmed evidence we have is that van eck phreaking is legitimate. therefore there is a higher probability that this is legit (i’m not judging though, it certainly could be fake)

  34. Sys Admn says:

    even cold war era typewriters had countersurveillance mechanisms built into them. included in the exhibit is an ibm selectric typewriter. it coupled a motor to a mechanical assembly, so pressing different keys caused the motor to draw different amounts of current that were specific for each key. close measurements of the current could reveal what was being typed on the machine. to prevent these measurements, state selectric typewriters were equipped with “inertia” motors connected to a large flywheel. the spinning flywheel absorbed the stress of the mechanical assembly and masked the keys being typed.

    http://www.gcn.com/blogs/tech/46710.html

    Another form of monitoring “radiation” to determine what is being typed –
    li zhuang, feng zhou, and doug tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed. the idea is that different keys tend to make slightly different sounds, and although you don’t know in advance which keys make which sounds, you can use machine learning to figure that out, assuming that the person is mostly typing english text. (presumably it would work for other languages too.

    http://www.freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

  35. Cossist says:

    Verified!

    I’m in my RF lab right now and decided to give this a try. I took a quick look at the ps/2 protocol at http://www.computer-engineering.org/ps2protocol to find the clock frequency is in the range of 10-16.7kHz…that’s low enough to be audible! You can trigger a digital scope to capture the 11-bit frame, send it through GBIP, and process. I bet you get a lot of harmonics from the 60Hz that would clobber the receiver amp if not filtered. a b-field antenna, a modest adc, and little dsp magic on an fpga would get the job done.

  36. kurf says:

    @cossist

    Take a video and we’ll start this same post all over again. Nice job.

  37. Jeremyvnc says:

    This may or may not be real but from the looks of the program, it took forever to decode a 12 character string that was typed at 1 key/s. I don’t know about you all, but I type pretty darn fast for these transmissions to even register before the next key has bombarded the radiation. Plus, that looked like best case scenario with the computer in close proximity and no other radiation from power supplies, monitors, heck even cell phones. Give me a real world test in the middle of a park or in a internet cafe, cacheing someones typing. Then I’ll be worried about my “secrets” getting out into the world.

  38. M4CGYV3R says:

    This is the same as a TEMPEST screen-reading attack which operates on the principle that your monitor has a digital signal coming into it and if you can induce the signal, amplify it, and redisplay on your own monitor, you can read someone else’s monitor remotely. Obviously, there’s a pretty limited range.

  39. Mr Dan says:

    well, it looks like that bbc news believe it:

    http://news.bbc.co.uk/1/hi/technology/7681534.stm

  40. supershwa says:

    Impressive. BBC posted some news about this on their website too. I’ll be interested in reading more about this when the report is completed.

  41. blizzarddemon says:

    Now thats a hack lol

  42. kurf says:

    Wow, interesting that bbc has an article on it, I don’t doubt this is possible but when is someone going to contact these guys? There’s a lot of misconception about about our understanding of RF. We all need to do some research on frequency resonance. You can pick out any specific frequency you want regardless of other noise!

  43. hackist says:

    Pause the first video at 2:02 and analyse the output. It happily echoes “keystroke n acquired” but only up to n=11. Yet his test string comprised of 12 keystrokes, and yes, he started counting from 1. The summary line which follows then reports 12 traces acquired. I’d be extremely surprised if somebody with the intelligence to build this would be careless enough to code that bug into their script. In fact, you would have to code a loop quite awkwardly to achieve that.

    I’m not disputing the theory of the hack. Merely that this is *not* a genuine video of it in progress.

    The BBC should be ashamed of themselves reporting this. They would do well to spend a couple of hours watching the 2006 Ant & Dec movie Alien Autopsy.

  44. DarkFader says:

    I bet he’s typing so loudly to be able to narrow down the timeslots in which he has to filter the data. Which is fine for a proof-of-concept. But we all know it’s possibly anyway.

  45. Doug says:

    Both this topic & a few others I’ve looked at recently, contain russian spam.
    I thought comments were vetted?

  46. Sam says:

    Build a Faraday cage around the internals of your keyboard and put as many ferrite beads as you are comfortable using on the cord. Problem solved. The Faraday cage will pick up stray EM emissions and cancel them out. Ferrite beads convert the interference that is being broadcast by cables to heat energy (not much) and dissipates it. Many of you have already seen ferrite beads – they are encased in plastic and often found attached to the ends of cables on various kinds of computer equipment (the end of the power adapter that plugs into a laptop is a good place to look).

    A Faraday cage that many of you already have in your home is the screen on the front of your microwave oven. The holes are big enough for light to pass through (so you can observe what you are cooking) but not big enough to allow microwave radiation through. Put your cellular phone in the microwave (don’t turn it on or forget that you put it in there) and call it. If it does not ring, the Faraday cage in your microwave is working as it should and preventing microwaves from entering or leaving the enclosure.

  47. drew says:

    two things about all those comments a power supply produces a very even hum which would be very very easy to filter out and a guitar pick up is not only capable of receiving am radio it will pick up fm inferred light (try it just point a tv remote at it you will be surprised) cb and yes router signals. try running a pickup without tone or volume knobs, the tone knob is actually a filter that changes the frequency response of the guitar. if you were to wire it strait to an unfiltered amp you get many different signals. a pickup dose not actually receive audio it generates tiny amounts of electricity like a small generator or a microphone. as for this being practical who’s to say but i believe it would work.

  48. Bill says:

    Why did the monitoring program stop running at the end of the phrase?

  49. G2 says:

    The company I work for gets payed by various government departments to provide tempest services. This includes tempest proofing of indivdual PCs, server racks or even entire rooms. Security related RF paranoia goes well beyond worrying about reading the data stream from a keyboard based on radiated emmissions. Hell, you can even get information being radiated from the power cable of a device if the psu has not been implimented properly.

  50. TS_E says:

    Thanks Jaded. Completely correct. This technology is, and has been for quite some time, a reality. The experiment conducted in the video uses somewhat less sophisticated techniques than what is in current use.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,010 other followers