Affected, not effected… on both counts ;-)

Hmmmmm, cant quite see how you could distinguish different keys from nothing more than switch contacts. I can just about see how EM emanations could occur, just not how to distinguish which key was pressed.
Even if each key had a very specific ‘resonance’ emanation, how would you know which key was which without having prior access to that keyboard? And if you had it, you’d have to very carefuly work out which key ‘sounded’ a certain way and would take hours!
I’m thinking this is a hoax – in the first vid a very small program (netcat?) could have been running on the laptop simply WiFi-transmitting the keys to his supposed ‘decoder’ app. The oscilloscope is just there for ‘effect’.
Lets see about it when their paper is released but for now I’m quite skeptical.
Its not even april!

When they can manage to do the same thing in a noisy office environment with hundreds of keys being pressed all at once then I’ll worry.

if the electromagnetic radiation were that strong (which it isnt) it would seem to be another good reason to wrap your head in aluminum foil.

oh another thing…. heres how to prove this is false (no software required) 1.get a guitar pickup (any decent size coil will work) 2.plug it in to an amp. 3.hold it over your keyboard. 4. press different buttons….. do they make sound? do the keys sound different?

@Tallboots and Kurf
The guitar pickups should be strong enough to pick up the EMI produced from most any electronic.

Draping my keyboard wire over my pickups i do not get a distinct tone which is to be expected as it is digital signal. But i do get a click and watching it does have a distinct waveform.

This is clearly BS. First of all, all the keyboard wires are shielded in an aluminum wrap. No EM can escape the wires. Second of all, USB uses differential signaling, you wont be able to distinguish the EM waves. Third of all, do you know how much other stronger EM fields fly all over the room at any given time?! Jesus… I cant believe this stuff gets thrown around like this.

This better be a hoax… :-( !!!!

{Adjusts tin hat to a jaunty angle}
Presumably no one else is using a keyboard, within 65′, and I find it interesting that the camcorder doesn’t seem to cause any interference.

You would think even if there is a signal sent by a keyboard that you could pick up from what…”up to 65 feet away” you would end up with at least 3 to 300 diffrent keyboards stroking away at any given time. It looks like a great idea, but it would be very VERY hard to tell who is typing what, especialy if it only “decodes” 1 wpm and the avrage every day user types 75 wpm

@kurf (and rob)
a guitar pickup is plenty strong to hear interesting sounds in electronics. It picks up the magnetic field from a shaking metal guitar string after all…

Another experiment along the same lines: Take a “telephone pickup” (google it) and trace it around on your laptop, ipod, cellphone (make a call), florescent lights, motors, etc. and amplify the output. Lots of interesting sounds hidden in the electromagnetic fields of modern gadgets.

I wouldnt imagine that a keyboard would emit a tone… just a click because its a switch – Like rob found (above). Look at the scope in the video and you will see waveforms (peaks) that may be these clicks. BTW my guitar makes lots of noise around lots of electronics. Thats why i have sheilded cables and a humbucker…

Whether you “believe” these experiments or not, they are most certainly credible. Electronics emitting radiation that can give away secrets has known as a threat since 1943, and the NSA has specified protection against this kind of signal leakage (called TEMPEST shielding) in 1972.

Civilian researchers haven’t done too much in this field since it doesn’t have much practical application except in the spying business. However, Ross Anderson at Cambridge has done a lot of experiments especially with monitor leakage.

Here are some reasons that I find this completely credible.

0. Every electrical signal radiates some amount of energy.
1. Some keyboard cables (especially cheap ones) are not built with shielded wire.
1a. Shielding is not perfect. Cheap shielding is less perfect than expensive shielding. And shielding is usually designed to keep detrimental signals from entering the wire, rather than prevent good signals from leaking out.
2. The keyboard wire is not the only place where the RF may be emanating. It may be being generated on an unshielded chip or interface board, or it may be being emitted by the circuitry on the receiving computer.
3. Keyboard signals being transmitted from the keyboard to your computer are not in “parallel”, featuring one wire per button, they are converted from a bunch of switches into a digital signal (two or three bytes of data) and sent serially. The sniffer doesn’t detect the signals from the key switches themselves, but rather that processed serial data coming from the keyboard decoder chip.
3a. Keyboard digital signals are a very old protocol, so they are “chunky and big” signals compared to the much higher frequencies of USB. They’re really easy to spot on an oscilloscope.
3b. Almost all USB keyboards use the same electrical protocols as a PS/2 keyboard internally, and they convert the signal with a USB chip only for the wire to the computer interface. There is usually a tiny daughterboard tucked in at the cable connection that handles protocol and determines whether it’s a PS/2 or USB keyboard.
4. A proof-of-concept doesn’t mean this particular researcher has a practical attack that he could carry in his pocket or deploy in your apartment building, but it doesn’t exclude the possibility that a practical keyboard receiver exists, especially one from a well-funded professional or federal security agency.
5. Security attacks never get worse. If one guy can do this, that means others can too. And the NSA documented doing this 35 years ago.
6. An electrically noisy environment is no guarantee against a highly directional antenna and a discriminating receiver. Consider the visual equivalent: just because you can see a candle flame in isolation doesn’t mean you can’t see a candle sitting next to a fireplace.
7. There are far more practical attacks that most investigators would use to sniff a keyboard, such as a hidden video camera, key logging dongle, or malware.
8. The signals emitted may or may not have harmonics in the audible frequencies, so a guitar pickup and amplifier may or may not detect them, or would at most play a tiny click.
9. A guitar pickup is designed for the audible frequencies, which is one reason why you don’t hear broadcast AM radio stations over your pickups. And either it or your amp probably has a high pass filter to sink those kinds of interference — your speakers wouldn’t respond to 32kHz tones anyway — but you probably would detect a click.
10. His proof of concept shows only that his prototype software is reading one character per second typing speed. That does not mean that the software or hardware can’t be improved to process data faster or handle more data in a multiple keyboard environment. My first computer wouldn’t have driven a 1920×1280 monitor either. Hell, my first monitor was 40×12 (I didn’t have the money for the 2K RAM chips.) Technology improves, given enough time and money.

Whether or not you believe these present an actual threat to your own privacy, well, that’s up to you. (I’m not going to lose sleep over it.) But you should have no doubt that this is a real demo of a real leak.

I found this very old article linking to some interesting stuff as well.
http://news.zdnet.co.uk/security/0,1000000189,2082190,00.htm

If you’ve ever taken a PC Keyboard apart, most of the time you will find a little circuit board with the electronics in either the top left or top right portion and guess what? It’s not shielded! Now the mechanical keys make contact with a membrane which makes contact with a flexible circuit board (in a matrix array) and that part is often shielded. Well the the little circuit board has a chip that runs at a certain frequency and the matrix array of keys are “scanned” at a particular frequency, so theoretically you could capture the data from the chip or it’s surrounding electronics if you had sensitive enough and expensive equipment tuned to a specific frequency. So I’d say it’s possible…

¿GNU-Radio? Black box over spectrum analyzer is a USRP http://www.ettus.com/

Posible countermeasure: R.F. choke in keyboard cable

Sorry, another mistake. In 1a I was trying to say that we don’t know if the keyboard cable shielding was engineered or if someone just thought “if we put some foil in the cable insulation we can sell it as shielded cable.” We also don’t know if the shielding in these cables is properly grounded.

regarding the decoder ending after the desired data has been received:

who’s to say that he didn’t code the script to terminate after no more keypresses are detected after a certain amount of time?

there are too many variables to come to such hasty judgements. the site mentions they are in the process of submitting their paper to a peer-reviewed journal. after you read their paper, *then* you can start finding holes in their method. until that point, it is simply speculation

ok so its your skepticism versus their video… generally i’d side with the skepticism… *EXCEPT* that the concept is proven and has been around for half a century. this is not new! they are simply showing one of the first recent practical implementations that we’ve seen (who knows what has been done to this end in well-funded research labs, over the past 50 years)

game-set-match: you can be skeptic all you want, but you can’t truly judge until you read their details. until that point, the only confirmed evidence we have is that van eck phreaking is legitimate. therefore there is a higher probability that this is legit (i’m not judging though, it certainly could be fake)

Verified!

I’m in my RF lab right now and decided to give this a try. I took a quick look at the ps/2 protocol at http://www.computer-engineering.org/ps2protocol to find the clock frequency is in the range of 10-16.7kHz…that’s low enough to be audible! You can trigger a digital scope to capture the 11-bit frame, send it through GBIP, and process. I bet you get a lot of harmonics from the 60Hz that would clobber the receiver amp if not filtered. a b-field antenna, a modest adc, and little dsp magic on an fpga would get the job done.

This may or may not be real but from the looks of the program, it took forever to decode a 12 character string that was typed at 1 key/s. I don’t know about you all, but I type pretty darn fast for these transmissions to even register before the next key has bombarded the radiation. Plus, that looked like best case scenario with the computer in close proximity and no other radiation from power supplies, monitors, heck even cell phones. Give me a real world test in the middle of a park or in a internet cafe, cacheing someones typing. Then I’ll be worried about my “secrets” getting out into the world.

well, it looks like that bbc news believe it:

http://news.bbc.co.uk/1/hi/technology/7681534.stm

Now thats a hack lol

Pause the first video at 2:02 and analyse the output. It happily echoes “keystroke n acquired” but only up to n=11. Yet his test string comprised of 12 keystrokes, and yes, he started counting from 1. The summary line which follows then reports 12 traces acquired. I’d be extremely surprised if somebody with the intelligence to build this would be careless enough to code that bug into their script. In fact, you would have to code a loop quite awkwardly to achieve that.

I’m not disputing the theory of the hack. Merely that this is *not* a genuine video of it in progress.

The BBC should be ashamed of themselves reporting this. They would do well to spend a couple of hours watching the 2006 Ant & Dec movie Alien Autopsy.

Both this topic & a few others I’ve looked at recently, contain russian spam.
I thought comments were vetted?

two things about all those comments a power supply produces a very even hum which would be very very easy to filter out and a guitar pick up is not only capable of receiving am radio it will pick up fm inferred light (try it just point a tv remote at it you will be surprised) cb and yes router signals. try running a pickup without tone or volume knobs, the tone knob is actually a filter that changes the frequency response of the guitar. if you were to wire it strait to an unfiltered amp you get many different signals. a pickup dose not actually receive audio it generates tiny amounts of electricity like a small generator or a microphone. as for this being practical who’s to say but i believe it would work.

The company I work for gets payed by various government departments to provide tempest services. This includes tempest proofing of indivdual PCs, server racks or even entire rooms. Security related RF paranoia goes well beyond worrying about reading the data stream from a keyboard based on radiated emmissions. Hell, you can even get information being radiated from the power cable of a device if the psu has not been implimented properly.

I’m sure the results are accurate. Anyone remember TEMPEST? You can view someone’s SCREEN remotely if you know what you’re doing. However, it is clearly much more difficult in real-world environments (especially with the PC and monitor) as there would be heck of a lot more noise.

I’m not surprised at the results, as most keyboards these days are designed cheaply. In fact, it’s probably the biggest component on the computer which isn’t shielded (if you’ve ever opened up a brand-name computer or laptop, there is a heck of a lot of shielding material in it). Add the fact that you don’t have low power requirements, and there’s loads of switching currents and radiated EMI coming out of the keyboard.
It’s true that most of the detectable emissions don’t come from EMI; they most likely come from an intermediate processing step somewhere along the line.

We rely a hell of a lot more on security through obfuscation than we’d think. The truth is, even the most paranoid probably have forgotten to cover up some security hole.

Wouldn’t it be great if society just worked on an honor system?

This simply shows the proof of concept that Linus talks about from one of his early gigs as a network admin (orrr Bastard operator from hell type jorb): nothing is ever secure, for certain, beyond a doubt, ever, so there is no point in having passwords on an in-house network; everything that an “attacker” is interested in will be extracted by that individual if they really want it badly enough… that and the fact that anything recorded can be mass produced pretty easily… and a number of other things. You are using technology? Be prepared to get used back! :-)

I highly doubt this is real. The only possible way I could imagine reading the EMI from the keyboard cable would be to have absolutely everything else with an electrical signal in it turned off. I would think that a computer power supply with a capacitor filtered rectifier would add a hell of a lot of noise. Not only does it have 60Hz noise but then there are all the current harmonics it creates with the power factor distortion.

Still I dont write it off. Maybe if you had the receiver perfectly filtered with a non shielded cable with wire and antenna perfectly parallel and minimal electrical noise…

Maybe I should go down to Keytronics and ask if this is possible, hahah.

(I lives near Spokane, where Keytronics, a huge supplier in the Keyboard IC market, is based.)

After looking closer to the video I manage to find the program they used to decode the keystrokes:

http://optics.eee.nottingham.ac.uk/tek/source/tek/utils/tgetwf/

Actually it seems that they are using their own modified version but the printf banners are identical :)

if (count > 1) printf(“A total of %d traces were acquired.\n”,count);

printf(“%ld points acquired from source ‘%s’\n”,(long)(buf_size / 2), channel);

You can bet on that :)

Hello. And Bye.

Hi all,
I’m about to start writing a research paper on Tempest attacks and peoples attitudes towards them as potential attacks.
It would help me greatly if you could complete a questionnaire for me, it very brief and will be kept completely anonymous.
If you are willing to help please email me at:
i9099809 at bournemouth.ac.uk and i’ll send you the questionnaire (.doc fomat)

Thanks

Did anyone think about the possibility that the laptop is on and running the host side of a program like remote desktop allowing the actual keystrokes to be transmitted in real time to the other “test” computer and processed via a simple script? If that was the case…he could have walked out of one building…across the parking lot…into another building and into a Faraday sealed monitoring room and everything shown in the video would still look the same. I am just saying.

Hello, I just became part of this forum and I love the contribution of this community.

I would like to make a contribution of my own by posting a site I created informing users about computer repair. Online Computer Services

Also, this is worth taking a look at – Online Computer Services

There is lots of information regarding computer repair techniques and what one should do when prompted with certain instances.

Who knows where to ascertain a detach cardsharing server?
I bought a dreambox the other date, Setup CCcam. I’ve heard that Digital Vortex Cardsharing to be the get the better of situation on the reticle to perceive cardsharing resources.
They’ve got the emu toolbox, instal gbox-cccam.
With cardsharing being free, all needed is a free server.

Tamagotchi and the knock-off brands of digital pets. I remember people playing with these things obsessively in middle school. They were popular around 1998.

.