Black Hat 2009: Powerline and optical keysniffing
posted Jul 29th 2009 2:11pm by Eliotfiled under: cons, laser hacks, peripherals hacks
The 2009 edition of the Black Hat security conference in Las Vegas has just begun. The first interesting talk we saw was [Andrea Barisani] and [Daniele Bianco]‘s Sniff Keystrokes With Lasers/Voltmeters. They presented two methods for Tempest style eavesdropping of keyboards.
The first attack was against PS/2 keyboards. Inside the PS/2 cord, the data line isn’t shielded very well from the ground line, so all data could end up being transmitted back to the building’s electrical ground. The clock signal is also very slow compared to other signals generated by the computer. At about 10-16.7kHz, it should be easy to sample and filter out of the ground noise. They decided to monitor the ground line in an outlet 20meters from the keyboard in question. They used a ~150ohm resistor between the electrical ground and their reference ground. The reference ground was the building’s plumbing and is used to determine what’s actually noise in the electrical ground. They measured the voltage drop across the resistor and used finite impulse response to act as a bandpass filter for 1-20kHz. They were easily able to pick up the keyboard’s signal. It worked so well that they built a remote monitoring board that uses an AVR ATxmega128A1 to do the sampling and send the data over ethernet. In closing, they noted that USB uses differential signaling which should negate any leakage but the processor is more intensive and may end up being easy to pick up. They also stated that many ATMs are probably using PS/2 style keypads that leak this information.
For the second part of their talk, they covered using lasers to collect keystrokes. They pointed a laser at the back of a laptop lid and recorded the resulting vibrations just like a normal laser mic (closer to the hinge provided a cleaner signal). One of the first things they noticed was that the spacebar, being physically larger, created a very distinct signal that was much larger than all others. They used this information to determine where word breaks were. By comparing the captured waveforms to each other using dynamic time warping, they could determine the letter patterns. They then used these sequences with a dictionary to figure out what words had the same pattern and made sense in the same order. It worked quite well and they said it would go much faster if you can guess the context. They mentioned that logos on laptop lids were very reflective and worked well even in daylight and through glass.
You can find whitepapers and example code on their site.
*pulls out tin foil hat
neat stuff!