Black Hat 2009: Powerline And Optical Keysniffing

sniff

The 2009 edition of the Black Hat security conference in Las Vegas has just begun. The first interesting talk we saw was [Andrea Barisani] and [Daniele Bianco]’s Sniff Keystrokes With Lasers/Voltmeters. They presented two methods for Tempest style eavesdropping of keyboards.

The first attack was against PS/2 keyboards. Inside the PS/2 cord, the data line isn’t shielded very well from the ground line, so all data could end up being transmitted back to the building’s electrical ground. The clock signal is also very slow compared to other signals generated by the computer. At about 10-16.7kHz, it should be easy to sample and filter out of the ground noise. They decided to monitor the ground line in an outlet 20meters from the keyboard in question. They used a ~150ohm resistor between the electrical ground and their reference ground. The reference ground was the building’s plumbing and is used to determine what’s actually noise in the electrical ground. They measured the voltage drop across the resistor and used finite impulse response to act as a bandpass filter for 1-20kHz. They were easily able to pick up the keyboard’s signal. It worked so well that they built a remote monitoring board that uses an AVR ATxmega128A1 to do the sampling and send the data over ethernet. In closing, they noted that USB uses differential signaling which should negate any leakage but the processor is more intensive and may end up being easy to pick up. They also stated that many ATMs are probably using PS/2 style keypads that leak this information.

For the second part of their talk, they covered using lasers to collect keystrokes. They pointed a laser at the back of a laptop lid and recorded the resulting vibrations just like a normal laser mic (closer to the hinge provided a cleaner signal). One of the first things they noticed was that the spacebar, being physically larger, created a very distinct signal that was much larger than all others. They used this information to determine where word breaks were. By comparing the captured waveforms to each other using dynamic time warping, they could determine the letter patterns. They then used these sequences with a dictionary to figure out what words had the same pattern and made sense in the same order. It worked quite well and they said it would go much faster if you can guess the context. They mentioned that logos on laptop lids were very reflective and worked well even in daylight and through glass.

You can find whitepapers and example code on their site.

21 thoughts on “Black Hat 2009: Powerline And Optical Keysniffing

  1. May I ask where one might acquire a laser ray gun, a tin foil hat and a suit of shining armor?
    On a similar note, does anyone know the directions to Hubert Farnsworth’s laboratory?

  2. everybody laughed when I built a server room *under* my bunker under my basement – … but who’s laughing now?

    (I don’t know who’s laughing because I can’t hear them when I’m typing in my server room three stories deep.)

  3. @tjhooker: If the ATM is using RS232 for the serial link then it’s probably just as vulnerable. RS232 is not differential either.
    It could even be more vulnerable as the baud rate has to be tightly regulated, meaning you can make your bandpass filter that much narrower.

  4. So pretty much every commercial building in the us has a power outlet or a water valve on the exterior of the building. Keeping that in mind, a small wireless box/device could be hidden under the cover and locked via the cover and data accessed covertly from a nearby vehicle or building? SWEET! I can’t wait to read the first article about someone taking advantage of this.

  5. Hmm, the whole thing does sound a bit farfetched, you’d have to get access to the power outlet near the computer and access to a ground 20 yards away to do this, but then why bother with such complex trickery if you have such access?
    It’s interesting as concept though.
    As for the laser mic, they should get a stereo signal, to determine position of the typing, preferably using only one laser to make it challenging :)

  6. @last post. Did you miss something between the article and my last post? The hack runs over the ground wire. Ground wires can be, or are generally attached to the plumbing due to their conductivity and path to the earth. 20 yards from an exterior water valve to an outlet is very feasible provided their hack works efficiently. Not to mention the fact that the hack could probably use some refinement and fine tuning to pull signals better.

  7. @nes: I’ve only been inside a few newer kiosk ones and one of the large housed ones that run embedded XP. The main board has no moduler sockets just pin headers so I couldn’t tell.

    The large ones at banks are well insulated and connected off the meter of the bank and bank phone lines. I think some use satcom, but most use vpn or some leased line metronet or whatever on custom protocols.

    I think this is as possible as inductor phone taps have been for decades.

  8. As an electrician, knowing how so many “electricians”, be them backyarders, self-accredited, or even ‘real’ ones who have “always done it that way”, dont understand the NEC code, let alone grounding…dont even get me started on neutrals, shared neutrals (ever see 200+ volts in a home from a shared neutral that came undone?)

    I guarantee unless this is done at an ATM in the middle of nowhere (meaning a gas station on its own node, no other buildings around), you could have an amazing amount of power running through ground, or high ground potential without tripping anything. Good luck hooking up anything to it.

    As far as Las Vegas being built by good electricians, I was at Defcon 19 (2011) and have TONS of pictures of things that I’m surprised havent killed anyone yet.

    I work in an old building, this is a common problem I deal with daily. I dont think we’ll ever find all of the faults.

    While this concept is amazing, and something I’d NEVER think of, I’ll put it on my “I wish” shelf.

Leave a Reply to TJHookerCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.