Data theft using crosstalk to ground?

This was all over Slashdot this morning:


Do I understand correctly that these researchers are pulling the effects of parasitic capacitance off of ground, highly amplifying it and filtering out the non keyboard-originating signals?

Wouldn't the CPU and any other clock-driven components create a sea of noise on the ground plane that would drown out the keyboard signals? Wouldn't they have to sample those ground signals at at least twice the CPU clock rate (Nyquist, etc) ?

Ideas, anyone?

Reply to
Doug B.

You can avoid aliasing in your sampling by using an analog low-pass filter before your ADC. However, you may still have to contend with aliasing occurring as a result of non-linearities in the transmission.

Their keyboard method sounds to me like it probably works on traditional (PS/2) style keyboards but would probably be much more complicated on USB keyboards where the data is encoded in USB packets.

Their laser-microphone method could probably be defeated by recording a sound file of random keystrokes and having the computer play that through speakers while performing critical tasks.

Reply to
cs_posting
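The question in the original post (does CPU noise swamp the keyboard signal, and must one sample at twice the CPU clock?) and cs_posting's anti-alias point can be checked with a constructed simulation. This is an added example, not code from the thread: it leaks a PS/2-rate frame stream into (a) broadband noise at twice its amplitude and (b) an in-band random bit stream at 1.5x its amplitude, then decodes with a bit-period averaging filter; the bit rate, sample rate and amplitudes are assumed values. The point for a defender is that broadband hash averages out, so a masking countermeasure (random keystroke audio, piezo noise) has to sit in the same band as the leak.

```python
"""Constructed simulation: a PS/2-rate bit stream leaking into a noisy line,
decoded with a bit-period matched filter, under two kinds of interference:
broadband Gaussian noise and an in-band random NRZ masking stream."""
import random

BIT_RATE = 12_500        # typical PS/2 clock in Hz (assumed value)
SAMPLE_RATE = 1_000_000  # ADC rate after an analog anti-alias filter (assumed)
SPB = SAMPLE_RATE // BIT_RATE   # samples per bit (80)
LEAK = 1.0               # amplitude of the leaked bit stream, arbitrary units

def ps2_frame(byte):
    """PS/2 frame: start bit 0, 8 data bits LSB first, odd parity, stop bit 1."""
    data = [(byte >> i) & 1 for i in range(8)]
    parity = 1 - (sum(data) & 1)
    return [0] + data + [parity, 1]

def bit_stream(scancodes):
    bits = []
    for code in scancodes:
        bits.extend(ps2_frame(code))
    return bits

def matched_filter_ber(bits, noise_sigma=0.0, mask_amplitude=0.0, seed=1):
    """Send NRZ levels (+/-LEAK) through broadband noise and/or an in-band
    random NRZ mask, then integrate-and-dump over each bit period and slice
    at zero. Returns the bit error rate."""
    rng = random.Random(seed)
    mask_bits = [rng.choice((-1, 1)) for _ in bits]   # independent masking stream
    errors = 0
    for i, b in enumerate(bits):
        level = LEAK * (1 if b else -1)
        total = 0.0
        for _ in range(SPB):
            total += level + mask_amplitude * mask_bits[i] + rng.gauss(0.0, noise_sigma)
        errors += (1 if total > 0 else 0) != b
    return errors / len(bits)

def compare(n_frames=200):
    """Broadband noise at 2x the leak amplitude vs. in-band masking at 1.5x."""
    rng = random.Random(7)
    bits = bit_stream(rng.randrange(256) for _ in range(n_frames))
    return {
        "clean": matched_filter_ber(bits),
        "broadband_2x": matched_filter_ber(bits, noise_sigma=2.0 * LEAK),
        "in_band_1.5x": matched_filter_ber(bits, mask_amplitude=1.5 * LEAK),
    }

if __name__ == "__main__":
    for name, ber in compare().items():
        print(f"{name:14s} BER = {ber:.3f}")
```

Averaging 80 samples per bit gains about 9x in amplitude against white noise, so the broadband case decodes almost error-free, while the in-band mask at 1.5x the leak amplitude drives the error rate to roughly 50%.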

Yeah. It's for the tinfoil-hat crowd.

Good Luck! Rich

Reply to
Rich Grise

That seems to be what they're saying, but I'd agree with you that the likelihood that you could pull out the keyboard signals from the millions of other signals being generated is probably pretty close to zero.

From the article: "In the power-line exploit, the attacker grabs the keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say."

Yeah, right...

Eavesdropping by bouncing lasers off of windows has been around for many years, and it can work... but also not very well: The adjustments are quite touchy, and you often have to do a fair amount of filtering to get anything resembling recognizable voice on the audio due to everything else that's vibrating the glass. Still, I saw this demonstrated a couple decades ago, so perhaps a lot of that filtering/voice recovery can now be automated with a PC running adaptive filters.

---Joel

Reply to
Joel Koltner

I imagine it's possible in clean room ideal conditions. But how would someone pull this off in the real world? Especially since most browsers remember passwords, the chances of you typing in a password these days are quite low.

Reply to
a7yvm109gf5d1


They do if you're daft enough to let them!

--
Best Regards:
                     Baron.
Reply to
Baron

[snip]

Yep. And I've seen offices with little piezo transducers stuck in the middle of each window. To inject white noise, no doubt.

Once we know where the vulnerabilities are, it takes orders of magnitude fewer dollars to plug the leaks than the technology to exploit them costs.

--
Paul Hovnanian     mailto:Paul@Hovnanian.com
------------------------------------------------------------------
Life is like a buffet. It's not very good but there's plenty of it.
Reply to
Paul Hovnanian P.E.

Their example of a hotel room is silly, for starters; people use notebooks when travelling, so the method does not apply. And most external keyboards and mice are USB or wireless now, which is a different kettle of fish.

The laser keyboard vibration thing is baloney, you'd have to calibrate the system for each individual keyboard and person combo, and even then the variations in practice would be horrendous.

Dave.

--
================================================
Check out my Electronics Engineering Video Blog & Podcast:
http://www.alternatezone.com/eevblog/
Reply to
David L. Jones

Maybe they need *two* layers of tinfoil?

Reply to
Robert Baer

It's simple enough to test. Record the sound of yourself typing and see what you can retrieve from the analysis. Don't need no steenking lasers to do that much.

Reply to
MikeWhy

(And if you get that working well enough, maybe market the first completely inert remote keyboard. Just about every PC has a serviceable sound card.)

Reply to
MikeWhy

Not that I believe any of this tinfoil bait, but for spooks to get information they wouldn't necessarily have to know a priori which keys made which sounds. If there indeed were a difference, one can deduce the keys by their frequency and order. That said, I expect to see this on one of the TeeVee spook shows in the next couple of weeks.

Reply to
krw

Apparently so, at least that's how I read their claims.

This sounds like the modern versions of Tempest, where a van outside a building could receive a signal from a CRT from not only the horizontal and vertical sync signals it inadvertently transmits, but also from the variations in CRT beam current as it displays info on the screen. Thus there were "secure" CRT terminals made with a great amount of electrostatic shielding built in.

In the '90's I read (in some trade mag, maybe EE Times or Electronic Design) about decoding what instructions a processor (as in a microcontroller with built-in, external-read-protected code ROM) was executing by reading the current draw in the VCC pin, which apparently had a unique value for each instruction.

I would certainly think so, and most especially the switching power supply would 1. insert its own relatively large level of hash and noise, 2. have substantial filtering (the input rectifier capacitor, the output switching-rectifier capacitors, AND the EMC filter at the power entrance) so that what goes on inside it, and what goes on on the computer side don't easily get sent out the power cable as EMI.

Even so, the CPU may be executing loops that generate signals at the frequencies of the keyboard bitrate. I can't think of why the keyboard signal would be any more easily identifiable than any of the other signals going on inside and into and out of a PC.

This is all "plausible" in a Mission Impossible way, but I'd have to test it out myself and see it to truly believe it.

I suppose, like the not-well-shielded CRT, these are "compromising emanations" and fall under the TEMPEST buzzword. Google easily brings up relevant links:


Reply to
Ben Bradley


Not the primary CPU, but the chipset's functional equivalent of the (8049?) keyboard-supervising microcontroller from the original PC. The main CPU never sees the serial bits.

Because it's a serial bit stream slower than most of the others, and goes through a longer wire.

Reply to
cs_posting

On USB keyboards?

--
You can't have a sense of humor, if you have no sense!
Reply to
Michael A. Terrell

The exploit probably does not work on USB keyboards.

Reply to
cs_posting

It would be difficult to pick it out of the dozen other USB devices, anyway. :)

--
You can't have a sense of humor, if you have no sense!
Reply to
Michael A. Terrell

Keyboard I/O and display retrace were what the Gubmint Tempest boys were put to work to mute.

On the old standard I/O keyboards from the AT days, one could read your keystrokes from 150 feet away, with the right equipment.

With USB, it would be similar, except that the interface standard uses smaller signals than the AT boys did, and the cables are probably better shielded.

LCDs do not have retrace to capture, so screens are safer now than they were then, but they are still very wary of emissions, and the Tempest compliance specs are still in place.

A keyboard would be easy to pick out from ALL other USB devices because of the fact that its signals would have easily identifiable characteristics about it. Even a mouse has far more data than a simple keyboard that only feeds a word when a key is pressed, and only feeds a specific set of "words".

Reply to
AwlSome Auger

I'm not a crypto freak but even I once played with tuning an AM radio into the noises generated by an early computer and listening to the changes caused by various types of operation.

I picked up various timing loops but I was amused at picking up keystrokes and disk drive activity.

That was about 30 years ago before switching PS's.

Reply to
Greegor

Back in the day, there was a Digital Group demo (on Suding format audio tape, of course) that would "play" The Stars and Stripes Forever over AM radios (*all* over the AM band) by chugging through different loops that were tuned to audio frequencies. All while drawing an ASCII-art flag on the 64 X 16 monitor. Ahh, those were the days!

--
Rich Webb     Norfolk, VA
Reply to
Rich Webb
