Researchers find ways to sniff keystrokes from thin air
That PC keyboard you're using may be giving away your passwords. Researchers say they've discovered new ways to read what you're typing by aiming special wireless or laser equipment at the keyboard or by simply plugging into a nearby electrical socket.
Two separate research teams, from the Ecole Polytechnique Federale de Lausanne
and security consultancy Inverse Path
have taken a close look at the electromagnetic radiation that is generated every time a computer keyboard is tapped. It turns out that this keystroke radiation is actually pretty easy to capture and decode -- if you're a computer hacker-type, that is.
The Ecole Polytechnique team did its work over the air. Using an oscilloscope and an inexpensive wireless antenna, the team was able to pick up keystrokes from virtually any keyboard, including laptops. "We discovered four different ways to recover the keystroke of a keyboard," said Matin Vuagnoux, a Ph.D. student at the university. With the keyboard's cabling and nearby power wires acting as antennas for these electromagnetic signals, the researchers were able to read keystrokes with 95 percent accuracy over a distance of up to 20 meters (22 yards), in ideal conditions.
Laptops were the hardest to read, because the cable between the keyboard and the PC is so short, making for a tiny antenna. The researchers found a way to sniff USB keyboards, but older PS/2 keyboards, which have ground wires that connect right into the electric grid, were the best.
Even encrypted wireless keyboards are not safe from this attack. That's because they use a special algorithm to check which key is pressed, and when that algorithm is run, the keyboard gives off a distinctive electromagnetic signal, which can be picked up via wireless.
Vuagnoux and co-researcher Sylvain Pasini were able to pick up the signals using an antenna, an oscilloscope, an analog-digital converter and a PC, running some custom code they've created. Total cost: about US$5,000.
Spies have long known about the risk of data leaking via electromagnetic radiation for about 50 years now. After the U.S. National Security Agency found strange surveillance equipment in a U.S. Department of State communications room in 1962, the agency began looking into ways that radiation from communications equipment could be tapped. Some of this research, known as Tempest
, has now been declassified, but public work in this area didn't kick off until the mid-1980s.
The idea of someone sniffing out keystrokes with a wireless antenna may seem ripped from the pages of a spy thriller, but criminals have already used sneaky techniques such as wireless video cameras placed near automated teller machines and Wi-Fi sniffers to steal credit-card numbers and passwords.
"If you are a company using highly confidential data, you have to know that the keyboard is a problem," Vuagnoux said.
If pulling keystrokes out of thin air isn't bad enough, another team has found a way to get the same kind of information out of a power socket. Using similar techniques, Inverse Path researchers Andrea Barisani and Daniele Bianco say they get accurate results, picking out keyboard signals from keyboard ground cables.