Remotely Eavesdropping on Keyboards

Clever work:

The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They’ve outlined four separate attack methods, some that work at a distance of as much as 65 feet from the target.

In one video demonstration, researchers Martin Vuagnoux and Sylvain Pasini sniff out the keystrokes typed into a standard keyboard using a large antenna that’s about 20 to 30 feet away in an adjacent room.

Website here.

Posted on October 23, 2008 at 12:48 PM

Comments

Matt Simmons October 23, 2008 1:25 PM

Toggle switches on the front panel, anyone?

Seriously though, tempest isn’t new. If it’s been possible for a long time to decode video, keyboard traffic shouldn’t be too difficult.

Alan October 23, 2008 1:32 PM

It does sound like an escalation of tempest.

What sort of shielding would prevent this? Is it beyond the capabilities of the average hardware hacker?

A nonny bunny October 23, 2008 1:38 PM

Wouldn’t a Faraday cage always work in such situations?
Or you could transmit noise on the same frequency.

Clive Robinson October 23, 2008 1:49 PM

This is very very old hat stuff.

If you think back to the 1980’s Van Eck scared a lot of people with his sync regeneration system.

In the 1990’s I developed a microwave system using 10 GHz traffic radar equipment that could lift active signals of smart cards like the digital wallet systems. I extended this to read data from plastic tamper proofed hand held gambling boxes.

And I passed some info on this over to Ross Anderson at the Camb Labs, when he was looking at self synchronising logic to try to get around Power Supply Analysis issues.

And as far as I’m aware some of his students practiced with VHF sources and PC keyboards, getting the RF signal re-modulated by the keyboard data, which Ross wrote about in his book on security engineering.

As for TEMPEST remember the basic rules are,

1, Limit the signal power
2, Limit the available bandwidth.
3, Clock your data inputs
4, Clock your data outputs
5, On any error abort and re-start.

The first two have been known about for years and are also the basis of EMC specs.

The last three help stop information leak by time based side channels etc.

There are some other less known rules but those cover 90% of what needs to be done.

Aoi October 23, 2008 2:21 PM

I remember some of this from “Cryptonomicon” by Neal Stephenson, and more from other sources. The solution is simple: do your computer work underground on a remote island populated with vicious beasties (think Lost, but without the “Others”). That might be somewhat secure.

Dom De Vitto October 23, 2008 2:25 PM

This has to be, once you’ve got a working van-containable rig, the easiest way to get login credentials.

If you’re quick/automated, you could even login to someone’s internet banking – by sniffing the keystrokes, and hitting ‘submit’ before they do… 🙁

That would even bypass use of chip-n-pin authenticators, or other OTP devices 🙁

I best get my shielded, fibre-tailed keyboard out from the cupboard… 🙂

Dom

fuchikoma October 23, 2008 2:46 PM

Another reason I dream of building a computer/theatre room in a soundproofed Faraday cage, with filters on any power or network lines going outside the cage. :/

Ideally that shouldn’t even be a concern, but… when is reality ideal?

RH October 23, 2008 2:52 PM

@fuchikoma not filters – one filter. just get a big granite flywheel, motor, and a generator on the other side. Lowpass to the EXTREME, on a DC signal =p

And remember “The only computer that is truly safe is disconnected from the network, powered down, unplugged, buried in a concrete lined bunker with armed guards 24/7… and even then I’d check it every once in a while.” I think that was Mitnick

RH October 23, 2008 2:53 PM

Also, I saw this yesterday, and I was wondering if they didn’t just make their life easier by removing the computer… how much interference did they remove from the system?

bob October 23, 2008 3:22 PM

@Bob: but that’s the transmission data path, what about signals generated internally to the keyboard, before they’re encrypted? At some point very close to the keyswitch, an “A” is always going to be an “A”.

I remember in the ’70s they were able to decode IBM Selectric (electromechanical; no semiconductors at all) typewriter emanations.

A faraday “keyboard condom” similar to those spillproof types should stop it.

James October 23, 2008 3:22 PM

@Bob,

If you remember back, there is also a demonstrated attack that profiles the unique sound profile each key strike makes to determine what you typed.

The paper by Li Zhuang, Feng Zhou, and Doug Tygar, “Keyboard acoustic emanations revisited” was written in 2005 and got a lot of press at the time.

MailDeadDrop October 23, 2008 3:55 PM

Given that the first test’s test phrase is “Trust no one”, and that in both tests curiously the detection apparatus seemed to know precisely how many characters were pressed in the test (i.e. it knew when to stop), I’m inclined to believe this is a hoax.

Clive Robinson October 23, 2008 3:59 PM

@ James, bob,

Speaking of remembering back…

Did either of you read the redacted copies of the NSA house magazine that were released not so long ago (copies held at cryptome.org)?

There was one on TEMPEST and the only bits redacted that were of great curiosity were those to do with seismographs?

So NSA can read vibrations through the ground…

So when we say “limit energy in the signal” remember not to hit the keys too hard as it’s not just sound energy you are creating but little earthquakes 8)

rubberman October 23, 2008 4:32 PM

In the late 70’s a friend of mine with an MS in Physics got a job with Zenith, and one of his first projects was to design a Tempest-compliant terminal. Analysis showed that the cable between the keyboard and system box was the biggest vulnerability. He solved that by using a passive light source in the keyboard and fiber-optic cable to the CPU. The keys were basically shutters that broke the light source transmitted to the decoder in the heavily shielded system box. His claim to fame in this was the fact that he built the complete prototype in 90 days that passed the full Tempest suite on the first try.

Clive Robinson October 23, 2008 5:11 PM

Although the articles do not say how the eavesdropping was accomplished, certain assumptions can be made.

First off it is known that most PC keyboards have a microcontroller that scans an array of wires internal to the keyboard that are connected to the individual keys.

What is not generally known is that if you put a squarewave signal onto a conductor it acts like an antenna and will effectively couple a harmonic of the scanning signal into free space as either a voltage or current wave depending on if there are no closed keys on the line (voltage) or a key closed (current).

These waveforms can be easily picked up with an appropriate antenna adjacent to the keyboard. The use of three orthogonal bar type antennas will allow directionality and other discrimination to be used.

However the key scan signal for various reasons is not the signal of choice for eavesdropping on an old style PC keyboard (although it may be the only option for laptops and USB keyboards).

In the old style (PS/2 and before) keyboards, when the keyboard microprocessor detects a key press it repeatedly re-scans the key to remove keybounce and to detect if the user wanted multiple key presses sent to the PC. The microprocessor would encode the key pressed information from the key matrix and then send it off via the keyboard lead to the PC every 18 ms or so via just a couple of wires as a serial data signal.

This serial data signal is very well documented and fairly easily found on the Internet along with other info about connector pin information etc.

Now this serial data is a nice juicy logic level signal with quite a bit of oomph behind it traveling down a lead that is probably between 0.75 and 3.0 meters. In some cases the lead is not coiled (ie short cable lengths) and in others it is (long cable lengths).

In both cases the lead is essentially a tuned antenna tuned to the VHF or HF bands. Now the squarewave is not only rich in its normal harmonics, it has another interesting property…

Due to the fact that the keyboard lead can be used as a transmission line its characteristics are affected by whether it has an open or closed termination on either end of the cable.

Due to the nature of the transmission line and the fact that both the transmitter and receiver are digital logic, the transmission line undergoes significant impedance changes during signal transition which encourages bursts of energy to be radiated on the signal transitions (high to low or low to high).

Further the signal signature will reveal which way the signal has gone.

So far this has assumed a passive eavesdropping attack.

There is also the possibility of an active attack as well.

The keyboard cable as noted earlier is effectively a transmission line that is incorrectly terminated with load and source impedances that change with the application of a signal.

This means that it can be viewed as either a quarter-wave or half-wave antenna. Placing such an antenna in a low power RF field at or near the resonant frequency of the antenna produces some oddly interesting results. As the signal on the transmission line changes state so does the impedance of the line; this has the effect of AM/PM modulating the RF field, which can be relatively easily picked up with a low cost receiver.

Likewise the key matrix can also be actively scanned in this way.

As for range I would guess that an active attack on the keyboard to PC lead would be capable of meeting the 20 meter (65 ft) range quoted.

In most cases the speed at which either the key matrix is scanned or the key data transitions puts the signal entirely within the capabilities of a low cost scanning receiver which could be purchased for a couple of hundred dollars new…

The design of the antenna is something else that needs to be considered but three loop antennas mounted orthogonally with an appropriate combiner should give acceptable results.

The hard bit is then interfacing the signal on to a PC for further processing to reveal the key pressed.

S October 23, 2008 9:45 PM

Our drive unlock defeats all this stuff hands down. We tested it on a bunch of different spyware programs and listening would not make any difference. The drive itself is the best of all, though.

Kermit the Bog October 23, 2008 9:47 PM

Audio analysis of handwriting by Yurpen I. Slowd in 2007 found that by listening to the individual pen strokes with a powerful microphone you can determine what is being written from distances of over 20m. So yes, they can pick up your writings with a quill pen…

Brian Ronald October 24, 2008 12:05 AM

MailDeadDrop beat me to it. I, too, think it’s odd that the decode programs knew when to quit. In fact, I think it’s odd that they did quit.

Gweihir October 24, 2008 5:35 AM

I am not surprised this is possible. While I do not know the researchers personally, EPFL has an excellent reputation and this is likely genuine. I am looking forward to the paper.

As to how this can be done, easy: PS/2 and USB transmit a digital signal (read: lots of spikes can be detected nearby from the flanks) in sync with an oscillator in the keyboard. The same thing happens with the matrix-scan done for the keys by the microcontroller in the keyboard. I would think picking up the matrix signal is easier, but the PS/2 and USB signals may be feasible as well.

The oscillator is running very precisely and you can sync to it after a calibration period. You can then look for signal spikes with the right distance. Especially if a ceramic resonator (and not a crystal) is used, there will be measurable variation between keyboards (resonators are cheaper, but less precise than crystals), and it may even be possible to separate signals from different keyboards.

Countermeasures? Simple: Better shielding for cable and keyboard. This may mean metal key tops and a metal keyboard case, as well as a metal hose around the cable.

Clive Robinson October 24, 2008 6:14 AM

@ Paul Blue Spruce,

“It’s always the other guy who thinks of it first, huh?”

It depends on what you mean by first…

Since the days of the Van Eck attack on VDUs that made big news all over the world (and again this was not news then as the BBC detector vans did a similar thing) anyone that cared to know would have realised that electronics in its various forms not only radiates energy, but importantly the energy contains information that is intelligible to those with the wit or tenacity to produce the method.

But even as far back as WWII it was known that the German anti spy forces used radio DF to locate the local oscillator in spy radio sets from many miles away.

As I noted the getting of information from computer keyboards is very old news. I have done similar things but did not consider what I was doing was new but novel…

And that may be the case with what these bods have done.

That is, the method used may be a new way of doing what has been done before.

The only problem is as they have not published their methods we don’t know if they have re-invented the wheel, or come up with another geometric shape that will do the same job…

@ ALL,

Oh which reminds me, I was dog tired last night when making my above posts and I forgot to mention that, aside from attacks directed against either the key scan matrix or the serial transmission line from the keyboard to the PC, you can of course use a bunch of techniques against the keyboard CPU itself.

That is the CPU has logic circuits driven by a clock that usually runs in the low megahertz (MHz) range.

Two things arise from this, which are energy consumption and radiation. From attacks against smart cards we know that these attacks are both quite devastating and more importantly very difficult to stop.

Now a keyboard has a couple of added problems over smart cards,

1, it needs to be manufactured for just a few cents.

2, it has a long lead by which power is supplied to it.

The consequence of 1 is that EMC protection will be at a minimum, that is no shielding plates and very few decoupling caps or inductors. That means that the bandwidth available to unwanted emanations is likely to be high…

Further another consequence of 1 is that the CPU chip used is going to be just about the cheapest possible, which has two further effects: the first is that it is more likely to radiate signals, the second is that the software will not have been written with emission security in mind.

So it is quite likely that a high frequency signal (ie it needs a short length of radiator to act as an antenna) carrying information is available to leak via any available “side channel”.

Which brings me on to the consequence of 2: both the serial data signal and the power share this lead, and as a consequence of 1 it is likely to be the cheapest cable that will do the job so may well be unshielded (copper is expensive, as is aluminium foil).

Further not only will the wires in the cable provide suitable radiators, it is likely that due to EMC requirements at high frequency they will be effectively open circuit to RF at the PC end. Add into that the lack of decoupling caps and isolating inductors in the keyboard and it is very likely you have your radiating mechanism or TEMPEST side channel.

Now there is a little fly in the ointment as it were, which is “meeting the EMC specs”. Well there are two basic ways to do this,

A, add more decoupling and isolating components.

B, employ spread spectrum techniques.

As noted above the consequence of 1 is that option A is not likely.

Which leaves option B. Now it is not known to many people but motherboard manufacturers have been employing spread spectrum techniques for quite some time to meet EMC requirements so it is to them a well understood methodology. You will actually find its use being required in CCITT specs for data equipment connected to public communications networks (ie the good old fashioned modem).

Essentially what it does is to spread the “interfering signal” energy across the band and thereby lower the energy / Hz which the EMC masks set.

The bods who wrote the paper may have realised that the very very simple spread spectrum methods used are easy to correlate, thus effectively reconstituting the original interfering signal at its original energy, thus lifting it out of the normal receiver noise floor.

If this is what they have done then yes it is the application of old techniques to a known problem in a new and novel way, which would (possibly) be worthy of an academic paper. But until we see it we won’t know…

Clive Robinson October 24, 2008 7:23 AM

Oh and whilst I remember there are a couple of other techniques you can use to lift a signal out of the noise: one works in the time domain, the other in the frequency domain (and yes I am aware of others that work in the sequency domain but they really are not talked about in any scientific circles yet…)

The time domain attack is well known and was used to improve attacks against power supply noise on smart cards. Basically you find a reliable sync signal and then use that to trigger multiple readings against your target. You then “average out the noise”. You can actually buy measurement threshold extenders to do this for existing time domain instrumentation so it is a well tried and tested technique.

You can do a similar “averaging out the noise” in the frequency domain. What you need to understand is that digital logic generates a “comb of frequencies” at all the harmonics of its fundamental signal. So if you knew that the oscillator ran at 1MHz then you could have receivers at all multiples of 1MHz up to daylight. You then take the output of all these receivers and average them together to give the original signal. However this is not the way you would do it in practice; what you would do would be to have a wide band antenna followed by a wideband very low-noise amplifier and feed it into two double balanced mixers driven by 1MHz orthogonal signals. You would then take the two orthogonal baseband signals and stick them into a digital signal processor and extract the wanted signal out (this is something I suggested to the bods over at the Cambridge labs to improve their rather good improvement on the Van Eck attack they did with a low cost DSP board). You can find out more by looking at Software Defined Radio articles.

Now as some of you may be aware there are various “domains” in the world of signals.

The one most know is the “time domain” which you would use an oscilloscope to display (X axis = time, Y axis amplitude) or a time based averaging system to pull signals out of the noise, and many modern digital oscilloscopes have such facilities.

Next there is the “frequency domain”; you would use a spectrum analyser (X axis = frequency, Y axis = RMS energy). As discussed above it is possible to sync up to a fundamental and average the energy around the harmonics to provide a good baseband signal.

Next there is the “sequency domain”. This is the digital analogue of the frequency domain. Basically there are known digital waveforms which are related to each other that cross the x axis in the time domain at multiples of the base square wave (basic Walsh functions); they are derived by XOR-ing the fundamental square wave with square waves at its normal harmonics. As in the frequency domain there are specialised analytical techniques, the most commonly known being the Fast Fourier Transform (FFT); well there is an equivalent in sequency space which is the Fast Walsh Transform (FWT). Well unlike the FFT twiddles there is no mucking about with floating point mathematics, the FWT only multiplies by +1 or -1, is easy to implement in hardware and is very very fast. It is an area which has not received the research it deserves. What is known is that both the UK GCHQ and the US NSA recruit a lot of specialists in this area.

Next there is the new kid on the block, the “wavelet domain”. I won’t bother going into it but it is being used as the basis for “Ultra Wide Band Radio” which you will hear a great deal more about in the next couple of years. Needless to say if you have theoretical knowledge in this area both GCHQ and NSA would be quite interested in seeing your C.V. and chatting to you about the benefits of Government service.

What you need to understand is, that as far as EmSec (what TEMPEST now is) is concerned each domain inherits techniques from the previous domain and adds new ones of its own. And importantly it is the lack of human not technical resources that is slowing these areas of investigation down.

That is, side channel attacks in the “time domain” also work in the frequency domain. The frequency domain has attacks of its own that do not apply to the time domain but do carry on into the sequency domain. Likewise the sequency domain inherits from both the time and frequency domains and adds new tricks of its own.

The question is what new techniques do the sequency and wavelet domains have that the non governmental security community are not yet aware of (or have not bothered to yet investigate).
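The sequency-domain paragraph above leaves the reader to take the Walsh functions and the Fast Walsh Transform on trust. The Python below is an added example for this page, not code from the post, its commenters or the EPFL researchers: it builds the base square wave and its 2^k-rate relatives (Rademacher functions), forms Walsh functions as their products (the ±1 equivalent of the XOR the comment mentions), and implements the fast Walsh-Hadamard butterfly using nothing but additions and subtractions on integers. All function names are mine, and the noisy input in the demo is constructed, not captured from any device.

```python
import random


def rademacher(k, n):
    """Square wave of +1/-1 with period 2**(k+1) samples over n samples.
    k = 0 is the fastest wave (the base square wave sampled at the highest
    rate); each higher k halves the toggle rate."""
    return [1 - 2 * ((j >> k) & 1) for j in range(n)]


def walsh(i, n):
    """Walsh function i in Hadamard (natural) order over n = 2**m samples.
    XOR-ing 0/1 square waves is the same as multiplying their +1/-1 forms,
    so Walsh function i is the product of the Rademacher waves whose index
    bits are set in i."""
    w = [1] * n
    k = 0
    while i:
        if i & 1:
            w = [a * b for a, b in zip(w, rademacher(k, n))]
        i >>= 1
        k += 1
    return w


def sequency(w):
    """Number of sign changes: the sequency-domain counterpart of frequency."""
    return sum(1 for a, b in zip(w, w[1:]) if a * b < 0)


def fwht(x):
    """Fast Walsh-Hadamard transform, Hadamard order, unnormalised.
    Each stage is a butterfly (u + v, u - v): no multiplications and no
    floating point, which is why it maps so cheaply onto hardware."""
    a = list(x)
    n = len(a)
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    h = 1
    while h < n:
        for start in range(0, n, 2 * h):
            for j in range(start, start + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def ifwht(x):
    """Inverse transform: the FWHT is its own inverse up to a factor of n."""
    n = len(x)
    return [v / n for v in fwht(x)]


def dominant_walsh_index(x):
    """Index of the Walsh function carrying the most energy in x."""
    coeffs = fwht(x)
    return max(range(len(coeffs)), key=lambda i: abs(coeffs[i]))


if __name__ == "__main__":
    n = 8
    w5 = walsh(5, n)  # rademacher(0) * rademacher(2)
    print("walsh(5, 8) =", w5, "sequency", sequency(w5))
    print("fwht        =", fwht(w5))  # one non-zero coefficient: 8 at index 5
    # Constructed noisy input: walsh(3) plus bounded jitter still decodes to 3,
    # because the jitter can contribute at most 8 * 0.4 to any other coefficient.
    rng = random.Random(7)
    noisy = [v + rng.uniform(-0.4, 0.4) for v in walsh(3, n)]
    print("dominant index of noisy walsh(3):", dominant_walsh_index(noisy))
```

The transform of a pure Walsh function is a single coefficient of value n at that function's own index, which is the sequency-space analogue of a sine producing one FFT bin; `ifwht(fwht(x))` returns `x`, so the pair is lossless.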

greg October 24, 2008 8:52 AM

@Clive Robinson

It is an area which has not received the research it deserves

It has and continues to receive a lot of research hours (both wavelets and WT which are really the same thing IMO). I did my masters on this sort of thing. Perhaps you just mean in an EmSec setting?

In which case the reasoning is easy. It’s expensive to defend against these attacks as well as expensive to mount them. In most cases physical security is already a weaker link (aka locks on the doors). Once you are at the end of the EmSec stuff, your threat model might well be into mafia type attack issues?

greg October 24, 2008 11:10 AM

Well, if it’s keystrokes they want to decipher then no problem, just emulate a sequence of 10,000 random keyboards typing at different rates and emit the signals at the same frequency as your keyboard.

Let them sort that out if they can even decipher a signal that polluted with emissions.

MikeA October 24, 2008 11:14 AM

Spread spectrum for EMI reduction is usually a sham. AFAICT, most manufacturers include it, and enable it to pass certification (if they don’t just forge the cert), and then disable it by default in the BIOS because, surprise, “cost conscious” components with marginal PLLs have high error rates when it’s enabled.
A keyboard in a metal case, with a decent PCB, connected by a shielded cable, and with firmware written by someone who gave a flying fig, would be much harder to snoop, but would fail in a market that buys solely on cost. Which is to say, the current market.
The Military market might be an exception, but I suspect that the money would go toward junkets for generals and congress-critters, not bypass caps and metal cases.

BTW: “See what folks are viewing, from a van” was the premise of an Outer Limits show in the 1950s.

Clive Robinson October 24, 2008 12:52 PM

@ greg,

“Perhaps you just mean in a EmSec setting?”

Primarily.

However the joy of new technology is leaping in with both feet first and not taking an historical perspective.

Most attacks are not new just variations on old ones. And as I noted above each new domain inherits all of the issues of previous domains and usually adds a few of it’s own.

However in most people’s minds new technology suffers from “new technology pixie dust” in that there is a completely unsupported assumption that because it’s new “it’s going to fix all of the problems” with its goodness.
Well experience tells us that 99 times out of a hundred,

new technology = old vectors + new vectors.

For attackers. And we run around afterwards for the next 20 years fixing them (usually so badly we open up more new vectors).

Please don’t think I am against new technology, I’m very much in favour of it. But in the same way I would not dive off a cliff assuming there was sufficient water, I would not design in new technology without a little investigation first. That is, in the same way I check that I understood the tides and currents first and make allowances before I dived, I would run my general classes of attack vector against my design before I went to production.

RH October 24, 2008 11:58 PM

@MailDeadDrop: I was curious about that too, but if you notice, the program is told how many collect on the command line.

And if I remember my Field and Waves correctly, a Faraday cage is designed to keep RF out, but doesn’t necessarily keep RF in. A large enough antenna should be able to pick up the signal resonating from the surface of the Faraday cage.

Kashmarek October 25, 2008 7:04 AM

This is similar to identifying people from a satellite by the shadows of their walking gait…FUD.

Tell me how well they do trying to capture userid/password combinations from a building with 1000 running keyboards when the pair of values is not entered together or in the same order.

Good luck and good night.

Roger October 25, 2008 6:58 PM

I am pretty sure the possibility of this was publicly discussed years ago. I am sure that Kuhn and Anderson’s LCD TEMPEST analysis at least briefly mentioned other radiators, such as network cables and internal buses.

At any rate, some time back then I started putting a choke on my keyboard cables. Unfortunately, like most of this stuff I am unable to measure if this is useful…

@Kashmarek:

Tell me how well they do trying to capture userid/password combinations from a building with 1000 running keyboards

Much the same excuse used to be made about the risk of TEMPEST monitoring of VDUs — until Kuhn and Anderson demonstrated that it was trivial to single out VDUs, because they all have harmonics at slightly different frequencies. Very likely, the same will be true for PS/2 or USB buses.

If the attacker wants a particular keyboard, rather than just any single keyboard, it will be harder — but we’re just talking a little detective work, like correlating signals to when the victim arrives at or departs work.

Of course, a really sophisticated opponent might be able to record many of them at once.

when the pair of values is not entered together or in the same order.

That is not necessarily much help at all. For example, if the password I am looking for can be attacked off-line (e.g. an encryption key), I can just add every single thing you type to my attack dictionary. The amount you type in one day will scarcely slow down the dictionary at all, but if you entered the password on that day, the attack succeeds.

Or, if you are typing out a confidential email, I hardly care if you use the mouse to jump around a bit: even assuming I can’t also monitor the mouse, I will still be able to get the gist of your message from the coherent pieces of text.

Clive Robinson October 25, 2008 10:00 PM

@ Kashmarek,

“Tell me how well they do trying to capture userid/password combinations from a building with 1000 running keyboards when the pair of values is not entered together or in the same order.”

First off, as they have not published (and may yet not due to peer review) we do not know how “they” do it.

However to answer your compound question you first need to accept that you are asking across two entirely separate problem domains.

First off, as far as I can see the researchers are not claiming to be able to pull one keyboard out of thousands at great distances.

Secondly they are not claiming to do any data analysis to show usernames or passwords.

All they appear to be claiming is nothing other than being able to read the keystrokes by compromising emanations at a short to moderate distance (20 meters) which is actually quite pitiful compared to what can be achieved if you want to.

You need to remember Bruce’s comments about “attacks get better with time”, that is they start off as being assumed impossible, become theoretically possible, move on to being just demonstrable, to becoming practical then every day.

In this case the researchers believe they are at the “just demonstrable” stage; the reality is we are way beyond that as I will describe.

To answer the direct parts of your compound question it needs to be split up into three questions,

1, username / password,
2, intercept range.
3, target isolation.

These cover two problem domains.

The first question and problem domain is simply to do with the data intercepted and not the how. With regard to the username / password you need to ask yourself a question,

“Does an attacker actually need the username and password for the CEO’s PA or any other employee for that matter to gain valuable information?”

The obvious answer is not unless they wish to crack into the user’s account, which is these days quite low on the list of things either an industrial spy or penetration tester is trying to achieve. Especially as cracking is an active activity with significant risk of detection and significant penalty if caught and prosecuted, which is quite likely.

Whereas passive eavesdropping (apart from on Government Orgs) is almost impossible to detect, so infrequently prosecuted and the punishment handed out so minimal that it is not really considered a hazard.

And in the case of a CEO’s PA it is likely to be obvious when she is typing up a letter or memo or email, and usually to whom. Therefore it is likely you will have the information before the recipient, and it is extremely timely and therefore of much higher value in an ongoing negotiation etc (which is what a lot of industrial spying is about).

Which brings us on to the second problem domain and its two questions of,

2, intercept range.
3, target isolation.

I suspect the paper submitted (if it is ever published) does not cover these and if the researchers have considered it they are holding it in reserve. And not for any desire to withhold information to prevent practical attacks but simply out of self interest (in which case I’m going to be spiking their guns with this post).

You need to understand a little about modern research publication as to why they may wish to do this.

The old truism about “publish or be damned” is not the only constraint for the success of a researcher these days. Unfortunately it is now more a question of “quantity over quality” unless you have an established name.

This gives rise to researchers “serialising research findings” so rather than one good information or method rich dense paper you get many information light papers spaced fairly rapidly over time. You could call it “sound bite research” in that it gives the researchers’ names more hits in journal and citation databases thus improves their ranking (just like Google hits).

This has consequences where the researcher puts as little into a paper as they think will get it published (or possibly not as is currently the case with their paper).

Which means that you will usually only get a single method or finding given in each paper. Which in some cases is actually an advantage to others, as it gives you the chance to jump in with a “method improving” or “method diversifying” paper of your own (which I strongly suspect is what their paper is).

In this case I’m guessing that the researchers have gone for “method diversification” of work done by Markus Kuhn at Cambridge Labs, and not particularly “improving techniques”, and have basically regurgitated an existing method on a new target and the peer review process has come back saying “insufficient originality” for publication (effectively the equivalent reason why many secondary patents get rejected as “prior art”).

Anyway back to the second problem domain,

The laws of physics work both for and against you on this but interestingly not in a linear way so there are “sweet spots” and “sweet techniques”.

In the case of compromising emissions you have a number of things against you,

The first being that the energy in a “plane wave” decreases as an inverse square law, that is to double the range you need four times the emission energy.

Secondly the noise rises as the RMS of the unit energy per unit of bandwidth, that is, if the bandwidth is doubled then the noise floor is 41% higher.

Thirdly plane wave radiation is usually considered to be from a point source, with the E and H fields being orthogonal and the radiation being omnidirectional. This is most certainly not true in the near field where all sorts of interesting things happen, and consequently things that interact in the near field have significant consequences on the far field (think directional antennas as a practical everyday example; anyway, more on the devastating effects of near field attacks later).

These issues are the same for intentional emissions so are fairly well known, discussed and documented.

However then you have the effects going in your favour, which oddly under normal (ie non EmSec / TEMPEST use) conditions most of these are considered disadvantages and are thus discounted in the general body of knowledge as advantages.

First off in this area is harmonic radiation. Few if any signals when generated or amplified are harmonically clean which is why most transmitters have quite a few tuned circuits to reduce harmonics below either a given level (35uV into fifty ohms) or relative to the mean carrier output (ie -80dBc). As I noted in one of my posts above you can use harmonic radiation to reduce the effective noise floor.

That is when you sum two or more coherent signals together the wanted signal goes up linearly, the noise however being non-coherent only rises as the RMS value (ie root n). Therefore if you sum the first 9 harmonics the wanted signal level rises 9 times but the noise floor only three times thus giving you an overall advantage of three to one (or root n).

However you will be told that the voltage or current level of harmonics on digital waves goes down as 1/n [power drops as 1/(n^2)] in a (frequency independent) resistive load. And as the even order harmonics are assumed to have no energy, half the signal’s power is in the harmonics.

Which suggests that the summing of harmonic signals will not be that advantageous. However this is very far from the truth for several reasons.

The second advantage is that the radiation efficiency of a conductor of any given length goes up with frequency. The relationship is complicated but it tends to make up for the 1/(n^2) issue of harmonic energy. Which means that there is in all probability a “sweet spot” of harmonics that is related to the length of the conductor, which is how it turns out in practice.

Thirdly there is the noise floor; you normally get told -174dB / Hz is the noise floor below which it is not possible to pull a signal out, and for some unaccountable reason this appears to be treated as a “law”. It’s actually the thermal noise in a 1Hz bandwidth at room temperature so it goes up with bandwidth and drops with temperature (as evidenced by hot and cold resistor testing to get the real noise floor of a low noise amplifier).

Further as indicated above there are practical ways around it which do not break the laws of physics (ie average in the frequency domain and also average in the space domain and in some cases the time domain as well).

As well as apparently forming a “law” in people’s heads it also appears to get translated from “noise at the receiver input” to a general case…

Even though it is practically obvious that it is not the case. Antennas give (almost) noise free gain which is only practically limited by the effective aperture of the antenna that is usually related to its physical size and the frequency of operation (the higher the frequency the larger the gain for any particular physical size).

However there appears to be a general assumption that the noise floor at a receiver’s input is directionless.

This is simply untrue even for cosmic noise; when in use a receiver’s noise floor has little or nothing to do with the thermal noise floor. Most of the noise is from point sources such as other electronic equipment etc.

A similar RMS effect works with two or more antennas and is usually called “space diversity”. Usually it is assumed it is used to average out noise which is directionless and therefore of minimal benefit. Well if the antennas have directionality as well this gives a further boost to the wanted signal.

But more importantly you can also use antennas to null out unwanted signals. Often the null’s loss on an antenna is significantly greater than any gain it might have.

An old example of this is using a loop and whip antenna together for direction finding. The combined pattern is a cardioid where the null on an otherwise omnidirectional pattern can be 40dB or more, whereas the combined gain is only a couple of dB up, so such an antenna could easily be used to remove one considerably stronger interfering signal to negligible levels. Combine it with space diversity and you start to get a very powerful tool.

Then there is the long base line effect. The further apart (in wavelengths) two antennas are the more “effective point source gain” you have. This effect is seen in radio / optical astronomy etc. Suffice it to say when done properly it can pick a very weak distant signal out from many stronger adjacent interfering signals. The longer the base line and the more antennas there are the better the discriminating ability (space diversity is now on Uber Steroids).

A combination of these effects can all be used to make the desired keyboard stand out like a searchlight in a sea of candles and/or give an increased range…

Finally there is the non plane wave or near field to be considered. It is an area that is not normally talked about in general radio courses and often only in passing in EMC courses. However in EmSec it’s really the overriding area of interest.

Traditionally the near field is effectively a zone between the effective antenna aperture and two wavelengths out. The area is where the E and H fields sort themselves out and transition into the orthogonal plane wave. The power loss between the antenna feeds of a radiating antenna and receiving antenna at the edge of the near field is something like 20dB or 100:1.

However if the radiating element is not actually an antenna things become much more complicated. For instance, if there is a continuous conductor that passes through the near field then it will carry the signal along itself for many many times the expected free space distance (look up a G-wire transmission line).

An example of this is the old cordless phones that worked at 1.8MHz: if the transmitter was close to say a farmer’s fence or overhead power or telephone lines then the signal could be (and has been) usable at 10-20 miles which is a lot lot further than the 50-100 yard range it was supposed to have as a maximum (approx. equivalent to a 32dB increase in power).

You need to remember that the CPU in a keyboard often runs at around 2MHz and usually there are telephone / power / network cables directly adjacent to it. Further that metal structure in the desk and architecture such as rebar in concrete or RSJs, power / lighting / alarm cables in walls, ceilings and floors and even shielded telephone and network cables all fall well within the near field of the keyboard.

In the case of shielded cables this is something that works against the defender and very much for the attacker.

Shielded cables are designed to keep signals in the cable which they do quite well and also to keep signals out. Likewise twisted pair cables due to their differential signals do not tend to radiate. Often you will see shielded twisted pair cables used which really do stop signals being radiated from the twisted pair cable inside.

So people unversed in the ways of EmSec will add that extra “shielded magic” to their design.

Obviously a shielded cable has a large external diameter, so its radiation resistance (and therefore susceptance) is considerably lower than the wire in a twisted pair. Therefore if it goes into the near field it will not only pick up a lot more, it will carry it further and radiate it better than the unshielded twisted pair. Oops…

To understand more look up how Gamma matches and loop antennas work; it might make your mouth drop when you look around the average office.

Then there are other less well known effects such as “signal cross-coupling”, a form of leap frogging, where a signal starts in one conductor, gets coupled (jumps) into another, and likewise into others.

So desk frame to floor rebar, to wall rebar to external metal drain pipe etc….

Then there are strange effects to do with cross modulation and signal piggybacking. If you have an electrical conductor carrying a signal with modulation on it, another unrelated signal that shares the conductor will under some circumstances get the modulation superimposed on it.

One of these effects that can quite easily be induced is “parametric amplification” (google parametric amplifier if you want to know how the amplification and cross modulation works).

Basically if I direct a signal at ten or twenty times the frequency and approximately the same power up into the conductor and there is a nonlinear component such as rust or metal oxide making a nonlinear junction (ie like a diode) then the modulation will not only transfer to the higher frequency, it will be considerably amplified as well. Even better from an attacker’s point of view the effect can be further magnified by picking a frequency that the conductor is resonant at.

Now a keyboard cable has active semiconductor devices at either end which give you two nonlinear devices, and will be resonant in the VHF band. So if I point a VHF directional antenna at the office I want to monitor and tune around I stand a very good chance of irradiating the keyboard cable and of bringing it to resonance.

But how do I know I’ve done it? Well actually quite simply, I listen with another directional antenna to a harmonic of the frequency I am using; any conductor with nonlinear components on it will sing out at the harmonic frequency (that’s how a lot of those “store protection” tags work, especially those in books).

If this receiving antenna is in a different location simple triangulation enables me to cross point the axis of both at my target’s position; using two or more of these harmonic receivers with space diversity I have your keyboard dead in the water waiting for it to deliver up its precious treasure…

Oh and the range is dependent on how much power I inject into the keyboard cable. But at VHF even 1mW will radiate several hundreds of meters from a resonant antenna (which the keyboard cable has become). Oh and in practice you can get anything up to 500mW if the frequency is high enough, and at UHF with a low information bandwidth that could go over two hundred miles line of sight….

And there are other techniques where it could go a lot further for less power so reducing the probability not only of you being discovered but also of mucking up the keyboard or PC behaviour.

So the answers to your questions are,

Q1, Username / Password
A1, Effectively irrelevant in a lot of cases.

Q2, Intercept range.
A2, Purely passively maybe 100 meters, actively maybe a mile or two line of sight.

Q3, Target isolation.
A3, It depends on the number, type, gain and base line of the antennas you use in the receiver, and in an active attack on the gain and position of the transmitter antenna as well.

But yes it’s quite easily doable and not at that much cost if you know what you are doing.

And as I have pointed out none of this is secret information, it’s all in the public domain, you just have to piece the bits together (which for some strange reason few ever seem to do).
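The comment above argues that coherently summing n harmonics raises the wanted signal n times while independent noise only rises root-n, and then notes the 1/n roll-off of square-wave harmonics cuts against that. The following added example (not from the original post) checks both claims numerically: an analytic gain formula, a Monte Carlo confirmation, and a hypothetical radiation-efficiency weighting (assumed proportional to harmonic number) to show the “sweet spot” argument.

```python
import math
import random


def analytic_gain(amplitudes):
    """SNR gain (as an amplitude ratio) from coherently summing n channels,
    relative to using only the strongest single channel.  The wanted signal
    adds linearly, independent noise of equal sigma adds as root-n."""
    n = len(amplitudes)
    return sum(amplitudes) / (max(amplitudes) * math.sqrt(n))


def simulated_gain(amplitudes, noise_sigma=1.0, trials=20000, seed=7):
    """Monte Carlo check of analytic_gain: every channel carries the same
    wanted signal (its own amplitude) plus independent Gaussian noise."""
    rng = random.Random(seed)
    n = len(amplitudes)
    total = sum(amplitudes)
    summed = [total + sum(rng.gauss(0.0, noise_sigma) for _ in range(n))
              for _ in range(trials)]
    single = [max(amplitudes) + rng.gauss(0.0, noise_sigma) for _ in range(trials)]

    def snr(samples):
        mean = sum(samples) / len(samples)
        var = sum((x - mean) ** 2 for x in samples) / (len(samples) - 1)
        return mean / math.sqrt(var)

    return snr(summed) / snr(single)


def square_wave_harmonics(count):
    """Relative amplitudes of the first `count` odd harmonics of an ideal
    square wave: 1, 1/3, 1/5, ... (even harmonics carry no energy)."""
    return [1.0 / (2 * i + 1) for i in range(count)]


def radiated_harmonics(count, efficiency_exponent=1.0):
    """Hypothetical model (assumption, not from the post): the conductor's
    radiation efficiency grows as k**efficiency_exponent with harmonic
    number k, partly cancelling the 1/k roll-off of the source."""
    return [a * (2 * i + 1) ** efficiency_exponent
            for i, a in enumerate(square_wave_harmonics(count))]


if __name__ == "__main__":
    # Equal-amplitude harmonics: gain is root-9 = 3, as the comment states.
    print("equal amplitudes :", round(analytic_gain([1.0] * 9), 3))
    # Ideal square-wave roll-off: the sum is actually worse than the fundamental.
    print("1/k roll-off     :", round(analytic_gain(square_wave_harmonics(9)), 3))
    # Efficiency rising with frequency restores the advantage.
    print("efficiency ~ k   :", round(analytic_gain(radiated_harmonics(9)), 3))
    print("monte carlo      :", round(simulated_gain([1.0] * 9), 3))
```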

Clive Robinson October 25, 2008 10:50 PM

Whilst I remember.

If you want to see what I discussed with Markus Kuhn at Camb Labs or in fact more of the history.

I’ve dug out the link and it’s back in April 2006,

http://www.lightbluetouchpaper.org/2006/03/09/video-eavesdropping-demo-at-cebit-2006/

And it would appear it was based on a presentation Markus had made back in 2002. And like me he quite freely acknowledges the previous “prior art” work done in the area.

Oh and the cost of Wideband SDRs has dropped significantly since then, and you can buy “channel bank” receiver chips from the likes of Analog Devices which although intended for the cellular base station market will be quite capable of doing an attack on a PS2 cable or possibly USB1 (though they tend to be shielded).

So as an attack averaging a signal in the frequency domain has most definitely passed the “coming of age” and has given forth to its own offspring…

Informatiker October 26, 2008 7:03 PM

Bold thinkers might contemplate an active attack from an airborne or space-based asset.
Just blasting 10kW of RF/UHF at the site with those interesting keyboards. Big players could use multiple birds to perform the mentioned spatial elimination of unwanted emitters.
I did some USENET posting on the information-theoretical limits of what can be transmitted through a channel (Shannon’s law) – it’s an eye-opener. (Especially if the signal is repeated over and over again like in SSL accelerators)

Informatiker October 26, 2008 7:06 PM

The RF/Microwave kind of attack allegedly has been done by the Russians decades ago. They flooded the US embassy with RF in order to get that modulated in the active (non-linear) components of the Americans’ phones. The math is straight-forward AM/FM modulation in that case.

Ian Woollard October 26, 2008 7:30 PM

FWIW Separating out the signals of one keyboard from many is fairly easy if you have a highly directional antenna setup.

vanilla November 2, 2008 2:22 AM

Good grief. Ditch the tin foil and get saran wrap. Reprogram the calculator button to mean ‘dead drop alpha.’

In a sea of RF/microwave bombardment, how do our poor little electrons in all of our atoms stay in their proper shells … no wonder I get dystonia from time to time … (g)

Nick P August 15, 2009 10:45 AM

Very deep discussion going on here in the comment section. Always nice. 😉 I still haven’t seen one of the apparent experts answer the question: can a simple, cheap faraday cage or something stop tempest monitoring? Perhaps paired with a laptop to prevent power line analysis? If someone already answered, I apologize for repost.

The other thing I wanted to post is a [hopefully] new idea: using emanations for covert communications. Let’s say hostage-takers wanted to talk to helpers outside. The police jam/disable all communications. Two sets of antenna and noisy electronic device, one in target building and one in innocent building. Bad guys in target building type on noisy equipment, picked up by antenna/decoder in innocent building. It’s acted on by accomplices immediately or relayed to them over a different medium, which might be harder to spot cuz it’s not in target building. In this case, TEMPEST would let attackers with sophisticated equipment communicate during a blackout w/out the cops even knowing it.

Of course, I’m more interested in the possibility of using emanation attacks to recover private keys in tamper-resistant cards like IBM or Safenet. The idea is that companies pick these because their infosec design will put lots of trust in the device & it must be ultra-secure. Using this logic, I figure that being able to recover keys from these could have immense payoff for attackers. Let’s say a bank leases space in a building and has its transaction management systems there. Get in the [less-secure] office above it with a proper antenna and start collecting data. Take it home for cryptanalysis, and try to recover private keys. Could the attacker then forge authorizations for funds transfer? My approach assumes the attacker has studied and modeled the card(s) used and can filter out the noise. Additionally, the bank protocols must be understood. Digital signature cards would also be vulnerable to this attack. I’m not a cryptographer, so I don’t know how much of this 3rd paragraph is feasible.

Clive Robinson August 16, 2009 4:04 AM

@ Nick P,

“If someone already answered, I apologize for repost.”

The answers are there but you’d have to piece the bits together in the right order.

So,

1, “I still haven’t seen one of the apparent experts answer the question: can a simple, cheap faraday cage or something stop tempest monitoring?”

Faraday cages are not perfect, their effectiveness is related to how much of a conductive surface (E field) is between the emission source and sink. Likewise the volume of magnetic material (H field).

For the E field two layers with an insulating layer between them are generally more effective than a single layer of the same metal that is twice the thickness (google “skin effect”). Also the effective resistance of the metal is significant to the skin effect so double sided gold plated plastic would be of more benefit than a plate of aluminium.

For the H field there are various options but the thickness of an iron / chromium or other appropriate material is what counts.

However there is a fly in the ointment which is “slot radiators”: any access panel or other potential gap at say the corner where two metal plates join will act as a very efficient antenna at its resonant frequency.

Then there are issues to do with filtering any signal or power conductors coming into or out of the cage (even a battery powered laptop will need to be charged from time to time, and as has been observed these days another name for a “non networked” computer is a “door stop”).

So faraday cages are a bit of a “black art” in their own right. Which means that any practical (to use) cage is not going to be cheap…

Then depending on what part of the world you are in EmSec screening might be considered proof of illegal activity…

2, “Bad guys in target building type on noisy equipment, picked up by antenna/decoder in innocent building.”

Your idea is novel but not new; Simmons initially pointed out “covert channels” as an issue with weapons verification devices for SALT2 and that was based on the “prisoner’s dilemma”.

However with respect to,

3, “In this case, TEMPEST would let attackers with sophisticated equipment communicate during a blackout w/out the cops even knowing it.”

TEMPEST / EmSec has a dirty secret which is not much talked about. The receiver is not a passive participant but is active (it takes energy out of free space). In the same way you can find hidden CCTV cameras via the “red eye” effect of internal reflection, any receiver can be detected with appropriate equipment.

However it is very very unlikely that the Police or other Three Letter Agencies would either have the equipment or even have a requirement to have it.

So yes it would work the first couple of times but thereafter the authorities are going to wise up.

4, “Of course, I’m more interested in the possibility of using emanation attacks to recover private keys in tamper-resistant cards like IBM or Safenet.”

Anything that uses electricity in active components has the potential to emit “compromising emanations”.

Which gives rise to the question of “how effective are their prevention systems”.

One little EMC dirty secret is PC expansion cards. These are tested for EM Compatibility in a reference PC which is almost idealised. However most PC systems are quite deficient on the EMC side of things…

Therefore unless the manufacturer of the device in question has taken extra precautions there is the very real possibility that secret information will leak either directly (very bad) or indirectly via a side channel of some form (bad) or be prey to various forms of active attacks (bad).

It is the latter two areas that are of most concern these days as this is where most of the practical attacks happen.
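To put numbers on the skin effect and slot radiator points in the reply above, here is an added example (not from the original comment) that computes skin depth and the resulting absorption loss of a solid metal sheet, plus the half-wave resonance of a gap in the enclosure. It assumes handbook resistivities for copper, aluminium and gold and models absorption loss only; reflection loss, seams and cable penetrations are not modelled.

```python
import math

MU0 = 4 * math.pi * 1e-7           # permeability of free space, H/m
C = 299_792_458.0                  # speed of light, m/s

# Handbook DC resistivities in ohm-metres (values assumed for this example);
# all three are non-magnetic, so relative permeability is 1.
RESISTIVITY = {"copper": 1.68e-8, "aluminium": 2.65e-8, "gold": 2.44e-8}


def skin_depth(metal, freq_hz):
    """Depth (m) at which current density has fallen to 1/e:
    delta = sqrt(rho / (pi * f * mu))."""
    return math.sqrt(RESISTIVITY[metal] / (math.pi * freq_hz * MU0))


def absorption_loss_db(metal, thickness_m, freq_hz):
    """Absorption loss of a solid sheet, about 8.686 dB per skin depth
    (20*log10(e) per delta).  Reflection loss is NOT included."""
    return 8.686 * thickness_m / skin_depth(metal, freq_hz)


def slot_resonance_hz(gap_length_m):
    """Fundamental resonance of a slot (gap, seam, panel edge) of the given
    length: a half-wave slot radiates efficiently at f = c / (2 L)."""
    return C / (2.0 * gap_length_m)


def shielding_report(metal, thickness_m, clock_hz, harmonics):
    """Absorption loss at the keyboard clock and its listed harmonics,
    returned as {frequency_hz: loss_db}."""
    return {clock_hz * k: absorption_loss_db(metal, thickness_m, clock_hz * k)
            for k in harmonics}


if __name__ == "__main__":
    clock = 2e6                    # ~2 MHz keyboard CPU clock from the thread
    for metal, thickness in (("aluminium", 0.5e-3), ("gold", 1e-6)):
        print(f"{metal} {thickness * 1e6:.0f} um: skin depth at 2 MHz = "
              f"{skin_depth(metal, clock) * 1e6:.1f} um")
        for f, loss in shielding_report(metal, thickness, clock, (1, 3, 5, 9)).items():
            print(f"  {f / 1e6:5.0f} MHz  absorption loss {loss:7.1f} dB")
    # A 15 cm seam in the enclosure resonates near 1 GHz.
    print(f"15 cm slot resonance: {slot_resonance_hz(0.15) / 1e9:.2f} GHz")
```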

Nick P September 26, 2009 7:56 PM

I appreciate your reply. It pretty much answered all my questions. From your description, it would seem that budget, homebrew EMSEC is near impossible. I guess using high assurance mobile tech and constantly being on the move is the way to go if one is broke & worried about EMSEC.
