Keystrokes Can Be Sniffed Without the PC Being Compromised

DNR
Digital Mercenary

Post by DNR »

dudes you are killin floodie :lol:

Ok, so perhaps you can write a nice tut about this keyboard eavesdropper. I assume it will involve lots of lab work with an isolated keyboard that was prepped ahead of time (i.e. signal/manufacture-type/brand) and the listening device placed 1m away. I suppose if I could get 1m close to a keyboard I could just shoulder surf the mother :lol:

I am sure it is possible, but at what cost and what QoS? It is not that you are talking about a $300 mouse trap (when a $2 one will do the job), but we were talking about real world application of the idea - the idea of picking up keystrokes from a 'real' keyboard. If someone needs to throw $300 at a problem, they need to just pay someone like us to do the job. (probably a $40 webcam setup, $260 for tech support - me!)

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

floodhound2
∑lectronic counselor

Post by floodhound2 »

DNR wrote: dudes you are killin floodie :lol:

DNR
Yea it is killing me, but I sit back and laugh. It seems as though they have no clue on how a keyboard works. As if each button would create an individual signature of a magnetic field. So this would make it able to detect the difference between an "A" and a "B". PFT!

Now if the IC in the keyboard is creating a signal that could somehow be picked up it would be theoretically possible. Then again the FCC, UL and CE along with other agencies would not allow certification due to the radiated noise.

Well roll up one for me and enjoy this thread.

* READ: DEBOUNCING A BUTTON.

When a user hits a key on the keyboard the processor sees it as many hits, up to a few hundred. Like you press "A" but the real thing is

"AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA"

Lundis
Distorter of Reality

Post by Lundis »

I don't know any details and I certainly don't know how a keyboard works :D , but my friend told me about it, and I don't think he's lying. I'll ask him again later today, just to make sure I understood him correctly.

DNR
Digital Mercenary

Post by DNR »

:lol: I am all too happy to try to bend my mind around something new.

Now as floodie is getting at, you have to understand how the keyboard works. When you press the "A" letter key on your keyboard, when does it know what letter you pressed?
The key matrix is a grid of circuits underneath the keys. In all keyboards (except for capacitive models, which we'll discuss in the next section), each circuit is broken at a point below each key. When you press a key, it presses a switch, completing the circuit and allowing a tiny amount of current to flow through. The mechanical action of the switch causes some vibration, called bounce, which the processor filters out.

When the processor finds a circuit that is closed, it compares the location of that circuit on the key matrix to the character map in its read-only memory (ROM). A character map is basically a comparison chart or lookup table. It tells the processor the position of each key in the matrix and what each keystroke or combination of keystrokes represents. For example, the character map lets the processor know that pressing the a key by itself corresponds to a small letter "a," but the Shift and a keys pressed together correspond to a capital "A."
Whether it's through a cable or wireless, the signal from the keyboard is monitored by the computer's keyboard controller. This is an integrated circuit (IC) that processes all of the data that comes from the keyboard and forwards it to the operating system.
If you are considering hacking a keyboard, it is not the actual keystroke but the key matrix and the character map that are stored on a chip. It's not possible to detect which key was pressed until the processor matches up the signal with a character map and ruleset that is contained deep inside a chip. What they are proposing is a way to read what chips have inside them from a distance.

*Next Section
Keyboards use a variety of switch technologies. Capacitive switches are considered to be non-mechanical because they do not physically complete a circuit like most other keyboard technologies. Instead, current constantly flows through all parts of the key matrix. Each key is spring-loaded and has a tiny plate attached to the bottom of it. When you press a key, it moves this plate closer to the plate below it. As the two plates move closer together, the amount of current flowing through the matrix changes. The processor detects the change and interprets it as a key press for that location. Capacitive switch keyboards are expensive, but they have a longer life than any other keyboard. Also, they do not have problems with bounce since the two surfaces never come into actual contact.
All of the other types of switches used in keyboards are mechanical in nature.
Maybe this hack relates to capacitive switch keyboards?

Keep studying!

DNR
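The scan-matrix, character-map and debounce behaviour described in this post and in floodhound2's note on debouncing, modelled as an added C example (the 2x4 matrix, its character map and the sample traces are constructed for illustration; this is not code from any real keyboard firmware):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ROWS 2
#define COLS 4
#define STABLE_SAMPLES 4  /* reads a line must hold steady before a change is accepted */

/* Constructed character map for a toy 2x4 matrix (assumption, not a real layout). */
static const char charmap[ROWS][COLS]       = { {'a','b','c','d'}, {'e','f','g','h'} };
static const char charmap_shift[ROWS][COLS] = { {'A','B','C','D'}, {'E','F','G','H'} };

/* The controller only learns a character by looking the closed matrix position up
 * in its character map and applying the Shift modifier; bad positions decode to 0. */
char decode_key(int row, int col, bool shift) {
    if (row < 0 || row >= ROWS || col < 0 || col >= COLS) return '\0';
    return shift ? charmap_shift[row][col] : charmap[row][col];
}

/* One scan pass: each row is driven in turn and its column lines read.
 * cols_closed[r] is a bitmask of closed columns in row r; returns the first key found. */
char scan_matrix(const uint8_t cols_closed[ROWS], bool shift) {
    for (int r = 0; r < ROWS; r++)
        for (int c = 0; c < COLS; c++)
            if (cols_closed[r] & (1u << c)) return decode_key(r, c, shift);
    return '\0';
}

/* Debounce state for one key line: a raw level is accepted only after it stays
 * constant for STABLE_SAMPLES reads, so contact bounce never counts as extra presses. */
typedef struct { int stable; bool last_raw; bool debounced; } debounce_t;
/* Feed one raw sample (true = contact closed); returns true once per accepted press. */
bool debounce_update(debounce_t *d, bool raw) {
    if (raw == d->last_raw) { if (d->stable < STABLE_SAMPLES) d->stable++; }
    else { d->last_raw = raw; d->stable = 1; }
    if (d->stable >= STABLE_SAMPLES && d->debounced != raw) {
        d->debounced = raw;
        return raw;  /* report the press edge only, not the release */
    }
    return false;
}

/* Run a trace of '0'/'1' samples from one key line through the filter; count presses. */
int count_presses(const char *trace) {
    debounce_t d = { 0, false, false };
    int presses = 0;
    for (size_t i = 0; trace[i]; i++)
        if (debounce_update(&d, trace[i] == '1')) presses++;
    return presses;
}
```

A constructed bouncy trace such as "0000101011111111111010000000" (chatter on press and on release) yields a single accepted press, and the character only exists once the row/column position has been looked up in the map.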

f4Gg0t_43
Fame ! Where are the chicks?!

Post by f4Gg0t_43 »

Found something on it
watch from 2:00 on

DNR
Digital Mercenary

Post by DNR »

That very long YouTube video refers to this

http://www.crunchgear.com/2008/10/21/re ... tic-field/

this link has its own video

"""
Compromising Electromagnetic Emanations of Keyboards Experiment 1/2 from Martin Vuagnoux on Vimeo.
Two doctoral students have produced what is probably the most fascinating hack (or whatever you want to call it) of the year. Using custom equipment and software, Messrs Martin Vuagnoux and Sylvain Pasini of the Swiss Ecole Polytechnique Federale de Lausanne are able to detect shifts in the magnetic field surrounding keyboards. By measuring and interpreting these shifts, the students are able to figure out what has been typed. There are four such “attacks,” one of which can work from as far as 20 meters (65 feet).

While we’ll no doubt have to put up with ignorant “keyboard sniffers on the loose!” stories on your CNNs and whatnot, it’s important to understand what exactly this is. That is, research. These aren’t script kiddies looking to wreak havoc at a Starbucks or whatever, but scholars trying to figure out how things work.
"""

The article points to the actual study:

http://lasecwww.epfl.ch/keyboard/

"""
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED KEYBOARDS

Martin Vuagnoux and Sylvain Pasini

Computer keyboards are often used to transmit sensitive information such as username/password (e.g. to log into computers, to do e-banking money transfer, etc.). A vulnerability on these devices will definitely kill the security of any computer or ATM.

Wired keyboards emit electromagnetic waves, because they contain electronic components. This electromagnetic radiation could reveal sensitive information such as keystrokes. Although Kuhn already tagged keyboards as risky, we did not find any experiment or evidence proving or refuting the practical feasibility to remotely eavesdrop keystrokes, especially on modern keyboards.

To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiations emitted when keys are pressed. To analyze compromising radiations, we generally use a receiver tuned on a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy since a significant amount of information is lost.

Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.

We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks.

We conclude that wired computer keyboards sold in the stores generate compromising emanations (mainly because of the cost pressures in the design). Hence they are not safe to transmit sensitive information. No doubt that our attacks can be significantly improved, since we used relatively inexpensive equipment.

More information on these attacks will be published soon, the paper is currently in a peer review process for a conference.

"""

Not very helpful.


http://en.wikipedia.org/wiki/Markus_Kuhn

Nothing found on his study on keyboard emissions
http://www.cl.cam.ac.uk/~mgk25/publications.html

----------------------
The stories get wilder...
--

Dictionary Attacks Using Keyboard Acoustic Emanations
http://www.eng.tau.ac.il/~yash/p245-berger.pdf
"

We present a dictionary attack that is based on keyboard acoustic emanations. We combine signal processing and efficient data structures and algorithms, to successfully reconstruct single words of 7-13 characters from a recording of the clicks made when typing them on a keyboard. Our attack does not require any training, and works on an individual recording of the typed word (may be under 5 seconds of sound). The attack is very efficient, taking under 20 seconds per word on a standard PC. We demonstrate a 90% or better success rate of finding the correct word in the top 50 candidates identified by the attack, for words of 10 or more characters, and a success rate of 73% over all the words we tested. We show that the dominant factors affecting the attack’s success are the word length, and more importantly, the number of repeated characters within the word."

;;;;;

We begin by processing the signal in order to separate and extract the keystrokes from it (see Figure 2). Assume that the signal contains an N characters long word. Note that each keystroke produces two separate sound segments, as noted in [1, 14], generated by the press of the key button and its release. Let PRESS_i (RELEASE_i) denote the i-th key press (release) in the signal. The output of the signal processing stage consists of the two arrays of signal segments, PRESS and RELEASE.

2.2 Keystroke Processing

A basic capability we need is a method to calculate the similarity between each pair of keystrokes. What we demonstrate is that a good similarity metric not only tells us how similar two keystrokes sound, but also lets us deduce information about the keys’ physical proximity on the keyboard. Specifically, for a metric sim, if sim(K_i, K_j) > sim(K_i, K_k) then with a significant amount of confidence we can say that K_i and K_j are positioned more closely on the keyboard than K_i and K_k. Without this property, it would not have been possible to employ our method on such short signals
"""

I must not be very smart - it seems like these scientists are on a different planet than I am. Or are these scientists milking grants and funding for silly projects?
Again, I suppose if I picked a specific model, and tested it in a controlled lab environment, with physical access to the keyboard to verify and mod it - sure, it could be done, maybe.

Again, what I described in the previous post - the 'click' of the key connects a power signal to an IC chip - and IN the chip, that's when it is determined by the KB which letter it is. And right now, you cannot read what is inside an IC chip without touching it. Acoustic hacking is not that difficult of a realm to understand, but listening to a person hit a key on a keyboard and being able to hear where the key is located sounds fishy too.

DNR
