SUMware
Premium
join:2002-05-21
1 edit | Standard Keyboards Leak Keystroke Data-Kills PC/ATM Security
keyboard data intercepted |
2008-10-20
Two researchers at the Swiss Federal Institute of Technology (EPFL) in Lausanne, Switzerland have surveyed 11 different wired computer keyboards and found that all leaked keystroke information.
The researchers, Martin Vuagnoux and Sylvain Pasini, used four different attacks to gather information at a distance of up to 20 meters via the electrical signals emitted from the the keyboards. The antenna used by the researchers could read the data even through walls, Vuagnoux said.
"We conclude that wired computer keyboards sold in the stores generate compromising emanations -- mainly because of the cost pressures in the design," Vuagnous wrote on a Web page describing the attacks. "Hence they are not safe to transmit sensitive information. No doubt that our attacks can be significantly improved, since we used relatively unexpensive equipments (sic)."
The researchers claim that the study is the most complete survey to date of the problems of data leakage among standard keyboards. Previous research has found that the key clicks on a keyboard can also leak information, if a microphone is placed relatively close to the keyboard. In addition, a great deal of research has focused on eavesdropping on systems via the emanations of the computer monitor.
While more expensive keyboards contain shielded components, preventing them from leaking information, the pressure to reduce costs of commercial keyboards means that the vast majority of people could fall prey to a remote eavesdropping attack. The researchers have submitted a paper on the experiments to be peer reviewed and two videos showing their attacks can be viewed via their Web site.
Compromising Electromagnetic Emanations of Wired Keyboards
by Martin Vuagnoux and Sylvain Pasini
Computer keyboards are often used to transmit sensitive information such as username/password (e.g. to log into computers, to do e-banking money transfer, etc.). A vulnerability on these devices will definitely kill the security of any computer or ATM.
[edit: added photo & subject detail] |
|
rlocone
Honor Our Heros, Our Armed Forces
Premium
join:2002-04-10
Kokomo, IN
|  OK, with this being said. How do we protect ourselves from these attacks. I don't mind buying an expensive keyboard if I know that it's gonna do the job. They mention keyboards are shielded. What is actually shielded, (keys, the cable)? Noticed that they were trying to remove all sources of interference so it wouldn't disturb the test. If this was done in the real world not in a lab. The attacker would have to sort out all of the interference first before getting any useful data. I guess that would depend on the distance and the amount of interference being generated.
--
*** Never Forget 9/11 *** |
|
dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
| said by rlocone  :OK, with this being said. How do we protect ourselves from these attacks. Don't have anyone within reading distance of your keyboard 
(I can't see my WiFi signal at the bottom of my driveway, so I suppose the keyboard is safe too.) |
|
JTM1051
Premium,MVM
join:2000-07-08
Moorpark, CA
| reply to rlocone
said by rlocone :OK, with this being said. How do we protect ourselves from these attacks. ... Guess one could paint the interiors of the room(s) the computer(s) are used with one of the Wi-Fi Paint products. |
|
rlocone
Honor Our Heros, Our Armed Forces
Premium
join:2002-04-10
Kokomo, IN | Yeah, I've heard of that wifi paint but don't know anyone that used it or how well it works.
--
*** Never Forget 9/11 *** |
|
Trel
Good Evening
Premium
join:2002-10-08
Hillsborough, NJ | reply to SUMware
They don't seem to mention if really old keyboards are also affected, such as my beloved Model M.
--
/chown -R us:us /yourbase |
|
SUMware
Premium
join:2002-05-21
4 edits | reply to rlocone
said by rlocone :Noticed that they were trying to remove all sources of interference so it wouldn't disturb the test. Correct. They were trying to test for the experimental keyboard variable only. The researchers attempted to reasonably eliminate potential local extraneous interference. In the real world, with other abundant electromagnetic wave propagation, who knows?said by dave :said by rlocone :OK, with this being said. How do we protect ourselves from these attacks. Don't have anyone within reading distance of your keyboard "We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters [65.62 feet], even through walls."
And that's with 'off the shelf hardware', nothing esoteric.
Does anyone think it possible that the FBI, CIA & NSA already know about this? |
|
dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS
1 edit | Well, not having anyone within 20m is no big deal in the New England suburbs. Unless my cat is a covert agent.
As for the FBI, CIA, and NSA, they've already got the surveillance modules installed in the OS, so they don't have to read the keystream. |
|
SUMware
Premium
join:2002-05-21
| said by dave :Well, not having anyone within 20m is no big deal in the New England suburbs. Unless my cat is a covert agent. How well do you really know your cat? |
|
Matt
Take me down to the paradise city
Premium
join:2003-07-20
Jamestown, NC
·North State Commun..
| reply to SUMware
The Logitech wireless keyboards use encryption. I doubt it's hard to break, but they would probably also emit less EM radiation due to the lower power constraints of running off batteries.
--
Linux Haters Unite! |
|
SUMware
Premium
join:2002-05-21 | Don't know. Again, this test was specifically targeted at wired keyboards.
It would be an interesting comparison to test some wireless ones. |
|
rlocone
Honor Our Heros, Our Armed Forces
Premium
join:2002-04-10
Kokomo, IN
| reply to SUMware
It's our govt. I won't put it pass them. If the NSA has anything to do w/ it. They probably have a streamed line process. There is a whole much of stuff that they are doing right now we have no idea.
--
*** Never Forget 9/11 *** |
|
quatrix
Premium
join:2005-02-11
Davie, FL
| reply to SUMware
Let's be realistic. Is a potential identity thief going to camp outside your home with a laptop, antenna, and other equipment? There are plenty of potential "vulnerabilities" if you get really picky about it, but the bottom line is that the hacking methods are so impractical that there's virtually zero risk unless you're a spy. |
|
rlocone
Honor Our Heros, Our Armed Forces
Premium
join:2002-04-10
Kokomo, IN
| You bring up a valid point. Bottom line is if they can do this what else can they do? Gets you wondering? Not that I have anything to hide. It's just that its possible. Nothing you nor I can really do about it. Lately alot of things in life are becoming that way.
Also some mentioned wireless keyboard the does encryption. That is interesting. I didn't know that those keyboards did do that.
--
*** Never Forget 9/11 *** |
|
SUMware
Premium
join:2002-05-21
2 edits | reply to quatrix
said by quatrix :hacking methods are so impractical that there's virtually zero risk unless you're a spy Right, or outside a bank, or a busy retail outlet, or maybe looking to blackmail someone, or obtain private medical info from a doctor's office, or engaged in industrial espionage, etc.
There are probably many reasons that would make the effort 'worth it' for interested parties. It's not just about your home computer. |
|
microserf v1
@cgocable.net | reply to SUMware
Welcome to EE undergrad projects of the late eighties / early nineties. |
|
quatrix
Premium
join:2005-02-11
Davie, FL
| reply to SUMware
said by SUMware :There are probably many reasons that would make the effort 'worth it' for interested parties. It's not just about your home computer. My point was that it makes no difference for most of us, yet a few of the posters here do seem to be concerned about their home PCs. |
|
SUMware
Premium
join:2002-05-21
2 edits | said by quatrix :My point was that it makes no difference for most of us Not until they obtain your credit card info, steal your bank savings, alter your credit rating, or shut down your power grid. None of which needs to happen by spying on your home keyboard. |
|
The Snowman
Premium
join:2007-05-20
·Verizon Online DSL
1 edit | reply to SUMware
LOL.....well I can't but just love this....so much so that I actually logged in to make this post.
_____________________________
Several months ago when I was in really bad shape I wanted to share some little known exploits and prevention towit. So I made a Post.....on this very same keyboard subject. Folks, this is a very old exploit. I can't help now but wonder what some people must think the old-school security community have been doing all these years.
Ironically when I made the post almost immediately two people began Flaming me....."put on your tin-foil hat"...etc. So instead of playing silly nonsense games I as well nearly immediately re-moved the Topic and went my merry way in peace.
Soooooooooooo, is there a way to prevent this exploit......I am not going to given comment on that.
|
|
NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
 ·Vonage
 ·Cingular Wireless
·AT&T CallVantage
| reply to SUMware
And what is new about this? This has been a well known security leak for decades (monitors and computers in general also radiate information that can be covertly intercepted).
Has everyone forgotten everything that happened before the USSR dismantled itself? I can't believe that anyone involved in IT security is not aware of TEMPEST. At the height of the cold war, an entire industry was built around this condition.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
