Power Sockets Can be Used to Eavesdrop on What People Type on a Computer
July 13th, 2009
Via: BBC:
Power sockets can be used to eavesdrop on what people type on a computer.
Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed.
By analysing the information leaking onto power circuits, the researchers could see what a target was typing.
The attack has been demonstrated to work at a distance of up to 15m, but refinement may mean it could work over much longer distances.
Hotel attack
“Our goal is to show that information leaks in the most unexpected ways and can be retrieved,” wrote Andrea Barisani and Daniele Bianco, of security firm Inverse Path, in a paper describing their work.
The research focussed on the cables used to connect PS/2 keyboards to desktop PCs.
Usefully, said the pair, the six wires inside a PS/2 cable are typically “close to each other and poorly shielded”. This means that information travelling along the data wire, when a key is pressed, leaks onto the ground wire in the same cable.
The ground wire, via the PC’s power unit, ultimately connects to the plug in the power socket, and from there leaks out onto the circuit supplying electricity to a room.
Even better, said the researchers, data travels along PS/2 cables one bit at a time and uses a clock speed far lower than any other PC component. Both these qualities make it easy to pick out voltage changes caused by key presses.
A digital oscilloscope was used to gather data about voltage changes on a power line and filters were used to remove those caused by anything other than the keyboard.
“The PS/2 signal square wave is preserved with good quality… and can be decoded back to the original keystroke information,” wrote the pair in a paper describing their work.
They demonstrated it working over distances of 1, 5, 10 and 15m from a target, far enough to suggest it could work in a hotel or office.
“The test performed in the laboratory represent a worst case scenario for this type of measurement, which along with acceptable results emphasizes the feasibility of the attack on normal conditions,” they added.
The pair said their research was “work in progress” and expect the equipment to get more sensitive as it is refined.
The attack is due to be demonstrated at the Black Hat conference that takes place in Las Vegas from 25-30 July.
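As an added illustration (not code from the BBC article or from the Inverse Path paper), the decoder below shows the device-to-host framing that the article says makes a captured PS/2 signal easy to turn back into keystrokes: one 11-bit serial frame per byte at a clock of only 10 to 16.7 kHz, with a start bit, eight data bits sent LSB first, an odd parity bit and a stop bit. The scan code table is a small subset of the standard set 2 codes, and the bit stream is constructed here rather than captured from any wire; the parity check is what lets an analyst discard frames damaged by noise.

```python
"""Decoder for PS/2 device-to-host frames (scan code set 2).

Each byte from the keyboard travels as an 11-bit serial frame:
start bit (0), 8 data bits LSB first, odd parity bit, stop bit (1).
"""
from typing import List, Tuple

# Subset of scan code set 2 make codes. The keyboard sends the make code on
# key press and BREAK_PREFIX followed by the same code on key release.
BREAK_PREFIX = 0xF0
SCANCODES = {0x33: "h", 0x43: "i", 0x1C: "a", 0x29: " ", 0x5A: "\n"}


def encode_frame(byte: int) -> List[int]:
    """Build the 11 bits a keyboard emits for one byte (used to construct test input)."""
    data = [(byte >> i) & 1 for i in range(8)]  # LSB first on the wire
    parity = 1 - (sum(data) & 1)                 # odd parity over the data bits
    return [0] + data + [parity, 1]


def decode_frame(bits: List[int]) -> Tuple[int, bool]:
    """Return (byte, ok); ok is False on bad framing or a parity mismatch."""
    if len(bits) != 11 or bits[0] != 0 or bits[10] != 1:
        return 0, False
    data = bits[1:9]
    byte = sum(b << i for i, b in enumerate(data))
    parity_ok = (sum(data) + bits[9]) % 2 == 1   # data + parity must be odd
    return byte, parity_ok


def decode_stream(bits: List[int]) -> Tuple[str, int]:
    """Split a bit stream into frames, drop key-release codes, return (text, bad_frames)."""
    text: List[str] = []
    bad = 0
    release = False
    for i in range(0, len(bits) - len(bits) % 11, 11):
        byte, ok = decode_frame(bits[i:i + 11])
        if not ok:
            bad += 1            # noise-damaged frame: count it, do not guess a key
            continue
        if byte == BREAK_PREFIX:
            release = True      # the next byte is a key-up, not a new keystroke
        elif release:
            release = False
        else:
            text.append(SCANCODES.get(byte, "?"))
    return "".join(text), bad
```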
1970s technology. Those interested may look up the NSA “TEMPEST” program.
One (out of countless!) hacks was to put a small piece of clay/glue whatever inside the type-ball of an IBM-Selectric typewriter. The resultant unbalancing of the ball loaded the engine differentially, according to the letter typed. (You’d have to be old enough to have touched a Selectric to understand.) The resultant differential engine loading was communicated to the power supply, and thence the power lines.
“Sit at the river long enough, and you’ll see the head of your enemy come floating along”.
Sure it’s under the TEMPEST umbrella, but I’ve never seen this one documented anywhere before.
The problem with this would be how you isolate a target in a building full of people using computers.
Maybe there’s a Magic 8 Ball bit of software that can demux all of it into individual streams based on some statistical process. Or maybe they can be separated by amplitude…
From my hazy memory of TEMPEST, counter-eavesdropping measures were primarily focused on CRT display snooping. (It’s possible to remotely snoop on LCDs as well, for whatever that’s worth.)
Standard TEMPEST shielding could prevent “leakage” of this sort, but I don’t know that any TEMPEST deployments in the field were tested to evaluate vulnerability to this specific attack.
Also note that the measurements described in this article were carried out with 6-pin PS/2 keyboards. The vast majority of desktop PCs made in the last decade shipped with USB keyboards, which use a different pinout and a different on-wire data encoding and are capable of much higher sustained data transfer rates (and therefore have tighter tolerances) than the old PS/2 interface.
Don’t forget that laptops or other devices with integrated keyboards/keypads wouldn’t be vulnerable to this particular attack either, since the input devices use internal cable connections to the motherboard.
All the same, it’s still interesting research. The same principles might be applicable to other areas – think “power signatures” to remotely determine hardware components, manufacturers, or current CPU/GPU loads.
How to demux? Heterodyne with another signal.
Marry the ground cable leakage stream up with the data from the packet sniffer and match on character groups. Bingo, you’ve got a lock.
If the target is not on the Internet, you then need an internal network monitor and/or a visual that allows you to marry up the act/content of typing with the message.
One is reminded of the brilliant scene in The Mechanic — Charles Bronson’s last great movie — where he lip-reads his target via binoculars. Too bad it didn’t save him from the “brucine”, eh?
Van Eck Phreaking is the thing that poses a bigger threat to info security:
http://en.wikipedia.org/wiki/Van_Eck_phreaking
“Information that drives the video display takes the form of high frequency electrical signals. These oscillating electric currents create electromagnetic radiation in the RF range. These radio emissions are correlated to the video image being displayed, so, in theory, they can be used to recover the displayed image.”
Some prick could sit in a van outside your house and see your monitor’s display.
Lurvely.
Here’s another one, this time in audio range, and for dot-matrix printers.
http://www.schneier.com/blog/archives/2009/06/eavesdropping_o_3.html
(if anyone asks ‘but how will you hear it’, then i’ll post a bit about lasers and windows…)
On and on it goes… some days it’s the technology; some days it’s the Evil Overlords; some days it’s both.