COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS
Computer keyboards are often used to transmit sensitive information such as usernames and passwords (e.g. to log into computers, to perform e-banking money transfers, etc.). A vulnerability in these devices will definitely kill the security of any computer or ATM.
Wired and wireless keyboards emit electromagnetic waves because they contain electronic components. This electromagnetic radiation could reveal sensitive information such as keystrokes. Although Kuhn already tagged keyboards as risky, we did not find any experiment or evidence proving or refuting the practical feasibility of remotely eavesdropping on keystrokes, especially on modern keyboards.
To determine whether wired and wireless keyboards generate compromising emanations, we measured the electromagnetic radiation emitted when keys are pressed. To analyze compromising radiation, we generally use a receiver tuned to a specific frequency. However, this method may not be optimal: the received signal does not contain the maximal entropy, since a significant amount of information is lost.
Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.
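The following is an added illustration of the bandwidth point made above; it is not code from the paper or from the authors' tools. A short decaying oscillation stands in for a broadband keystroke transient (it is a constructed stand-in, not a model of any real keyboard), and the trace length, noise level, pulse shape and the band a narrowband receiver would keep are all assumptions. The example shows, with a matched-filter argument, that a receiver tuned to one narrow band can at best reach the share of the transient's energy that falls inside that band, while a detector working on the whole captured spectrum keeps all of it.

```python
"""Constructed illustration: a broadband transient seen by a receiver that
keeps the whole spectrum versus one tuned to a narrow band.  Pure Python,
no hardware, no external dependencies.  Added example, not the paper's code."""
import cmath
import math
import random

N = 256  # length of the constructed trace, in samples (assumption)


def keystroke_pulse(n_samples=N, start=40, length=12, decay=0.35, freq=0.23):
    """Constructed stand-in for a broadband transient: a short decaying
    oscillation at `freq` cycles/sample, placed at index `start`."""
    x = [0.0] * n_samples
    for i in range(length):
        x[start + i] = math.exp(-decay * i) * math.cos(2 * math.pi * freq * i)
    return x


def energy(x):
    """Time-domain energy of a real sequence."""
    return sum(v * v for v in x)


def dft(x):
    """Plain O(N^2) discrete Fourier transform (N is small, so no FFT needed)."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def band_energy_fraction(x, centre_bin, half_width):
    """Share of the pulse energy that survives a receiver passing only the DFT
    bins within `half_width` of `centre_bin` (and their mirrored
    negative-frequency bins).  By Parseval's relation this is the same ratio
    whether measured in time or in frequency."""
    n = len(x)
    spectrum = [abs(c) ** 2 for c in dft(x)]
    total = sum(spectrum)
    kept = sum(p for k, p in enumerate(spectrum)
               if min(abs(k - centre_bin), abs(k - (n - centre_bin))) <= half_width)
    return kept / total


def matched_filter_snr(x, sigma, centre_bin=None, half_width=None):
    """Output SNR of the optimal linear detector (matched filter) for the pulse
    in white Gaussian noise of standard deviation `sigma`.  Over the full band
    it is E/sigma^2.  A receiver restricted to a band captures only that band's
    share of E, so its best achievable SNR drops by exactly that fraction."""
    fraction = 1.0
    if centre_bin is not None:
        fraction = band_energy_fraction(x, centre_bin, half_width)
    return fraction * energy(x) / sigma ** 2


def detect_pulse(trace, template):
    """Slide `template` over `trace` (time-domain matched filter) and return
    (index of the best match, peak-to-median ratio of the filter output)."""
    length = len(template)
    out = [abs(sum(trace[i + j] * template[j] for j in range(length)))
           for i in range(len(trace) - length + 1)]
    peak = max(range(len(out)), key=out.__getitem__)
    median = sorted(out)[len(out) // 2]
    return peak, out[peak] / median


def demo(sigma=0.1, seed=1):
    """Build a noisy trace holding one constructed pulse, locate it with the
    full-band matched filter, and compare the full-band SNR with the best a
    narrowband receiver tuned near the pulse's dominant frequency could reach."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    pulse = keystroke_pulse()
    trace = [p + rng.gauss(0.0, sigma) for p in pulse]  # constructed noisy capture
    template = pulse[40:52]  # the known transient shape
    where, ratio = detect_pulse(trace, template)
    dominant_bin = round(0.23 * N)  # ~59: where the oscillation's energy peaks
    return {
        "detected_at": where,
        "peak_to_median": ratio,
        "snr_full_band": matched_filter_snr(pulse, sigma),
        "snr_narrow_band": matched_filter_snr(pulse, sigma, dominant_bin, 3),
        "band_energy_fraction": band_energy_fraction(pulse, dominant_bin, 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

The narrow band in `demo` is centred on the bin where the constructed oscillation has most of its energy, which is the most favourable tuning a narrowband receiver could pick; even so, only the fraction returned by `band_energy_fraction` reaches the detector, and `snr_narrow_band` is lower than `snr_full_band` by exactly that factor.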
We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance of up to 20 meters, even through walls. We tested 12 different wired and wireless keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). All of them are vulnerable to at least one of our 4 attacks.
We conclude that wired and wireless computer keyboards sold in stores generate compromising emanations (mainly because of cost pressures in their design). Hence they are not safe for transmitting sensitive information. No doubt our attacks can be significantly improved, since we used relatively inexpensive equipment.
UPDATE: This paper was published at the 18th USENIX Security Symposium in August 2009. You can download it here or here (local version). This paper received the Outstanding Student Paper Award!
Frequently Asked Questions
Q: Why do you disconnect the power supply of the laptop?
A: At the beginning of our experiments, we obtained very good results. We were able to capture the signal at an impressive distance. We discovered that the shared ground may act as an antenna and significantly improve the range of the attack. To avoid any physical support for compromising emanations, we disconnected every cable connected to the computer. Thus, the objective of this demo is to confirm that compromising emanations are not carried by the power supply wire.
Q: The keyboard is connected to a laptop. Does it still work if the keyboard is connected to a usual computer (i.e. a PC tower)?
A: Yes, our attacks still work (and are generally better on a PC tower). Since a desktop computer (PC tower) has no battery, it must be connected to the electrical network. Thus, we cannot avoid the shared ground effect (see the previous question).
Q: Why do you remove the LCD display? Is it because the LCD generates too much noise?
A: We removed the LCD display because it can emit compromising signals (see this paper) and could carry keyboard emanations. To avoid any support for compromising emanations, we disconnected the LCD display. The noise generated by the LCD display is insignificant, since it can be easily filtered. Moreover, in the first video you can see two powered LCD displays in the same room during the measurements. They do not disrupt the experiment.
Q: You are typing so slowly! Why?
A: The filtering and decoding processes take time (about two seconds per pressed key). To make sure that we captured all keystrokes, we typed very slowly. With hardware-based computation (i.e. an FPGA) the filtering and decoding processes can obviously be instantaneous (e.g. less than the minimum time between two keystrokes); it's just a matter of money.
Q: I found something odd. Your tool seems to capture 12 or 8 characters (depending on the video) and then decode them. How do you know that you will have exactly 12 (or 8) keys to recover?
A: If you look carefully at the videos, the filtering and decoding processes take more time than the capturing process. To avoid spending 2 seconds between each keystroke, we first capture a fixed number of keys and then recover the keystrokes. With some dedicated hardware-based FFT computation, this delay can be avoided (see the previous question). Thus, we fixed the number of characters for the demo, but we could use an infinite scanning loop as well.
Q: If there is more than one keyboard in the same room, are you able to distinguish them and to recover all keystrokes?
A: Yes, each keyboard can be distinguished, even if they come from the same manufacturer and share the same model (more information in our paper).
Q: Are wireless keyboards vulnerable as well?
A: Yes, they are :-)