Compromising Electromagnetic Emanations of Wired and Wireless

Keyboards

Presented By: Justin Rilling

Written By: Martin Vuagnoux and Sylvain Pasini

Outline- Introduction- Paper Contributions- Experimental Setup - Description of Attacks- Results- Countermeasures- Comments- Questions

Introduction- This paper evaluates four types of keyboards (PS/2, USB, laptop, and wireless)- Defines four types of attacks. All the keyboards tested where vulnerable to at least one type of attack (One attack recovered 95% of keystrokes 20m from the keyboard through walls)- Tests electromagnetic vulnerability in different environmental scenarios (Low noise, office, adjacent office, and building)

Contribution- Determined the practical feasibility of eavesdropping on keystrokes- Used the “Full Spectrum Acquisition Method” to detect electromagnetic radiation that may be missed by traditional methods

Experimental Setup

Falling Edge Transition Technique (FETT)

000 1 00 1 00 1 1

Start BitScan Code0x24 = ‘E’ Odd Parity Bit

Stop Bit

Falling Edge Transition Technique (FETT)

- Were able to detect the falling edges of the PS/2 data line- On average, can reduce the keystroke to 2.42 possible keys

The Generalized Transition Technique (GTT)

- A band-pass (105-165MHz) filter is used to improve the SNR which allows the authors to extract the rising and falling edges of the data line

Threshold Line

0 0 0 1 0 0 1 0 0 1 1

The Modulation Technique (MT)- They were also able to find frequency and amplitude modulated harmonics at 124MHz that correspond to the data and clock signals - This attack is able to fully recover all keystrokes- These types of electromagnetic waves are interesting because they carry further than those discussed in the previous two attacks

The Matrix Scan Technique (MST)

Driver Driver Driver

Detector

Detector

Detector

…

…

…

w

s

x

e

d

c

q

a

z

The Matrix Scan Technique (MST)- This attack worked on almost every keyboard- On average, could reduce the keystroke to 5.14 possible keys

AccuracyGTT - Able to recover all keystrokes correctlyMT - Able to recover all keystrokes correctlyFETT - Can reduce the keystroke to 2.42 possible keys on averageMST - Can reduce the keystroke to 5.14 possible keys on average

Effectiveness on Various Types of Keyboards

Range of Attack

Low Noise Scenario Office Scenario

Countermeasures- Shield keyboard, cable, motherboard and room- Encrypt bi-directional (PS/2) serial cable- Obfuscate scan matrix loop routine

Comments- Very thorough testing - Could improve the explanation of the building test scenario- Would have been interesting if they tested the outlined countermeasures

Questions ???