Compromising Electromagnetic Emanations of Wired and Wireless Keyboards

Computer keyboards are often used to transmit confidential data such as passwords. Since they contain electronic components, keyboards eventually emit electromagnetic waves. These emanations could reveal sensitive information such as keystrokes. The technique generally used to detect compromising emanations is based on a wide-band receiver tuned to a specific frequency. However, this method may not be optimal, since a significant amount of information is lost during the signal acquisition. Our approach is to acquire the raw signal directly from the antenna and to process the entire captured electromagnetic spectrum. Thanks to this method, we detected four different kinds of compromising electromagnetic emanations generated by wired and wireless keyboards. These emissions lead to a full or a partial recovery of the keystrokes. We implemented these side-channel attacks, and our best practical attack fully recovered 95% of the keystrokes of a PS/2 keyboard at a distance of up to 20 meters, even through walls. We tested 12 different keyboard models bought between 2001 and 2008 (PS/2, USB, wireless and laptop). They are all vulnerable to at least one of the four attacks. We conclude that most modern computer keyboards generate compromising emanations (mainly because of the cost pressures on manufacturers during design). Hence, they are not safe for transmitting confidential information.
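The abstract's central methodological point is that a receiver tuned to one frequency discards most of the information carried by a broadband emission, whereas capturing the raw signal and processing the whole spectrum keeps it. The following pure-Python simulation is an added illustration of that argument only; it is not the paper's acquisition or recovery code and does not model any real keyboard. It constructs a rectangular pulse train (standing in for any sharp-edged digital signal such as a clock line), measures how much of its energy a narrowband receiver centred on the strongest spectral line would retain, and shows that the narrowband version smears the pulse edges, so edge timing, which is exactly what a wideband time-domain capture preserves, is lost. The signal length, period and pulse width are constructed parameters, and the naive DFT is used only to keep the example dependency-free.

```python
"""Constructed demonstration: narrowband versus wideband capture of a
broadband pulse train. Pure Python (no numpy); O(N^2) DFT is fine for N=256."""
import cmath
import math

N = 256      # samples in the constructed capture
PERIOD = 32  # samples between pulses (a constructed clock-like train)
WIDTH = 4    # samples each pulse stays high
OFFSET = 8   # sample index at which the first pulse starts


def make_pulse_train(n=N, period=PERIOD, width=WIDTH, offset=OFFSET):
    """Constructed broadband signal: 0/1-valued rectangular pulses."""
    return [1.0 if offset <= (i % period) < offset + width else 0.0
            for i in range(n)]


def dft(x):
    """Plain discrete Fourier transform; bin k holds the component at k/N cycles per sample."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(spec):
    """Inverse DFT; returns the real part (the kept bins are conjugate-symmetric)."""
    n = len(spec)
    return [sum(spec[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]


def band_bins(n, lo, hi):
    """Bins lo..hi plus their conjugate mirrors, so a filtered signal stays real."""
    keep = set()
    for k in range(lo, hi + 1):
        keep.add(k % n)
        keep.add((-k) % n)
    return keep


def strongest_bin(spec):
    """Positive-frequency bin with the largest magnitude; where a receiver would be tuned."""
    n = len(spec)
    return max(range(1, n // 2 + 1), key=lambda k: abs(spec[k]))


def band_energy_fraction(x, lo, hi):
    """Share of the signal energy retained when only bins lo..hi pass (Parseval's theorem)."""
    spec = dft(x)
    keep = band_bins(len(x), lo, hi)
    total = sum(abs(c) ** 2 for c in spec)
    return sum(abs(spec[k]) ** 2 for k in keep) / total


def band_filter(x, lo, hi):
    """Ideal band-pass: zero every bin outside lo..hi (and mirrors), then transform back."""
    spec = dft(x)
    keep = band_bins(len(x), lo, hi)
    return idft([c if k in keep else 0 for k, c in enumerate(spec)])


def rise_time(x):
    """Samples between the first crossing of 10% and of 90% of the peak: 0 for a clean edge."""
    peak = max(x)
    start = next(i for i, v in enumerate(x) if v >= 0.1 * peak)
    end = next(i for i, v in enumerate(x) if i >= start and v >= 0.9 * peak)
    return end - start


def summarize():
    """Compare a single-bin receiver against a capture that keeps the whole spectrum."""
    x = make_pulse_train()
    f0 = strongest_bin(dft(x))
    full = len(x) // 2
    return {
        "strongest_bin": f0,
        "narrow_fraction": band_energy_fraction(x, f0, f0),   # one tuned bin
        "wide_fraction": band_energy_fraction(x, 0, full),    # entire spectrum
        "narrow_rise": rise_time(band_filter(x, f0, f0)),     # edges smeared
        "wide_rise": rise_time(band_filter(x, 0, full)),      # edges intact
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

For the constructed train the single tuned bin retains well under a third of the energy and turns each sharp edge into a slow sinusoidal rise several samples long, while the full-spectrum capture keeps all of the energy and the one-sample edges. Widening the pass band (for example bins 1 to 16) recovers more energy, which is the direction the abstract's approach takes to its limit.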
