Boffins sniff keystrokes with lasers, oscilloscopes

Eugen Leitl eugen at
Wed Mar 25 09:55:21 PDT 2009 

Boffins sniff keystrokes with lasers, oscilloscopes

I know what you typed last summer

By Dan Goodin in Vancouver

Posted in Security, 19th March 2009 23:30 GMT

CanSecWest: Researchers have devised two novel ways to eavesdrop on people as
they enter passwords, emails, and other sensitive information into computers,
even when they're not connected to the internet or other networks.

Exploiting vibrational patterns and electromagnetic pulses that emanate with
every character entered, the Italian researchers are able to remotely sniff
keystrokes from significant distances. The techniques use inexpensive
equipment and can be hard for targets to detect, making them ideal for
snooping on unsuspecting people in the office or building next door.

"The data is there," Andrea Barisani, of security firm Inverse Path, told
those attending the CanSecWest security conference in Vancouver, British
Columbia. "That's the important thing you need to know: whenever you type
your data goes somewhere else. Not many people think about that."

The first method involves the use of laser microphones, which have long been
the stuff of thrillers with spies who eavesdrop on conversations spoken from
afar. By pointing the devices at windows, snoops can read the sound waves and
then reconstruct the words that are being spoken.

Barisani, who was joined on stage by fellow Inverse Path colleague Daniele
Bianco, said laser microphones can be trained on a laptop computer or desktop
keyboard to similarly read the characters being entered. Because each
keystroke has a distinctly different sound vibration, it is possible to
remotely discern the characters by capturing the sound and then subjecting it
to analysis.

The process is akin to the way secret codes are often cracked. An
eavesdropper first figures out which sound represents the space bar. From
there, he compares the input against words in a dictionary for likely
matches. The more input the device picks up, the more accurate it becomes.
Because keystrokes sound different for different people, a snoop would need
to learn the distinctive sounds of each person being spied on.

Of course, the technique requires the eavesdropper to have a clean line of
sight to the target PC, but it remains suitable for snooping on people typing
in public places or next to windows. An attacker can also use one line of
sight to point the laser on the victim and a separate straight line to
receive the signal that's bounced back for analysis. What's more, infrared
lasers can be used to escape detection.

There is another way

The second spying method uses electro-magnetic pulses to discern which key
has been tapped. By tapping into the local grid that's powering the target
PC, an attacker can measure leaked electrical currents that change with every
keystroke. The patterns are captured using an oscilloscope and then subjected
to filtering, which can isolate each individual keystroke. The technique
works at distances of 15 meters, but the researchers said with more expensive
equipment it could work as far away as 100 meters.

The technique does come with one significant limitation: It works only for
keyboards using a PS/2 connector. USB keyboards and keyboards for laptops are
immune, and Barisani said it will be hard to overcome the limitation.

The techniques outlined Thursday contribute to research first disclosed in
October by scientists in Switzerland. They showed it was possible to use a
variety of methods to capture keystrokes of PS/2, universal serial bus or
laptop keyboards. The researchers, from the Security and Cryptography
Laboratory at Ecole Polytechnique Federale de Lausanne, are expected to
formally release their research paper soon.

Despite their limitations, the more recent techniques remain impressive
because they use off-the-shelf components that can be put together at little
expense and without much expertise. The method involving the laser microphone
costs only about $80. The other comes to less than $200.

It's also worth noting that Barisani and Bianco developed the techniques in
their spare time over the course of some five weeks.

"We're part-time hackers working on weekends," Barisani said. "Imagine what a
determined government agency can do."
