How to use electrical outlets and cheap lasers to steal data

Eugen Leitl eugen at leitl.org
Mon Oct 5 10:03:43 PDT 2009 

http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/export/home/httpd/htdocs/news/2009/070909-electrical-data-theft.html&pagename=/news/2009/070909-electrical-data-theft.html&pageurl=http://www.networkworld.com/news/2009/070909-electrical-data-theft.html&site=security

How to use electrical outlets and cheap lasers to steal data

Researches plan to demonstrate security weaknesses of keyboards at Black Hat.

By Tim Greene , Network World , 07/09/2009

If attackers intent on data theft can tap into an electrical socket near a
computer or if they can draw a bead on the machine with a laser, they can
steal whatever is being typed into it.

How to execute these attacks will be demonstrated at the Black Hat USA 2009
security conference in Las Vegas later this month by Andrea Barisani and
Daniele Bianco, a pair of researchers for network security consultancy
Inverse Path.

bThe only thing you need for successful attacks are either the electrical
grid or a distant line of sight, no expensive piece of equipment is
required,b Barisani and Bianco say in a paper describing the hacks.  Diagram
showing where data is stolen Click to see: Diagram showing where data is
stolen

The equipment to carry out the power-line attack could cost as little as
$500, and the laser attack gear costs about $100 if the attacker already owns
a laptop with a sound card, says Barisani. Carrying out the attacks took
about a week, he says.

bWe think it is important to raise the awareness about these unconventional
attacks and we hope to see more work on this topic in the future,b Barisani
and Bianco say in their paper. Others with more time and money could
doubtless create better spying tools using the same concepts, they say.

In the power-line exploit, the attacker grabs the keyboard signals that are
generated by hitting keys. Because the data wire within the keyboard cable is
unshielded, the signals leak into the ground wire in the cable, and from
there into the ground wire of the electrical system feeding the computer. Bit
streams generated by the keyboards that indicate what keys have been struck
create voltage fluctuations in the grounds, they say.

Attackers extend the ground of a nearby power socket and attach to it two
probes separated by a resistor. The voltage difference and the fluctuations
in that difference b the keyboard signals b are captured from both ends of
the resistor and converted to letters.

To pull the signal out of the ground noise, a reference ground is needed,
they say. bA breferenceb ground is any piece of metal with a direct physical
connection to the Earth, a sink or toilet pipe is perfect for this purpose
(while albeit not very classy) and easily reachable (especially if you are
performing the attack from [a] hotel room,b they say in their paper.  Since
keyboards and mice signals are in the 1 to 20 kHz range, a filter can isolate
that range for listening, they say.

Variations in individual keyboards and mice result in each keyboard signaling
in a slightly different frequency range. With careful filtering, that makes
it possible to zero in on a particular keyboard in an environment where many
keyboards are in use, the researchers say.

The attack proved successful when tapping electric sockets located up to 15
meters from where the target computer was plugged in the researchers say.

This method would not work if the computer were unplugged from the wall, such
as a laptop running on its battery. The second attack can prove effective in
this case, Biancobs and Barisanibs paper says.

Attackers point a cheap laser, slightly better than what is used in laser
pointers, at a shiny part of a laptop or even an object on the table with the
laptop. A receiver is aligned to capture the reflected light beam and the
modulations that are caused by the vibrations resulting from striking the
keys.

This modulation is converted to an electrical signal that is fed into a
computer soundcard. bThe vibration patterns received by the device clearly
show the separate keystrokes,b the researchersb paper says. Each key has a
unique vibration pattern that distinguishes it from the rest. The spacebar
creates a significantly different set of vibrations, so the breaks between
words are readily apparent.

Analyzing the sequences of individual keys that are struck and the spacing
between words, the attacker can figure out what message has been typed.
Knowing what language is being typed is a big help, they say.

Laptop lids, especially shiny logos and areas close to the hinges, provide
the most easily read vibrations.

Anyone worried about this type of attack can make sure there is no line of
sight to the laptop, move position frequently while typing and polluting the
signal by striking random keys and later deleting them with the backspace
key.

While they admit their hacking tools are rudimentary, they believe they could
be improved upon with a little time, effort and backing.

bIf our small research was able to accomplish acceptable results in a brief
development time (approximately a week of work) and with cheap hardware,b
they say. bConsider what a dedicated team or government agency can accomplish
with more expensive equipment and effort,b

More information about the cypherpunks-legacy mailing list