Compromising Electromagnetic Emanations of Wired and Wireless Keyboards
Presented By: Justin Rilling
Written By: Martin Vuagnoux and Sylvain Pasini
Outline
- Introduction
- Paper Contributions
- Experimental Setup
- Description of Attacks
- Results
- Countermeasures
- Comments
- Questions
Introduction
- This paper evaluates four types of keyboards (PS/2, USB, laptop, and wireless)
- Defines four types of attacks. All the keyboards tested were vulnerable to at least one type of attack (one attack recovered 95% of keystrokes 20m from the keyboard through walls)
- Tests electromagnetic vulnerability in different environmental scenarios (low noise, office, adjacent office, and building)
Contribution
- Determined the practical feasibility of eavesdropping on keystrokes
- Used the “Full Spectrum Acquisition Method” to detect electromagnetic radiation that may be missed by traditional methods
Experimental Setup
Falling Edge Transition Technique (FETT)
[Figure: PS/2 data frame 0 0 0 1 0 0 1 0 0 1 1, labeled Start Bit, Scan Code 0x24 = ‘E’, Odd Parity Bit, Stop Bit]
- Were able to detect the falling edges of the PS/2 data line
- On average, can reduce the keystroke to 2.42 possible keys
The Generalized Transition Technique (GTT)
- A band-pass filter (105-165MHz) is used to improve the SNR, which allows the authors to extract the rising and falling edges of the data line
[Figure: filtered trace with a Threshold Line, decoded as 0 0 0 1 0 0 1 0 0 1 1]
The Modulation Technique (MT)
- They were also able to find frequency and amplitude modulated harmonics at 124MHz that correspond to the data and clock signals
- This attack is able to fully recover all keystrokes
- These types of electromagnetic waves are interesting because they carry further than those discussed in the previous two attacks
The Matrix Scan Technique (MST)
[Figure: keyboard scan matrix with three Driver lines and three Detector lines; keys shown: w, s, x, e, d, c, q, a, z]
- This attack worked on almost every keyboard
- On average, could reduce the keystroke to 5.14 possible keys
Accuracy
- GTT - Able to recover all keystrokes correctly
- MT - Able to recover all keystrokes correctly
- FETT - Can reduce the keystroke to 2.42 possible keys on average
- MST - Can reduce the keystroke to 5.14 possible keys on average
Effectiveness on Various Types of Keyboards
Range of Attack
[Figures: range of attack in the Low Noise Scenario and the Office Scenario]
Countermeasures
- Shield keyboard, cable, motherboard and room
- Encrypt bi-directional (PS/2) serial cable
- Obfuscate scan matrix loop routine
Comments
- Very thorough testing
- Could improve the explanation of the building test scenario
- Would have been interesting if they tested the outlined countermeasures
Questions ???