Computer Keyboards Betray Users' Keystrokes To Radio Eavesdroppers

Two Swiss security researchers from the Security and Cryptography Laboratory at the Ecole Polytechnique Federale De Lausanne have published a video demonstrating how the electronic emanations from wired computer keyboards can be deciphered to reveal the user's keystrokes.

Using a laptop connected to a PS/2 keyboard, one of the researchers in the video typed the words, "Trust No One," in a nod to fans of The X-Files. The video then shows a program receiving data from an eavesdropping antenna and then converting that data into the typed words.

"We found four different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls," explain Martin Vuagnoux and Sylvain Pasini in an online post. "We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB, and laptop). They are all vulnerable to at least one of our four attacks."

The Kuhn attack refers to a computer security research paper published in 1998 by Markus G. Kuhn and Ross J. Anderson that describes the threat of a "Tempest virus" that "can attack computers not connected to any communication lines and situated in rooms from which the removal of storage media is prohibited."

Tempest is a code name used by the government to refer to a program to secure electronic devices from leaking information in the form of radio frequency waves, or electronic emanations. Some security researchers see Tempest as an acronym that stands for "TEMPorary Emanation and Spurious Transmission," though others offer alternate interpretations.

The Kuhn/Anderson paper focuses on reading radio frequency waves emanating from computer monitors.

But as the demonstration by Vuagnoux and Pasini suggests, any device that emits radio frequency waves may be vulnerable to a sophisticated eavesdropper. The two researchers conclude that wired keyboards are not safe to transmit sensitive information.

Given the risks of wireless keyboards, which require even less sophistication to intercept, it appears there is no safe way to enter sensitive information into a computer, apart from Tempest-protected equipment as described by various national communication security information memorandums.

But in all likelihood NSA spooks with antennas aren't waiting for you to type your bank logon details. So there's no need to panic yet. As to when cybercriminals might adopt this technique and go "wardriving" for logon details, that's a different question, one that may merit more than cursory consideration in coming years.

At the Black Hat conference in August, Eric Filiol, the head scientist at the French Army Signals Academy's Virology and Cryptology Lab, demonstrated a related form of a Tempest attack. He showed how malware could be used to encode a user's password into the Windows startup tone audio file and broadcast the encoded information in an audible sound that could be received using a microphone and deciphered.

Vuagnoux and Pasini say they plan to publish more information about their attack soon.