Sniffing keystrokes via laser and keyboard power

Sniffing keystrokes via laser and keyboard power

Summary: Presenters at the CanSecWest security conference detailed on Thursday how they can sniff data by analyzing keystroke vibrations using a laser trained on a shiny laptop.


The arrow is pointing to what a stroke on the space bar looks like on a spectrogram. (Credit: Inverse Path)

VANCOUVER, B.C.--Presenters at the CanSecWest security conference detailed on Thursday how they can sniff data by analyzing keystroke vibrations using a laser trained on a shiny laptop or through electrical signals coming from a PC connected to a PS/2 keyboard and plugged into a socket.

Using equipment costing about $80, researchers from Inverse Path were able to point a laser on the reflective surface of a laptop between 50 feet and 100 feet away and determine what letters were typed.

Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping that's typically used for speech recognition applications, to measure the similarity of signals.

Line-of-sight on the laptop is needed, but it works through a glass window, they said. Using an infrared laser would prevent a victim from knowing they were being spied on.

The only real way to mitigate against this type of spying would be to change your typing position and mistype words, Barisani said.

Also from CanSecWest:
- Hacker exploits IE8, Firefox, Safari
- Questions for Pwn2Own hacker Charlie Miller

In the second attack method, the researchers were able to spy on the keystrokes of a computer which was using a PS/2 keyboard through a ground line from a power plug in an outlet 50 feet away.

"Information leaks to the electric grid," said Barisani. "It can be detected on the power plug, including nearby ones sharing the same electric line" as the victim's computer.

The researchers used a digital oscilloscope and analog-digital converter, as well as filtering technology to isolate the victim's keystroke pulses from other noise on the power line.

Their initial test, which took about five days to prepare and perform, enabled them to record individual keystrokes but not continuous data such as words and sentences, though they expect to be able to do that within a few months, Barisani said.

In addition to being used to sniff a neighbor's keystrokes in a nearby room, the attack could be used to sniff data from ATM machines that use PS/2 or similar keypads, Barsani said. The attack does not work against laptops or USB keyboards, he said.

The attacks are similar to other recent research that involves sniffing keystrokes through a wireless antenna.

And of course there is the big daddy of these types of remote sniffing attacks, TEMPEST, which allows someone with a lot of expensive equipment to sniff the electromagnetic radiation emanating from a video display.

The new attacks are easier and can be accomplished at lower cost, the researchers said.

This article was originally posted on CNET News.

Topics: Laptops, Hardware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Meh

    Keystrokes make noises. The frequency spectrum of each key on the keyboard is unique. Lasers have been used to detect sound for decades. So, using a laser to sniff keystrokes is the obvious next step. I'm sure this practice is well established by now.
    • Though I wonder how well the electrical

      technique works when the computer is plugged into a battery backup/surge protector unit?
      • I think the real issue is how accessible is the technology to do this?

        If it's very accessible then we have a problem. If it requires a lot of work then we're fine because the people who really have to worry (secure government facilities) should already have solutions for this.

        The only thing new here may be the costs and accessibility of this type of spying.

        As for the UPS/surge protector making a difference I doubt it. It may scramble the signal more, but the data is not lost. According to the laws of entropy information cannot be destroyed it can only be created.

        If the UPS scrambles it enough that the information is hard to retrieve then that may be enough. However, if you really need this kind of security then I would expect a bit more than a UPS as your solution.
        • Solution

          So how much is it worth to these secure government facilities if I tell them the answer? I am starving and they are rolling in dough, and they may even use it against me.

          Oh, what the heck. Let's try an M-G set. Just an itty bitty motor-generator set, AC in and DC out or AC both sides with a rectifier on the output. You are transmitting power from one circuit to the other mechanically, not electrically. If that won't fly, there's more where that came from, for a price.
          • With current technology that's probably enough

            however, that would only weaken the signal not eliminate it. Then again destroying office documents with an atom bomb doesn't destroy the data, it just makes it so hard to rebuild that it's "practically" impossible.

            Of course to know how effective any solution would be, you must test it in a real world situation.
        • ??

          Is it actually being transmitted THROUGH the wire into the outlet? Or (what I thought it was talking about) that they could read the magnetic interference leakage? If thats the case I don't think a UPS would make much of a difference.
          • Oscilloscopes connect to lines

            They do not read magnetic interference, at least not directly.

            Although, EMF leaks are an issue too. However, government and military installations have considered EMF leaks for decades as well as the issue of EMF pulses (which can be used as weapons, and are a by product of nukes). So at least they would likely have very good solutions for such problems by now.
      • Only with specific type(s)

        A real UPS, one utilizing a battery charger converting AC to DC and charging batteries, which then power an inverter, converting DC to AC, would do it. This interrupts the ground loop, breaking the cycle.

        The standard UPS of today would not. They're switching units, switching to an on state when disruption is detected, keeping the standard ground loop in place at all times.
        Dr. John
  • Guess it's not a joke

    I had to check the date when I read about "dynamic time warping". Didn't you post this nine days too early?
    • No, it's not a joke

      Dynamic Time Warping is indeed a "fishy" name, but it's a real algorithm nevertheless:
  • This is old hat

    There are groups (not to be named) that have been doing this type of thing for a very long time.
    Keeping Current
    • Same thing I said

      in different words though. I can say at least one name KGB...