Comments on: I can hear you typing...

Question: I can hear you typing...

disillusioned — Sun, 20 Jan 2008 22:42:54 -0800

Hi-tech key and datalogging: What crazy methods for remotely monitoring datastreams have you heard of?

I was talking to a friend about something related to keystroke monitoring, and I remembered hearing that some people had developed a proof of concept on monitoring keystrokes by their auditory signature—the sound of the user typing could be correlated to their keystokes based on frequency.

I also have heard of users being able to monitor LED light activity on an Ethernet interface to decode the data being sent...

And I think I saw something about being able to tap the EMI signal from a VGA cable, but I think the last two are nearly complete bullshit.

Can anyone cite any sources for those three methods? Or list any other crazy methods?

Many thanks!

By: cmonkey

cmonkey — Sun, 20 Jan 2008 22:46:46 -0800

Crafty types can eavesdrop on the contents of computer monitors.

By: pupdog

pupdog — Sun, 20 Jan 2008 23:46:56 -0800

van eck was what I came to mention, i also remember reading something about 'acoustic keylogging', but i think that it required a pretty hefty sample of known input to compare against. Kinda like how telegraph operators in WWII could be identified from their 'fist', or keying style.

By: hattifattener

hattifattener — Mon, 21 Jan 2008 00:56:53 -0800

Van Eck is the guy who's usually credited with CRT eavesdropping. TEMPEST is the US military certification for resisting such eavesdropping, but you'll often hear the eavesdropping itself called TEMPEST. I'm pretty sure that "Van Eck phreaking" is a misnomer that derives from Cryptonomicon.

You can eavesdrop on emissions from lots of things; serial cables (including pre-USB keyboard cables) are an excellent target. I no longer have a copy but I read an article on keyboard sniffing with an FM radio and simple hardware. (There was an unintended oscillation which was modulated by ground-bounce in the cable ... or something like that.) Computers are very noisy electromagnetically and almost all that noise carries some information about what the computer is doing.

pupdog, allegedly ten minutes of keyboard activity is enough to build a useful set of statistics: see here.

By: zabuni

zabuni — Mon, 21 Jan 2008 02:34:14 -0800

You don't even need to listen:

Timing Analysis of Keystrokes and Timing Attacks on SSH

By: enn

enn — Mon, 21 Jan 2008 06:06:59 -0800

Some researchers have done work on reconstructing the image on a CRT by monitoring the light levels so that, for example, even if you can't see the monitor itself, you can get an idea of its contents by looking at the flickering of the light reflected off walls. Unfortunately, I could only find this fairly technical paper [pdf].

Here are some interesting ideas on using the sound emanating from a motherboard to perform timing attacks.

All of these are types of side-channel attacks.

By: fishfucker

fishfucker — Mon, 21 Jan 2008 08:55:51 -0800

I also have heard of users being able to monitor LED light activity on an Ethernet interface to decode the data being sent...

Anecdotal, but when I was working in the tech security industry in the early 2000s, there was definitely a big to-do about this. Turns out that the light on modems/routers, etc would blink out the data stream (ie, 1 on, 0 off), and it was possible to decode this.

Interestingly enough, radio shack used to put out a cheap rolodex portable that used a similar principle to transfer data: instead of using infrared (the hot shit at the time), you'd hold the device up to your floppy drive light and it would blink out the data.

Here's an apparent cite, although I'll admit I haven't read it: Information Leakage from Optical Emanations (PDF) -- [Google HTML] . I think activity lights are no longer a direct on-off with the data stream because of this, but I haven't been following the trends in security for several years.

I've also been privy to hearsay about TEMPEST/CRT eavesdropping. When I visited Boeing with my company in early Sept 2001, they had a Faraday cage at the entrance to their building which our escort told us was there to cut down on this sort of thing (and probably cell phone/radio transmissions etc etc). Anyhow, it was serious enough that the big dogs were doing something about it.

By: fishfucker

fishfucker — Mon, 21 Jan 2008 08:58:01 -0800

Anecdotal, but when I was working in the tech security industry in the early 2000s, there was definitely a big to-do about this. Turns out that the light on modems/routers, etc would blink out the data stream (ie, 1 on, 0 off), and it was possible to decode this.

oh, and PS, there was also the classic story going around about the bumbling corporate response; something along the lines of how there were million-dollar studies on ways to defeat it, etc, etc, and then when it came down to it, most ops simply put a piece of duct tape over the led light.

By: Civil_Disobedient

Civil_Disobedient — Mon, 21 Jan 2008 16:34:49 -0800

able to tap the EMI signal from a VGA cable

Most cables are shielded enough to make this a fruitless exercise, but regardless... why bother? The cathode ray tube the VGA cable is plugged into will emit more than enough radiation to get a picture from a few dozen feet away.

By: jewzilla

jewzilla — Thu, 07 Feb 2008 08:55:52 -0800

It wasn't VGA but I used to be able to see a ghost of my computer monitor on my TV (on a different floor of the house) back in the early 90s. Enough that I could see the outlines of windows. Of course, I don't know if it was the graphics hardware emitting the EMI, the CRT, or the cable.