3. First Attack: Theory
4. The PS/2 Signal
6. Data Analysis
8. Attack Scenario and Workarounds
9. Second Attack: Theory
11. Data Analysis
13. Attack Scenario and Workarounds
--[ 0. DISCLAIMER
All the equipment and/or circuits and/or schematics provided in the
presentation must be treated as examples, use the presented information at your
own risk, remember safety first.
--[ 1. Introduction
The exploitation of Electromagnetic Emanations andsimilar Side Channels has
always been one of the most interesting and "exotic" areas of attack in the
In the late 60's and early 70's the term TEMPEST was coined to title an NSA
operation which aimed to secure electronic equipment from leakage of
compromising emanations. Well known TEMPEST research describes remote
eavesdropping of CRT displays and most recently LCD displays,as well as
optical emanations from appliances LED indicators.
Our research details two attacks, one against wired PS/2 keyboards, the other
against laptop keyboards using respectively power line leakage and optical
sampling of mechanical energy.
We describe how using relatively cheap homemade hardware we can implement basic
but powerful techniques for remotely eavesdropping keystrokes.--[ 2. Motivation
The two presented attacks partially builds upon existing concepts and
techniques, but while some of the ideas might have been publicly hinted, no
clear analysis and demonstration has ever been presented as far as we know.
Our goal is to show that information leaks in the most unexpected ways and can
be indeed retrieved. If our small research was able to accomplishacceptable
results in a brief development time (approximately a week of work) and with
cheap hardware, consider what a dedicated team or government agency can
accomplish with more expensive equipment and effort.
We think it is important to raise the awareness about these unconventional
attacks and we hope to see more work on this topic in the future.
Last but not least.....hardwarehacking is cool and everyone loves laser beams
(this will make sense).
--[ 3. First Attack - Theory
The PS/2 cable of wired keyboards and mice carries the following wires:
- Pin 1: Data / 6||5 \
- Pin 3: Ground | 4 || 3 |
- Pin 4: +5 V DC \ 2 1 /
- Pin 5: Clock ----
- Pin 2/6:Unused
As the wires are very close and not shielded against each other it is theorized
that a fortuitous leakage of information goes from the data wire to the ground
wire and/or cable shielding due to electromagnetic coupling.
The ground wire as well as the cable shielding are routed to the main power
adapter/cable ground which is then connected to the power socket and finally
This eventually leads to keystrokes leakage to the electric grid which can then
be detected on the power plug itself, including nearby ones sharing the same
There might be other factors responsible in minor part for the signal
interference like power fluctuations of the keyboard microcontroller, they are
difficult to pinpoint but if present they can only augment theinformation
The clock frequency of the PS/2 signal is lower than any other component or
signal emanated from the PC (everything else is typically above the MHz), this
allows noise filtering and keystrokes signal extraction.
There has been some documentation suggesting the possibility of this attack in
literature, though no extensive research is available. Recently a separate...
Leer documento completo
Regístrate para leer el documento completo.