Tuesday, 21 October 2008

How private is private? Not so much.

Swiss PhD students from Swiss Ecole Polytechnique Federale de Lausanne have been trying to sniff data as it is typed on a keyboard. That is something that they are supposed to do since they work in the Security and Cryptography Laboratory there. They have been listening to the radio signals emitted by keyboards including laptop keyboards. They were doing this mostly with keyboards that were not attached to PCs to reduce the amount of radio mush that was in the environment. A quick attempt to recreate the experiment using a $4 radio purchased at Woolworths did not give any results but there is no doubt that snooping of this sort can be done.

The traditional way of using a radio to snoop on a computer was to look for emanations from a CRT – a conventional monitor has an electron stream whipping backwards and forwards, painting a frame dozens of times a second. With a monochrome monitor, this was easy enough but much harder with colour – and the higher resolution made it harder still. There was a paper written by Wim van Eck, a Dutch researcher, back in 1985 which described the technique. This became known as TEMPEST (Transient Electromagnetic Pulse Emanation Standard). This wasn’t too hard from CRTs because there was a lot of power going through the monitor and accordingly a lot of radio emanations to tap into.

There was also a technique referred to as optical TEMPEST that used the same principle as the light guns on the old Nintendo Entertainment System. The electron beam swept the screen 50 times a second on a conventional TV – actually twice 25 as the frame was interlaced with half of the picture painted each time. When the trigger was pulled on the light gun, the target (for example, a duck) blinked white and the light gun would, if correctly aimed, see this in its narrowly focussed barrel with its crude light sensor. No flash? You were not aimed at the target.

However, this could be refined. You could have a very fast camera look at the screen and record the variations in the luminance of the screen and work out what was being shown on screen. Ok, not so interesting because you can see the screen anyhow – but here was the kicker. You didn’t have to see the screen, only the light from the screen. That is reflected from things in the room and can, with the right equipment, be detected from a long way off. The reflection would vary microsecond by microsecond giving you a fuzzy rendition of the screen after much processing. Of course, none of this works with LCD monitors because they don’t scan that way. The monitor is always back lit and pixels change when they change – or more accurately, the red, green and blue elements change and several of these make up a pixel. Because the old techniques don’t work as well with LCD monitors, research has moved on to detecting the much smaller signals output by the digital electronics. This is a trickier proposition but not impossible, as has been shown here. In practice, it would be harder still to do because computers rarely live in an electrically quiet environment. They are often surrounded by other computers and sources of radio emissions. I am writing this from home and I live in the countryside. I can “see”:

- 4 wireless networks, one of which is mine
- My mobile phone which is connected to the provider, the wireless network and via Bluetooth to a keyboard
- My PC wireless keyboard
- My PC wireless mouse
- My toothbrush (I have an Oral B Triumph and it has its own wireless network. Why yes, I am a geek. Thanks for noticing)

Because it is cold, the fan heater is on and it is generating radio mush. I am listening to one of my favourite folk singers and the room is wired for Dolby surround sound and none of the speaker wires are shielded. Come to that, nor is the phone line that is carrying the broadband that I am posting this with is not shielded. That will be generating some noise. That is in a quiet country location. Imagine how much worse a city office is.

Of course, there is one advantage to these techniques over conventional key logging software that runs on the PC. These are undetectable. Key loggers can be detected if you know how they hide. However, key loggers can work even inside a Faraday cage. Still happy that your system is all that private?

Signing off

Mark Long, Digital Looking Glass Ltd

No comments: