Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Georgia Institute of Technology Researchers Bridge the Airgap 86

An anonymous reader writes Hacked has a piece about Georgia Institute of Technology researchers keylogging from a distance using the electromagnetic radiation of CPUs. They can reportedly do this from up to 6 meters away. In this video, using two Ubuntu laptops, they demonstrate that keystrokes are easily interpreted with the software they have developed. In their white paper they talk about the need for more research in this area so that hardware and software manufacturers will be able to develop more secure devices. For now, Faraday cages don't seem as crazy as they used to, or do they?
This discussion has been archived. No new comments can be posted.

Georgia Institute of Technology Researchers Bridge the Airgap

Comments Filter:
  • Add noise (Score:5, Interesting)

    by Anonymous Coward on Thursday January 29, 2015 @09:07AM (#48931071)

    I was working at a defense contractor in the '80's when the whole "Tempest" program started.

    Rather than shield equipment, we simply added a small amount of broadband noise.

    The problem isn't to limit emission: The problem is to frustrate detection.

    • Re:Add noise (Score:5, Interesting)

      by Crashmarik ( 635988 ) on Thursday January 29, 2015 @09:15AM (#48931101)

      Really it's amazing how easy it is for people to forget things like Van Eck phreaking http://en.wikipedia.org/wiki/V... [wikipedia.org] have been around for going on three decades now

      • by cdrudge ( 68377 )

        I was working at a defense contractor in the '80's when the whole "Tempest" program started.

        Really it's amazing how easy it is for people to forget things like Van Eck phreaking have been around for going on three decades now

        No, I don't thing people are forgetting things have been going on for three decades...

        • I think the main problem is that many people on here aren't old enough to remember those things in the first place. TEMPEST was big in the 80s and early 90s, but outside of military and electronic payment circles, people haven't been too concerned about it in the last 15 years. So it could possibly be new to a lot of the under-30 crowd.

    • Re: (Score:2, Informative)

      by cbelt3 ( 741637 )

      Yep. Ditto. I still recall one young smartass demonstrating to our boss that he could display what was on the Boss's computer monitor from about 30 feet away with an antenna and a circuit he built with a breadboard.

      A faraday cage IS the only way to protect against this with 100% reliability.

      • by Anonymous Coward

        Wrong: the cage only prevents the emf, none in or out. But the person in the cage needs information, therefore you break the cage by allowing filtered information access. Even that is "editable/recordable". More garbage.

        • by gnupun ( 752725 )

          What if there were five cages?
          1) computer box
          2) keyboard
          3) screen
          4) kbd cable from computer to keyboard
          5) shielded cable from computer to screen

          Won't this prevent cpu/screen/keyboard signals from being intercepted?

        • Re: Add noise (Score:4, Interesting)

          by cbelt3 ( 741637 ) <cbelt @ y a h o o.com> on Thursday January 29, 2015 @11:26AM (#48931989) Journal

          Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the 80's involved opto-isolators. Yes, that's right. Want to avoid radiating information ? Use light.

          Keep in mind that the structure of the faraday cage depends on the frequency of the data being transmitted. It does not have to be unbreakable tin foil. Properly sized metal mesh will also do the job. Just ask anyone who tries to get a Wifi signal through an old wall with expanded metal lath and plaster.

          • Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the 80's involved opto-isolators. Yes, that's right. Want to avoid radiating information ? Use light.

            this used to make sense to me, but now that I understand that light is just part of the EM spectrum, I find myself confused.

        • by gweihir ( 88907 )

          No, it does not even do that. It only weakens the signal.

      • by rtb61 ( 674572 )

        In actual use faraday cages can be readily subverted by incoming power lines. For a building wide faraday cage to be secure power lines must be conditioned to prevent data interception via subverted hardware within the faraday cage, otherwise that unsecured wire leads right from the supposedly secure hardware to a power station many kilometres away and connected to every other device hooked up to the same power source. Other things must also be looked at like water pipes, tapping into the earth circuit or

      • by gweihir ( 88907 )

        It is not. A Faraday cage is great for shielding a static E field (for this, it is perfect if made form a perfect conductor or you wait infinitely long), but it does exactly nothing for shielding the B part. Hence a Faraday cage _weakens_ electromagnetic radiation, but it does not block it completely. What you need is proper EM-shielding, which can be accomplished with any conducting material, but effect is dependent on thickness.

        It is fascinating though that you think a Faraday cage would give you 100% rel

    • Re:Add noise (Score:4, Interesting)

      by fuzzyfuzzyfungus ( 1223518 ) on Thursday January 29, 2015 @09:36AM (#48931231) Journal
      I'd be curious to know (I'm definitely underinformed, so this is an honest question) whether that tactic has lost some effectiveness over time. The classic monitoring-RF-to-read-CRTs stuff depended on getting an adequately clean copy of the distinctly analog output of the CRT. Now, all signals are fundamentally analog signals; but digital signals are analog signals designed to make guessing the correct value really easy(since there are only two possibilities, rather than an arbitrary number of them); and now more than ever it's a safe guess that sensitive data will be heading over a number of RF-emitting digital busses, from the keyboard to the computer, within the computer, and likely to the monitor as well.

      Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?
      • Re:Add noise (Score:5, Informative)

        by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Thursday January 29, 2015 @11:19AM (#48931925)

        I'd be curious to know (I'm definitely underinformed, so this is an honest question) whether that tactic has lost some effectiveness over time. The classic monitoring-RF-to-read-CRTs stuff depended on getting an adequately clean copy of the distinctly analog output of the CRT. Now, all signals are fundamentally analog signals; but digital signals are analog signals designed to make guessing the correct value really easy(since there are only two possibilities, rather than an arbitrary number of them); and now more than ever it's a safe guess that sensitive data will be heading over a number of RF-emitting digital busses, from the keyboard to the computer, within the computer, and likely to the monitor as well.

          Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?

        Well, it has lost a lot of effectiveness because we switched from CRTs to LCDs - a CRT has very distinct emission patterns because it has to drive the electron beam around. So you can detect when the syncs happen because they're driven by huge magnetic field coils on the side of the CRT in a standard frequency and pattern (vsync happens at the Hz level, hsync at the kHz level), and the amplifiers that drive the electron guns emit a lot of RF as they operate.

        These days the emissions are far lower because we're not having to accelerate an electron beam, so the amplitudes are lower. Sure you can sniff the signal cabling but unless you're using analog cabling, most external signalling use a form of encoding that's designed to minimize RF emissions. Not because of Van Eck, but because they want to spread the peaks of emissions across a broadband range which makes it easier to pass RF emissions tests (e.g., FCC emissions tests).

        So using a DVI or HDMI cable causes the signal to smear (TMDS - transition minimized differential signalling - transitions cause the big spikes in RF emissions, so if you can minimize them, you can increase rise/fall times which lowers RF emissions, spreading and smearing the signal across a wider frequency band and trying to hide it in the noise).

        Of course, most digital busses don't do this (they assume the entire system will be RF shielded), same as CPUs so with the right receiver, those signals show up pretty clearly, especially if you can compromise the RF shielding.

    • Yeah, I know that one. It's like singing in the bathroom so nobody hears you farting.

      Fortunately/unfortunately (depending on your POV) it's getting easier to detect the signal inside the noise.

  • Old news (Score:5, Insightful)

    by Anonymous Coward on Thursday January 29, 2015 @09:14AM (#48931097)

    Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modules the CPU usage.

    You don't need any fancy equipment, any AM radio will do.

    • Speaking of AM radios and software on the victim computer: this classic [erikyyy.de].

      Unfortunately only works on CRTs; but it's a heartwarmingly neat trick.
      • by jtara ( 133429 )

        Very, very old news.

        We did this circa 1971 in High School, Cass Technical High School, Detroit, Michigan [wikipedia.org] placing an AM radio on the console of an IBM 1620 [wikipedia.org].

        There was a program you could load that would play a tune. But we would also just leave the radio there during normal use. We swore we could tell when the Fortran compiler was processing a FORMAT statement:

        Bloop! Bloop! (pause) Bloop! Bloop! (pause) Bloop! Bloop! (pause) Brawwwww! Brawwwwww! Brawwwwww! Brawwwwww!

        (The last bit is the FORMAT statement

    • Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modules the CPU usage.

      You don't need any fancy equipment, any AM radio will do.

      Given how successful Stuxnet was at infecting across the airgap (by way of poor USB policies) it is rather plausible that you could rely on a trojan horse (in the most literal sense of the term) to get inside and start broadcasting sensitive information out, be they keystrokes or fragments of files or whatever.

    • by dissy ( 172727 )

      Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modules the CPU usage.
      You don't need any fancy equipment, any AM radio will do.

      That reminds me of the Altair 8800 [wikipedia.org] and what some call the machines first program that actually "did something", which ran various lengths of different timing loops in the CPU which had the effect of playing Fool on the Hill as RF interference on an AM radio placed near by.

      https://www.youtube.com/watch?... [youtube.com]

  • by Anonymous Coward

    security measures are security measures, whether the threat is real or perceived is irrelevant.

    • by Anrego ( 830717 ) *

      It's a risk/cost analysis.

      Tempest protected equipment is readily available from any number of suppliers. If you want to spend the price of a car for a shitty mid-range desktop that'll probably protect you from this kind of attack, the option is there and has been for some time.

    • Re:define crazy. (Score:5, Insightful)

      by fuzzyfuzzyfungus ( 1223518 ) on Thursday January 29, 2015 @09:43AM (#48931301) Journal
      The trick is that security measures have costs, in time, money, user convenience, etc. and it is considered 'crazy'(in the weak sense of 'not sensible', not the psych-ward sense) to voluntarily impose costs on yourself that are out of proportion to the costs of the expected threat.

      There's always something you could be doing more securely; but only sometimes is it worth it.
  • When I was with the government, we had to have specially shielded computers for classified material viewing (albit maybe not as good as they claimed). My office did not even possess the devices so we were only able to receive classified correspondence by secure phones or packages. This could be a problem like the rf id credit cards..you have to know what your doing to protect yourself. Maybe Apple Pay works the same way?
  • Faraday cages around what?

    If you can get that near to a keyboard, you'd just use an electronic device recording the reflection of photons off the keyboard.
    It's called a camera.

    • by cdrudge ( 68377 )

      Last I checked, cameras don't work from the adjacent office. Or floor above or below. Or any other place that would block optical spying but not from picking up EM radiation.

  • by Lawrence_Bird ( 67278 ) on Thursday January 29, 2015 @09:37AM (#48931237) Homepage

    Somehow I don't think a secure location is going to be too worried about this type of attack unless someone can show it working with an extremely small receiver which is also able to log the data for later use. Also note that even at the slow rate she was typing it still missed characters.

    So while academically interesting, this seems to be something of very limited concern. Of course, if you see an antenna like that in the coffeeshop you might want to leave.

  • Seems like there are some really easy ways to prevent some sort of EM signature from leaking.

    • people throw around the term "Faraday cage" without understanding. Real world faraday cages *attenuate*, they do not completely block signals.

      • If sufficiently attenuated then whether it is totally eliminated or not becomes irrelevant.

        What is more, if specific frequencies are specifically interfered with then snooping on the radiation becomes pointless.

        The two things people are saying works is kicking out some interference and/or blocking the signals. But really in either case you only need to infer with it to a point. Once it is garbled or attenuated enough that it cannot practically be detected/decoded then who cares. Listen to the white noise at

    • by Qzukk ( 229616 )

      Faraday cages are nice until you need to stick a wire through them to plug into the wall. Enjoy your battery life (and/or jiggawatt laser outside pointed through the mesh at a solar panel inside)

      • There's no reason it shouldn't work with a power cable going into it. I don't know what you're talking about.

        If the cage is grounded and has only very small holes in it then it shouldn't matter.

        Correct me if I am wrong. This is my understanding of the principle.

        • by Qzukk ( 229616 )

          As I understand it, the cable would become an antenna for whatever's going on in the cage.

          • from wikipedia:

            ""Examples

            A microwave oven utilises a Faraday cage, which can be partly seen covering the transparent window, to contain the electromagnetic energy within the oven and to shield the exterior from radiation.

            Elevators and other rooms with metallic conducting frames simulate a Faraday cage effect, leading to a loss of signal and "dead zones" for users of cellular phones, radios, and other electronic devices that require external electroma

  • Faraday's cages for CPUs not as crazy as driving a panel truck wired up with all the gizmos from AWACS and park it across the Russian embassy and trying to detect the EM radiation from the CRT terminals.

    BTW FCC radiation limits prevent CPU from emitting too much radiation.

    • I'm going to have to assume that the computers logged were using FCC-compliant CPUs, seeing as nothing was said about using special noisy CPUs.

      For keyloggers, obviously shielded keyboard electronics and cables helps. Once it gets into the CPU, a lot of other noisy things are also happening. Although strewing a couple of modules around the site that do nothing much more than emit random character codes in the same RF format would be worth considering.

  • As others have already noted, this is an old, old tactic. I'm a bit surprised that you can correlate enough of the broadband scream produced by a modern laptop to tease out keystrokes reliably, but not that suprised.

    It's only "crazy" if you're spending disproportionate time, effort and money to conceal your boring, inconsequential data. And in these days of big-data sieves and ubiquitous surveillance, "boring" and "inconsequential" aren't what they used to be.

    • by mlts ( 1038732 )

      I would guess it would be cheaper in most cases for an attacker to black-bag the hardware (evil maid attack), or just use xkcd.com/538 and a wrench.

      TEMPEST attacks are very low on my worry list. If I were running an organization that dealt with that sensitive a data, it would be well tucked away in a building designed from the ground up to keep cameras and detectors quite a ways from the juicy stuff. However, before I even bothered with that, I'd be working on physical security, network security, various

  • by ramriot ( 1354111 ) on Thursday January 29, 2015 @09:43AM (#48931295)

    Firstly this is old news,
    Secondly almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise. So its a nice idea that if you have access to put software on the PC you can later get it to emit information, but it you are going to do that then why not use what else is there because how often is all the targets other wireless interfaces fully disabled. I suspect unless your name is Snowden, not very often. Further, if you are that worried about leaking information that you go fully air gapped you would not be trusting a malleable OS to run from, much better to run from a live CD.

    • Secondly almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise.

      At that point it's no longer 'bridging the air-gap' (which typically means exploiting across the air gap), it's communicating between two friendly entities through the air.
      Which we've been doing for literally hundreds of millions of years.

  • Back in the late 70's to mid 80's, this was a common enough technique that the US developed a secret system known as Tempest Shielding. In simple terms it was an active radio/electronic field around a sensitive device that was designed to block such electronic snooping. Georgia Tech has successfully recreated a technique used long before any of the researches existed.
  • There was a reason DoD was concerned about this sort of monitoring many decades ago. Electronics were shielded to prevent EM tradition form being used to deduce what was being done.
  • There used to be an option in BIOS'es (may still be there, don't know) to enable spread spectrum clocking. This basically caused the system to slightly vary (spread out) various clocking signals in order to lower emissions at a particular frequency in order to pass FCC inspections.

    This thing requires malware to be installed anyway, at that point it's trivial to do anything. You could send things through any port which many computers have webcam lights, backlights and status indicators that can be controlled

  • Geez, 30 years ago we were given a demonstration of snooping on non-Tempest equipment, with a van parked outside of our offices, showing keystrokes and fuzzy images of our monitors.

    When I went to work at the RASC at Camp Kinser, just north of Naha (The mainframes were all housed in a building on the south side of the base, closest to the piers), there was always one or two Soviet "Fishing" vessels docked, with all sorts of crazy antennas (directional ones pointed at Camp Kinser), satellite dishes and such.

    T

  • Years ago it was shown that electronic noise emitted by keyboards and mice could be easily retrieved with some cheap off the shelf hardware even from across a street. That is the reason why many government agencies are dusting off the mechanical typewriters.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...