Compromising Electromagnetic Emanations of Wired and Wireless Keyboards Written By Martin Vuagnoux and Sylvain Pasini Presented By Justin Rilling Outline Introduction Paper Contributions Experimental Setup Description of Attacks Results Countermeasures Comments Questions Introduction This paper evaluates four types of keyboards PS 2 USB laptop and wireless Defines four types of attacks All the keyboards tested where vulnerable to at least one type of attack One attack recovered 95 of keystrokes 20m from the keyboard through walls Tests electromagnetic vulnerability in different environmental scenarios Low noise office adjacent office and building Contribution Determined the practical feasibility of eavesdropping on keystrokes Used the Full Spectrum Acquisition Method to detect electromagnetic radiation that may be missed by traditional methods Experimental Setup Falling Edge Transition Technique FETT Start Bit Scan Code 0x24 E 000 1 00 1 00 1 1 Odd Parity Bit Stop Bit Falling Edge Transition Technique FETT Were able to detect the falling edges of the PS 2 data line On average can reduce the keystroke to 2 42 possible keys The Generalized Transition Technique GTT A band pass 105 165MHz filter is used to improve the SNR which allows the authors to extract the rising and falling edges of the data line 000 100 10011 Threshold Line The Modulation Technique MT They were also able to find frequency and amplitude modulated harmonics at 124MHz that correspond to the data and clock signals This attack is able to fully recover all keystrokes These types of electromagnetic waves are interesting because they carry further than those discussed in the previous two attacks The Matrix Scan Technique MST Driver Driver Driver q w e Detector a s d Detector z x c Detector The Matrix Scan Technique MST This attack worked on almost every keyboard On average could reduce the keystroke to 5 14 possible keys Accuracy GTT Able to recover all keystrokes correctly MT Able to recover all keystrokes correctly FETT Can reduce the keystroke to 2 42 possible keys on average MST Can reduce the keystroke to 5 14 possible keys on average Effectiveness on Various Types of Keyboards Range of Attack Low Noise Scenario Office Scenario Countermeasures Shield keyboard cable motherboard and room Encrypt bi directional PS 2 serial cable Obfuscate scan matrix loop routine Comments Very thorough testing Could improve the explanation of the building test scenario Would have been interesting if they tested the outlined countermeasures Questions