Researchers hack wired keyboards
One of the biggest threats to personal data and online security could be the ubiquitous wired computer keyboard, Swiss research has revealed.
Scientists from the Federal Institute of Technology in Lausanne (EPFL) have discovered that it is possible to remotely reproduce the keystrokes typed on a wired computer keyboard from as far as 20 metres away.
Doctoral students Martin Vaugnoux and Sylvain Pasini from the EPFL’s Security and Cryptography Laboratory demonstrated that the electromagnetic waves emitted every time you strike a key can be detected by a nearby antenna and interpreted by computer software to work out exactly what was typed.
The security researchers tested four hacking methods on 11 keyboards of different makes and models bought over the past eight years. The attacks they developed also worked with keyboards embedded in laptops.
They found that every keyboard tested was vulnerable to at least one of the four surveillance attacks.
In a web posting they concluded that “wired computer keyboards sold in the stores generate compromising emanations” and keyboards were therefore “not safe to transmit sensitive information”.
“Computer security is a pluri-disciplinary question. Keyboards are the first element in the chain and have been neglected in the past,” Vaugnoux told swissinfo.
Cost pressures
The researchers’ system can eavesdrop on someone typing up to 20 metres away, even if they are in the next room. That makes it possible to recover online bank details or PINs used at cash point machines, they claim.
In a video on the EPFL website showing their work, the researchers are seen testing keyboards to access keystrokes using just computers, antennae and specialised software.
“Our attacks can no doubt be significantly improved, since we used relatively inexpensive equipment,” they said.
The EPFL researchers believe keyboards endanger security largely because of “cost pressures in design”.
“We know how to protect keyboards against hacking. The solution is to house the keyboard in a Faraday cage [an earthed metal enclosure to exclude electrostatic influences], but this is very expensive, so companies don’t do it,” said Vaugnoux.
Keyboards certified to the US National Security Agency’s (NSA) TEMPEST standard, for example, cost hundreds of dollars, he added.
Keyboard manufacturer Logitech, which has close working ties with the EPFL and has an incubator on campus, rejected the idea that its equipment was unsafe to transmit sensitive information.
“We are very confident that our corded and cordless keyboards are fully secure,” Logitech spokesman Ben Starkie told swissinfo, while admitting that he was unsure whether the firm’s keyboards had been tested by the team.
Phreaking out
The EPFL researchers are currently awaiting the conclusions of a peer group review on their article on the technique and hope it will soon be published at an upcoming conference.
The team’s method is similar to a technique know as Van Eck phreaking developed by Dutch researcher Wim van Eck in 1985 to spy on computer monitors from a distance. The team’s research also builds on earlier work by Cambridge University computer security researcher Markus Kuhn, who looked at ways of using electromagnetic emanations to eavesdrop and hack information.
Using a radio antenna and radio receiver, in 2007 Kuhn managed to grab the image from a computer monitor through two intermediate offices and three walls.
Vaugnoux said it was difficult to say whether such hacking techniques were currently in use, but added that their research confirmed what had been widely discussed since the 1980s.
“People have written to me telling me that it’s possible and they’ve seen FBI training sessions where it’s done,” he said.
The government’s cyber crime unit, Melani, said it was not aware of any previous cases of emanation monitoring in Switzerland but said it could not exclude the possibility in the future.
swissinfo, Simon Bradley
Phishing: Fraudsters phish in order to gain confidential data from unsuspecting internet users. An example is account information from online auctioneers or access data for internet banking.
Malware: Comes from the words “malicious” and “software”. This is a generic term for software that carries out harmful functions on a computer, such as viruses, worms or Trojan horses.
The term TEMPEST was coined in the late 1960s and early 1970s as a codename for the NSA operation to secure electronic communications equipment from potential eavesdroppers and vice versa the ability to intercept and interpret those signals from other sources.
The government has set up a special unit within the Federal Police Office to coordinate the fight against cyber crime.
In response to a government decision in 2003, the finance ministry, alongside the Federal Police Office and the Swiss Education & Research Network, launched a reporting and analysis centre for information security.
A new law came into force in April banning spam.
Always keep anti-virus software updated.
Keep your operating system on the latest level of patching.
Use firewalls. Back up your data.
Keep a close eye on emails. If you don’t know where one has come from and it has an attachment which you are not sure about, delete it.
Caution on using links in emails. They may lead to websites that have been set up to cause you damage.
In compliance with the JTI standards
More: SWI swissinfo.ch certified by the Journalism Trust Initiative
You can find an overview of ongoing debates with our journalists here. Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.