Doing the rounds again this week is the old news that the accelerometers in various devices, notably the iPhone, can be used to spy on a users input. In 2009 they were claiming 80% accuracy on iPhone 4.(1)
Tiny variations in the movement of the phone can be decoded to tell almost exactly where people are pressing on the screen, and though the OS won’t let other applications access the keyboard to see what the user is inputting into password boxes, access to the accelerometer is allowed so that things like the little program that tracks how many steps you’ve taken today can work nicely. Also, because it is a fairly novel attack, people are less likely to query why an App wants access to it, unlike, for instance, the GPS or microphone. Listening carefully to those tiny movements lets a program track the tilt of the device, and from this a password can be determined without reference to the actual keyboard input.
Thinking of listening carefully, it turns out that at least a few years ago someone worked out that you could do this with audio inputs too.(2) If you can determine which make and model of a keyboard is in use, then you can use a statistical analysis of the timings of key presses and the slight variations of the sounds of each keypress. This lets you work out a likely password. If it is a specific model of laptop, then it turned out to be quite trivial, as the variation between devices is very small, giving greater accuracy. The same would be true of a smartphone.
Another way your keyboard can be sniffed is by bouncing a laser off it. Other security researchers who followed the acoustic snooping further found that it was quite hard to do from a distance, so they turned to a laser microphone, giving them greater range. (3) Using an IR laser to bounce off a keyboard gave them useful results from outside hearing range.
Wireless keyboards have also been found to be wanting, security-wise. Every keypress is sent via a short range radio link to the receiver that turns it into a keypress for the PC to understand. The most common of these use no encryption what-so-ever, making recovery trivial. In fact, the only one that takes any precaution is the Microsoft Wireless Keyboards, which use nothing more secure than a simple XORing to (try to) prevent sniffing. (I haven’t looked at Bluetooth keyboards, but a swift search on DuckDuckGo turned up a paper from 2007 (4) showing an attack that broke the Bluetooth encryption in under 0.1 seconds for a 4 digit PIN, but didn’t get as far as decoding the messages – though that is a task likely made trivial, as you could just feed them into the same hardware on another computer and see what gets printed in Notepad!)
Keyboard logging via a USB hardware “bug” is near undetectable, being entirely hidden as it is from software, unless you take care to inspect your keyboard link, or use a PS/2 keyboard. However, a powerline sniffing trick can reveal the keypresses from these “old school” keyboards, and reveal exactly which keys are being pressed, after filtering out the noise. (5)
Talking of noise, an attack made public a few days ago reveals that researchers have figured out how to break even the strongest current encryption using only an audio recording of the target computer! (6) I used to have a PC that you could hear working hard. In case you were wondering, the acoustic signal is actually generated by the CPU’s voltage regulator, as it tries to maintain a constant voltage during wildly varied and bursty loads. It is the same as the previous attack, just, well, a slightly different channel.
There is also the rather old TEMPEST analysis. Listen to the radio signals given out by anything electronic, and see if you can determine the keypresses, or, indeed, see what is on the screen. This was discovered by the Soviets before 1954, and the USA in 1943 (7) and is still a valid technique, if somewhat harder now we don’t use CRT monitors and sparkgaps any more, which were very easy to pick up due to the scanning electron beam and high current pulses.
Of course, the most obvious way to capture a password remotely without software is to simply watch someone typing it – Google Chrome’s Incognito mode actually warns about people standing behind you. Less obvious is someone with a telephoto lens through the window, or someone using your own CCTV system to watch your keyboard via a hacked remote access pathway or other data breach, streaming video to them of what you thought was secret via the very system set to guard. Or a recovered file from your harddisk, which is where your DVR stores your IPcam stream.
All-in-one devices are great for many things, and recent revelations from Snowden regarding the NSA and GCHQ have revealed that they can take your password in many different ways, and this is yet another one that most people have never heard of, but that can compromise your security.
Of course, a completely standalone device can be trivially secretly marked so the keypresses leave evidence behind, revealing the code, or, if enough time has passed without cleaning, or indeed without a code change, the wear to the buttons or the dirt left behind can also reveal, if not the exact code, the numbers that make it up.
Finally, for now, the smudges and smears left behind on your smartphone screen are likely to reveal the unlock pattern or PIN characters – take a look right now, and tilt your device to see the marks left by your own fingers! To catch someone else out, just give their phone a wipe before they unlock it, and all will become, er, clear…
*For working out a password or other secret from hardware.
Interestingly, the paper I give as reference 5, the PDF from the NSA, lists two redacted chapters, one titled “Seismics” and the other titled “Flooding”. Flooding is most likely referring to the trick of masking the signal in the noise, by, as mentioned earlier in the PDF, running 10 or more machines together, to flood the receiver. “Seismics”, of course, may well refer to something akin to our modern day attack using movement detection. Though it wouldn’t have been a solid state gyro (they were unthinkable sci-fi 60 years ago) it is quite possible that the NSA came up with something that could detect the relatively crude movements of a key, perhaps by monitoring the movement of a desk as a weighty hand pushed hard on a mechanical typewriter, and from that allow the determination of a keystroke?
Know any more tricks? Add them in the comments!