Wed, 18 May 2005
Today, I got into a talk with a co-worker about the possibilities left open to people to snoop data from your system in all manners possible. It started when he discovered the Microsoft USB-keyboards with fingerprint-readers on some of the desks at our/my part of the office.
Basically, we discussed a few 'physical domain' attacks that you could try against these types of devices (gelatin fingerprint molds, etc.), and progressed from there to the fact that a lot of these fingerprint readers seem to send a TIFF-like image containing the raw fingerprint to the host machine. The possibility of using replay attacks against these things looks interesting; imagine one of these gumstix devices acting as a 'USB device' and a 'USB host' at the same time; not much bigger than a stick of gum, you could stick it underneath a desk and have it send out everything it logs over Bluetooth or even WiFi.
From there, I remembered some papers I have stumbled upon over the last few years and discussed some of the possibilities of Tempest/Van Eck-type devices with these co-workers. Afterwards, I decided to back my assertions and suspicions up with a literature study, of which I provide a neat overview below, for your convenience.
First off, the Van Eck device: a device which picks up the electromagnetic noise produced by a typical CRT display and pushes it through a fully analog 'synch-lock' circuit, allowing you to produce a luminosity map (grey-tone display) of whatever the 'monitored device' is showing at that moment. Wim van Eck's paper about this method was published as far back as 1985 and it is still a workable method for spying on CRT-style devices in the wild, as long as no electromagnetic shielding is in place. Chances are, there isn't.
Secondly, I remembered a paper that discussed the feasibility of using the visual domain (light) for information interception. One of the most well-known uses of this method is 'logging' the data travelling across a modem just by 'looking at the LEDs'. In most modems, the RX/TX (receive/send) LEDs are directly coupled to the serial data pins of the UART/modem in question, blinking exactly in time with the signals that go across the (RS-232) cable the modem is connected to. Modem speeds mostly do not reach above 64kbit, perhaps 128kbit when we're talking about ISDN2, so each bit lasts a comparatively long time. As such, it turns out that the afterglow of most LEDs in production is too short to offer any real 'protection' against simply aiming a lens system plus photodiode (and amp) at a modem LED and coupling it to a serial port. All right, perhaps put a bit simply, but the principle should work.
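To make the timing argument above concrete, here is an added simulation; it is not code from the original post or from any of the papers cited, and every parameter and function name in it is my own assumption. An 8N1 serial stream at 9600 baud drives a TX LED that is modelled as a first-order low-pass with time constant tau, and a naive receiver samples the brightness trace. With a fast LED the bytes come straight back out; with an afterglow comparable to the bit period, or with a pulse-stretching driver that holds the LED on for a couple of milliseconds after any activity (modelled here as a simple monostable), the receiver gets garbage. That is the point a defender cares about: decoupling status LEDs from the data line, rather than shielding, is the fix for this channel.

```python
"""Toy simulation of the modem status-LED timing argument.

Assumed, illustrative model (not from the original post or the cited papers):
an 8N1 serial stream at 9600 baud drives a TX LED, the LED is a first-order
low-pass with time constant `tau`, and an optional pulse stretcher in the LED
driver holds the LED on for at least `min_on` seconds after any activity.
A naive receiver then tries to recover the bytes from the brightness trace.
"""

BAUD = 9600
DT = 1e-6                                 # simulation step: 1 microsecond
SPB = round(1.0 / BAUD / DT)              # samples per bit slot (~104)
IDLE_BITS = 5                             # idle line before and after the data


def uart_bits(data: bytes) -> list:
    """8N1 framing: start bit 0, eight data bits LSB first, stop bit 1.
    The idle line sits at logic 1."""
    bits = [1] * IDLE_BITS
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    bits.extend([1] * IDLE_BITS)
    return bits


def led_drive(bits: list) -> list:
    """Per-sample LED drive level. The TX LED is assumed to light when the
    line is at logic 0 (active-low), so it blinks exactly with the data."""
    drive = []
    for bit in bits:
        drive.extend([1 - bit] * SPB)
    return drive


def led_brightness(drive: list, tau: float, min_on: float = 0.0) -> list:
    """First-order LED model: brightness relaxes toward the drive level with
    time constant tau. min_on > 0 models a monostable pulse stretcher that
    keeps the LED on for at least min_on seconds after the last '1' drive."""
    alpha = min(DT / tau, 1.0) if tau > 0 else 1.0
    hold_samples = int(min_on / DT)
    level, hold, out = 0.0, 0, []
    for d in drive:
        if hold_samples:
            if d:
                hold = hold_samples
            elif hold > 0:
                hold -= 1
                d = 1                     # stretcher keeps the LED lit
        level += alpha * (d - level)
        out.append(level)
    return out


def decode_8n1(brightness: list, threshold: float = 0.5) -> bytes:
    """Naive optical receiver: wait for the LED to light (start bit), then
    sample the centre of the next eight bit slots; LED off means logic 1."""
    out, i, n = [], 0, len(brightness)
    while i < n:
        if brightness[i] < threshold:
            i += 1
            continue
        value = 0
        for k in range(1, 9):
            idx = i + k * SPB + SPB // 2
            if idx >= n:
                return bytes(out)
            if brightness[idx] < threshold:
                value |= 1 << (k - 1)
        out.append(value)
        i += 10 * SPB                     # skip to the end of this frame
    return bytes(out)


def recovered_bytes(data: bytes, tau: float, min_on: float = 0.0) -> bytes:
    """End-to-end: frame `data`, run it through the LED model, decode it."""
    return decode_8n1(led_brightness(led_drive(uart_bits(data)), tau, min_on))


if __name__ == "__main__":
    sample = b"hi"                        # constructed sample payload
    print("fast LED (tau = 1 us):        ", recovered_bytes(sample, tau=1e-6))
    print("slow afterglow (tau = 300 us):", recovered_bytes(sample, tau=300e-6))
    print("pulse stretcher (2 ms hold):  ", recovered_bytes(sample, tau=1e-6, min_on=2e-3))
```

The three scenarios in the main block map onto the paragraph: a fast LED reproduces the payload, an afterglow of 300 us (three bit periods at 9600 baud) misaligns the start-bit detection and smears the data bits, and a 2 ms hold in the driver keeps the LED lit across whole frames so every recovered byte reads as 0x00. Real LEDs switch in nanoseconds, which is why the hold, not the LED, is what a driver designer has to add.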
Even more fun is the fact that what works for modems and light seems to work (with a bit more complexity, granted) for CRT-style displays and the light they project onto walls, curtains, etc. Back in the digital domain, it turns out that even for laptop screens (which are not built up by a scanning beam the way a CRT image is) it is possible to reconstruct, with some accuracy, what is being displayed. You can find three papers about this on http://www.cl.cam.ac.uk/~mgk25/, the webpage of a very clever guy, Markus Kuhn.
Three papers from his page are mirrored here, unchanged:
His PhD thesis, "Compromising emanations: eavesdropping risks of computer displays", covering both the optical and the electromagnetic domain.
A summary of the optical snooping method, which is elaborated upon in his thesis.
Another summary, discussing the possibility of snooping flat-panel displays in the electromagnetic domain, also elaborated upon in his thesis.
Also of interest might be the Keyboard Acoustic Emanations paper by two people at IBM, Dmitri Asonov and Rakesh Agrawal. The paper is mirrored locally here; it discusses the possibility of using the acoustic emanations (tapping/clicking sounds) of keyboards to figure out which keys have been pressed. It turns out that with one particular keyboard it is quite foolproof at figuring out which key has been pressed. Even between two keyboards of the same model it turns out to be feasible to use this method to narrow the set of possible keys down to a number where brute-forcing a (say) password becomes a much more interesting proposition. Oh, and of course, sound DOES travel across phone lines...
Just because you're paranoid, it doesn't mean they're not after you
--
Black-helicopter-man
