If you’ve taken Learning Tree’s introduction to cybersecurity course, you may remember that it covers some of the ways an attacker can learn what a user types on a keyboard. Those are examples of “information leakage”. Beyond the familiar technique of sniffing the radio traffic of a wireless keyboard, it is also possible for an attacker to capture and decode keystrokes with an inexpensive USB radio dongle, or even with ordinary WiFi equipment.
A few years ago, manufacturers began selling inexpensive (USD 20 or so) USB radio receivers, primarily so that users could watch over-the-air television broadcasts on their laptops. Radio enthusiasts soon discovered that these “dongles”, as they are called, are in effect general-purpose software-defined radio receivers that can capture a wide range of radio signals.
Hobbyists have used them to listen to amateur radio and commercial short-wave transmissions, among a whole host of other applications. Other products offer additional features and may cost significantly more.
Software such as GNU Radio can be used with the dongle to build a spectrum analyzer: a tool that receives across a wide range of radio frequencies and displays how much signal is present at each frequency. Spektrum is another spectrum-analyzer program for these dongles.
Unless an electronic device is shielded to prevent it, it emits electromagnetic radiation as it operates, and because those emissions vary with what the device is doing, they can carry information about it. Many of these emissions can be picked up by one of these dongles and shown on the spectrum analyzer.
Back in 2008, two students at EPFL in Switzerland, Martin Vuagnoux and Sylvain Pasini, demonstrated that the electromagnetic emanations of keyboards could be captured and the individual keystrokes identified! Using one of these dongles for the purpose was discussed in 2013, and the basic technique was demonstrated with a dongle in 2015. The components keep getting better and cheaper, so new versions of the attack with higher accuracy and longer capture range are likely in the near future.
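To make concrete what “identify the keystrokes” means once the emanations have been captured, here is an added example; it is not the EPFL students’ code or anything from the original post. One of their techniques recovered the transitions on a wired PS/2 keyboard’s serial line from its RF emanations. This example assumes that capture stage is already done and that the data line has been sampled at each falling clock edge, yielding a list of 0/1 values; it also assumes standard PS/2 device-to-host framing (start bit 0, eight data bits LSB first, odd parity, stop bit 1) and uses a partial scan code table. The bit stream it decodes is constructed inline by `typing_stream`.

```python
"""Decoding keystrokes from a PS/2 bit stream recovered over the air.
Constructed example: assumes the RF capture and clock-edge sampling have
already produced a list of data-line bits, and that the keyboard uses
PS/2 device-to-host framing (start 0, 8 data bits LSB first, odd parity,
stop 1)."""

# Partial PS/2 scan code set 2 (make codes); 0xF0 prefixes a key release.
SCANCODES = {
    0x1C: "a", 0x32: "b", 0x21: "c", 0x23: "d", 0x24: "e", 0x2B: "f",
    0x34: "g", 0x33: "h", 0x43: "i", 0x3B: "j", 0x42: "k", 0x4B: "l",
    0x3A: "m", 0x31: "n", 0x44: "o", 0x4D: "p", 0x15: "q", 0x2D: "r",
    0x1B: "s", 0x2C: "t", 0x3C: "u", 0x2A: "v", 0x1D: "w", 0x22: "x",
    0x35: "y", 0x1A: "z", 0x29: " ", 0x5A: "\n",
}
BREAK = 0xF0
FRAME_BITS = 11

def encode_frame(byte):
    """The 11-bit frame a keyboard clocks out for one byte (used here only
    to build the constructed sample stream)."""
    data = [(byte >> i) & 1 for i in range(8)]          # LSB first
    parity = 0 if sum(data) % 2 else 1                  # odd parity
    return [0] + data + [parity, 1]

def decode_frames(bits):
    """Split a sampled bit stream into frames; return [(byte, valid), ...].
    A sample that is not a start bit is skipped so the decoder resyncs."""
    frames, i = [], 0
    while i + FRAME_BITS <= len(bits):
        if bits[i] != 0:
            i += 1
            continue
        frame = bits[i:i + FRAME_BITS]
        data = frame[1:9]
        byte = sum(b << k for k, b in enumerate(data))
        valid = (sum(data) + frame[9]) % 2 == 1 and frame[10] == 1
        frames.append((byte, valid))
        i += FRAME_BITS
    return frames

def keystrokes(bits):
    """Turn frames into typed text: keep presses, drop releases, and mark
    frames that fail the parity or stop-bit check with '?'."""
    out, skip_release = [], False
    for byte, valid in decode_frames(bits):
        if not valid:
            out.append("?")
            skip_release = False   # a corrupted 0xF0 cannot be trusted
            continue
        if skip_release:           # the byte after 0xF0 is the released key
            skip_release = False
            continue
        if byte == BREAK:
            skip_release = True
            continue
        out.append(SCANCODES.get(byte, "<%02X>" % byte))
    return "".join(out)

def typing_stream(text):
    """Constructed sample: press and release of each character in text."""
    rev = {ch: code for code, ch in SCANCODES.items()}
    bits = []
    for ch in text:
        code = rev[ch]
        bits += encode_frame(code) + encode_frame(BREAK) + encode_frame(code)
    return bits

if __name__ == "__main__":
    print(repr(keystrokes(typing_stream("hi there"))))   # 'hi there'
```

The parity and stop-bit checks are what separate a clean recovery from noise: a single bit flipped by a weak capture shows up as a `?` rather than as a wrong letter, which is also how an attacker would judge whether the antenna placement is good enough.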
A group of researchers from Michigan State University discovered a way to use a WiFi router and a WiFi receiver to detect and decode keystrokes.
Rather than looking at signals emitted by the keyboard, their approach looks at the movement of the typist’s hands and fingers. No, it doesn’t use a camera. Instead, it uses the WiFi link as a sort of radar, detecting the finger movements through the changes they cause in the received WiFi signal (specifically in the channel state information, or CSI, that the receiver reports).
They used a WiFi router and a receiver. The router transmitted continuously and the receiver received continuously. As the fingers moved over the keyboard they disturbed the WiFi signal between the two, and because the hand moves differently to reach each key, each key produces a slightly different disturbance. The researchers worked out how to split the signal into individual keystrokes and match each disturbance to the key that caused it.
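The following is an added example, not the Michigan State researchers’ code, of the two stages just described: segmenting a received-signal amplitude trace into keystroke disturbances, then matching each disturbance against per-key templates with dynamic time warping (DTW), which tolerates a keystroke being a little faster or slower than its template. Everything in it is an assumption made for illustration: the trace is synthetic, there is a single channel rather than per-subcarrier CSI, the three key signatures are hand-made rather than learned from training data, and the window size and variance threshold are chosen to suit the synthetic noise level.

```python
"""Keystroke inference from a WiFi amplitude trace, in two stages:
segment the trace into disturbances, then match each one against per-key
templates with dynamic time warping (DTW). Constructed for illustration:
a single channel, hand-made key signatures and a synthetic trace. Real CSI
is reported per subcarrier and real templates are learned from training."""
import math
import random

# Constructed per-key signatures (idealized amplitude disturbances).
# They differ in shape and length; DTW tolerates the length difference.
TEMPLATES = {
    "a": [0, 1, 3, 5, 3, 1, 0, -2, -3, -2, 0],
    "s": [0, -2, -4, -2, 0, 2, 4, 2, 0],
    "d": [0, 1, 2, 3, 4, 5, 4, 3, 2, 1, 0],
}

def synth_trace(keys, gap=15, noise=0.2, seed=1):
    """Constructed trace: Gaussian baseline noise with one template per key."""
    rng = random.Random(seed)
    trace = [rng.gauss(0, noise) for _ in range(gap)]
    for k in keys:
        trace += [v + rng.gauss(0, noise) for v in TEMPLATES[k]]
        trace += [rng.gauss(0, noise) for _ in range(gap)]
    return trace

def segment(trace, win=5, thresh=0.3):
    """Find keystrokes as runs of windows whose variance exceeds thresh.
    Returns [start, end) sample index pairs, one per detected keystroke."""
    active = []
    for i in range(len(trace) - win + 1):
        w = trace[i:i + win]
        mean = sum(w) / win
        active.append(sum((x - mean) ** 2 for x in w) / win > thresh)
    segments, start = [], None
    for i, on in enumerate(active):
        if on and start is None:
            start = i
        elif not on and start is not None:
            segments.append((start, i + win - 1))   # last active window ends at i+win-2
            start = None
    if start is not None:
        segments.append((start, len(trace)))
    return segments

def dtw(a, b):
    """DTW distance with absolute-difference cost between two sequences."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = abs(a[i - 1] - b[j - 1])
            cost[i][j] = step + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]

def classify(samples):
    """Nearest-template (1-NN) decision by DTW distance."""
    return min(TEMPLATES, key=lambda k: dtw(samples, TEMPLATES[k]))

def recover_keys(trace):
    """Full pipeline: segment the trace, then classify each segment."""
    return "".join(classify(trace[s:e]) for s, e in segment(trace))

if __name__ == "__main__":
    print(recover_keys(synth_trace(list("sad"))))   # recovers "sad"
```

The segmentation step is where such attacks are most fragile in practice: a typist who rests their hands between keys, or a second person moving in the room, changes the baseline variance and the threshold has to be adapted, which is part of why the researchers needed training data per user and environment.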
These attacks are not likely to be widely deployed any time soon, but they would be difficult to thwart without significant expense. To thwart the emanation attack you could use a shielded (TEMPEST-rated) keyboard at ten or more times the cost of a conventional keyboard, try to jam the signals, or shield the rooms where the keyboards are used. None of these is feasible for any but the most secure sites.
To thwart the WiFi attack you would probably have to put the keyboards and their users in a screened room (such as a SCIF) so that no constant WiFi signal reaches the typists. Again, not practical for most organizations.
If these attacks become more mainstream, hopefully manufacturers will come up with less expensive solutions.