Tempest on keyboard entry
Posted on October 28, 2008
Recently, Martin Vuagnoux and Sylvain Pasini of EPFL in Lausanne, Switzerland published videos of remotely eavesdropping on keyboard entry [http://lasecwww.epfl.ch/keyboard/]. In this attack, they analyze the electromagnetic (EM) emanations of a keyboard and, using relatively inexpensive equipment, fully recover the keys that have been pressed. This is the first public proof-of-concept of the earlier suspicion that keyboards leak so-called compromising emanations. If you type a secret, it could be revealed.
Similar attacks have been known publicly since 1985, when Van Eck published his remote TV cloning attack, in which he remotely reconstructs the image shown on a TV from its EM emanations. Intelligence organizations such as the NSA were already secretly aware of these leakages and the possible attacks since at least the 1960s, when they were used to spy upon foreign powers. The codename TEMPEST refers to the NSA's studies on compromising emanations. These weaknesses have since been shown to be present in more modern LCD monitors as well. If you read a secret, it could be revealed.
In the power analysis world, we use this technique on a daily basis when we perform simple or differential EM analysis (SEMA/DEMA). EM analysis arose as a response to early countermeasures against power analysis (SPA/DPA), and it is still an effective analysis channel today. Although we analyze the near EM field rather than emanations at a distance, the principle is the same: any leakage through EM emanations is picked up by a probe and analyzed with specialized software to extract the secret information we are interested in. If you process a secret, it could be revealed.
Using EM emanations to extract information shows that attackers are inventive and will seek out the weakest link in a system. Fortunately, there is an array of countermeasures. Just make sure that if you have a secret, you test whether it is actually revealed.
