
Keyboard radio

Malicious hackers such as yourselves have, of course, dealt with software keyloggers more than once: run the program once on the target's machine and the job is done, every password and every typed text is as good as yours. This approach has a drawback, though: you have to get the software running on someone else's computer, which is not always possible. So we decided to build an elementary device that lets you log everything typed simply by getting close enough to the target's computer.

>> The idea and how to carry it out
Briefly, what this is about. Every device that draws current, whether a TV, mouse, keyboard, hard drive or fan, creates an electromagnetic field around itself while it operates. As you know from physics, the field is produced by the currents flowing through its wires and printed-circuit traces. The strength of these emissions can be measured with special instruments, and they often interfere with radios, televisions and other equipment. You have probably noticed that an FM radio placed next to a TV receives stations worse: the signal is quite literally "swamped" by the stray radiation. That gave me a good idea: if a TV swamps the signal a radio is "listening" to, it would be worth checking what a keyboard does. After all, the interference it generates, i.e. electromagnetic pulses, lies according to the reference books in the range from 10 Hz to 1000 MHz, and that range is the main channel of information leakage from modern PCs. For the job I armed myself with the following:

1. A computer with a sound card
2. A cheap Chinese Fusun radio receiver
3. A cord to connect the FM receiver to the sound card's line input

As for the receiver, any will do (preferably one with manual tuning, since hunting for the right interference is fine work); the main thing is not to use an FM tuner installed inside the PC, because the pickup inside the case will defeat any attempt to get a result. The cord is a standard one; you can solder it from the scraps left over from old broken headphones or microphones. At first it is better to plug headphones into the sound card output and do everything by ear, so that every nuance of the noise is heard. In sndvol32.exe select the line input as the recording source and turn the recording level down to the minimum, otherwise you risk being deafened by the wild noise the receiver produces. Connect the receiver to the line input and switch it on. You may hear music from some FM station instead of the noise we need; in that case turn the tuning wheel slightly until you hear "white noise", as physicists like to call it. Then hold down any key on the keyboard and start tuning very carefully until you hear a characteristic crackle at about 200 clicks per minute (a little over 3 per second). When you release the key the crackle should stop; that is a sure sign you have found the right frequency. In some cases the signal may instead sound like a continuous, fairly low hum mixed with the noise, changing pitch when keyboard keys are pressed. If nothing turns up, you are probably holding the receiver too close to the monitor; a CRT monitor produces especially strong interference. If you still cannot find the frequency, adjust the length of the receiver's external antenna.
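The "hold a key and listen for the crackle" test above can be automated once the receiver's audio is on the line input. The following is an added example, not code from the original article: it takes a mono audio buffer, computes a short-window RMS envelope, finds burst onsets that rise above the noise floor and checks that they repeat at a regular rate. The WAV loader, the 10 ms window and the 2-5 Hz acceptance band around the author's "about 3 per second" are my assumptions; the test signal is constructed, not a real capture.

```python
"""Automated version of the 'hold a key and listen' check.

Added example, not from the original article. Audio is a mono list of
floats in [-1, 1]; read_wav_mono() loads one from a 16-bit PCM WAV made
from the receiver's line-in recording. The test signal at the bottom is
constructed (noise plus a 3.3 Hz burst train), not a real capture.
"""
import array
import math
import random
import wave


def read_wav_mono(path):
    """Return (samples, sample_rate) for a 16-bit PCM WAV, first channel only."""
    with wave.open(path, "rb") as w:
        rate = w.getframerate()
        channels = w.getnchannels()
        raw = array.array("h")
        raw.frombytes(w.readframes(w.getnframes()))
    return [raw[i] / 32768.0 for i in range(0, len(raw), channels)], rate


def rms_envelope(samples, rate, window_ms=10):
    """Short-window RMS; one value per window of window_ms milliseconds."""
    n = max(1, int(rate * window_ms / 1000))
    return [math.sqrt(sum(x * x for x in samples[i:i + n]) / n)
            for i in range(0, len(samples) - n + 1, n)]


def burst_rate(samples, rate, window_ms=10, threshold_factor=3.0):
    """Estimate bursts per second in a recording, or 0.0 if bursts are absent
    or not periodic. A burst is a run of windows whose RMS exceeds
    threshold_factor times the median RMS (the white-noise floor)."""
    env = rms_envelope(samples, rate, window_ms)
    if not env:
        return 0.0
    threshold = sorted(env)[len(env) // 2] * threshold_factor
    active = [e > threshold for e in env]
    onsets = [i for i in range(1, len(active)) if active[i] and not active[i - 1]]
    if len(onsets) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(onsets, onsets[1:])]
    mean_gap = sum(gaps) / len(gaps)
    spread = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps))
    if spread > 0.25 * mean_gap:      # irregular clicks are not the key signal
        return 0.0
    return 1.0 / (mean_gap * window_ms / 1000.0)


def key_held(samples, rate, low_hz=2.0, high_hz=5.0):
    """True when a regular burst train in the 2-5 Hz band is present (the
    article reports about 200 per minute, i.e. a little over 3 per second).
    The band limits are an assumption, not a measured figure."""
    return low_hz <= burst_rate(samples, rate) <= high_hz


def make_test_signal(rate=8000, seconds=3.0, bursts_per_sec=3.3, seed=1):
    """Constructed stand-in for a line-in capture: low-level noise plus 20 ms
    bursts of strong noise repeating bursts_per_sec times a second
    (0 or less gives noise only, i.e. no key held)."""
    rng = random.Random(seed)
    n = int(rate * seconds)
    sig = [rng.uniform(-0.05, 0.05) for _ in range(n)]
    if bursts_per_sec <= 0:
        return sig
    period = int(rate / bursts_per_sec)
    burst_len = int(rate * 0.02)
    for start in range(0, n - burst_len, period):
        for i in range(start, start + burst_len):
            sig[i] += rng.uniform(-0.6, 0.6)
    return sig


if __name__ == "__main__":
    rate = 8000
    print("key held:", key_held(make_test_signal(rate), rate))
    print("quiet   :", key_held(make_test_signal(rate, bursts_per_sec=0), rate))
```

On a real capture, call `read_wav_mono("linein.wav")` and pass the result to `key_held`; tune the receiver until it returns True with a key held and False with it released. The median-based threshold is what makes this work on the raw, noisy line input: the noise floor sets the reference, so the absolute recording level does not matter.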
>> Analyzing the data

Suppose you have found a frequency at which the keyboard's interference is heard especially well. Then most of the work is done. It only remains to record the interference from various keystrokes with any capable wave editor, such as Nero Wave Editor, and analyze it. The differences in the waveform of the noise the keyboard produces will let us pick out which key was pressed from the mess of white noise :). Open the editor, start recording from the line input and type a simple word of 4-5 characters. So that the places where the ordinary noise is mixed with the keyboard's crackle show up later in the waveform display, hold each key for at least half a second while recording. Of course, in a real situation nobody will hold the keys down for you on someone else's keyboard, but for now the task is to work out the method so that more complex captures become possible.

While recording your word, look carefully at the waveform. It has stretches of relative calm, during which no key was pressed, and stretches made up of continuous bursts, heard as clicks, during which a key was held down: the key's circuit was closed and interference was generated regularly at a certain rate. Select a small piece of the display containing keyboard interference and zoom in until every single oscillation of the wave can be traced (in my case the zoom was 700%). In Nero Wave Editor zooming is done with the mouse wheel; zoom is a very useful tool, because with it you can always tell ordinary noise from the fragments that carry the information we want. Now notice that the wave contains fragments (I would call them keys) that repeat constantly and with a certain period (see the screenshots). These repeating fragments give our seemingly random wave the character of a periodic function. I counted 2 such fragments per key. Most interesting of all, each button on the keyboard has its own fragments. "But then we can only recognize such sequences for our own keyboard!" you exclaim indignantly. No problem. Given a sufficiently large amount of recorded keyboard interference, you can apply frequency analysis (described in any book on cryptography). It relies on the fact that every letter of the alphabet, and every punctuation mark, occurs in text with a certain probability; in Russian, for example, the letter "o" occurs far more often than the letter "u". For frequency analysis you need to build an array containing every kind of interference fragment.
Then write a program, a sound-file analyzer, that compares the noise in the file with the fragments in the array and writes the matches to a file as conditional names (for example "pomexa1", "pomexa5", ...). That file is the material for frequency analysis.
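The analyzer described in the two paragraphs above, segmenting the recording into bursts, matching each burst against the array of known fragments, writing the conditional names out, and then ranking them by frequency, as an added example that is not the article's own program. Everything in it is constructed: the per-key fragment shapes are damped sines standing in for real "fragment-keys" (real templates must be cut from your own recordings, one burst per key, and put into TEMPLATES), the recording is synthesized from them, and the label names "pomexa1" etc. are taken from the text. The matching uses normalized cross-correlation, which is my choice, not the author's; the English letter-frequency order is a stand-in for whatever language is being typed.

```python
"""Burst labelling and frequency analysis for recorded keyboard interference.

Added example, not the article's own analyzer. Everything here is
constructed: the per-key fragment shapes (damped oscillations standing in
for the real 'fragment-keys'), the recording, and the label names
'pomexa1'... taken from the text. Real templates have to be cut from your
own recordings, one burst per key, and replace TEMPLATES.
"""
import math
import random


def make_template(cycles, decay, n=40):
    """Constructed burst shape: a damped sine of `cycles` periods over n samples."""
    return [math.exp(-decay * i / n) * math.sin(2 * math.pi * cycles * i / n)
            for i in range(n)]


TEMPLATES = {                      # stand-ins for the fragments of four keys
    "pomexa1": make_template(2.0, 1.0),
    "pomexa2": make_template(3.5, 1.5),
    "pomexa3": make_template(6.0, 0.5),
    "pomexa4": make_template(1.0, 2.0),
}


def segment_bursts(samples, window=20, factor=3.0):
    """Return (start, end) spans whose windowed RMS rises above
    factor * median RMS, i.e. the bursts between the quiet stretches.
    Each span is widened by one window so a fragment is never cut short."""
    env = [math.sqrt(sum(x * x for x in samples[i:i + window]) / window)
           for i in range(0, len(samples) - window + 1, window)]
    if not env:
        return []
    threshold = sorted(env)[len(env) // 2] * factor
    spans, start = [], None
    for w, e in enumerate(env + [0.0]):          # sentinel closes a trailing burst
        if e > threshold and start is None:
            start = w
        elif e <= threshold and start is not None:
            spans.append((max(0, (start - 1) * window),
                          min(len(samples), (w + 1) * window)))
            start = None
    return spans


def best_match(segment, template):
    """Peak normalized cross-correlation of template slid across segment
    (full overlaps only, so a few stray samples cannot fake a match)."""
    m = len(template)
    t_norm = math.sqrt(sum(t * t for t in template))
    best = -1.0
    for off in range(len(segment) - m + 1):
        piece = segment[off:off + m]
        p_norm = math.sqrt(sum(x * x for x in piece))
        if p_norm == 0.0:
            continue
        best = max(best, sum(a * b for a, b in zip(piece, template)) / (p_norm * t_norm))
    return best


def label_bursts(samples, templates=TEMPLATES, min_score=0.6):
    """Name every burst after the template it matches best; bursts that match
    nothing well are kept as 'unknown' rather than guessed."""
    labels = []
    for start, end in segment_bursts(samples):
        segment = samples[start:end]
        name, score = max(((n, best_match(segment, t)) for n, t in templates.items()),
                          key=lambda pair: pair[1])
        labels.append(name if score >= min_score else "unknown")
    return labels


def write_labels(labels, path):
    """One conditional name per line: the material for frequency analysis."""
    with open(path, "w") as f:
        f.write("\n".join(labels) + "\n")


ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"   # letters, most frequent first


def frequency_rank(labels):
    """Labels ordered from most to least frequent (ties broken by name)."""
    counts = {}
    for name in labels:
        if name != "unknown":
            counts[name] = counts.get(name, 0) + 1
    return sorted(counts, key=lambda k: (-counts[k], k))


def guess_mapping(labels, letter_order=ENGLISH_ORDER):
    """First guess at label -> letter by pairing frequency ranks. Needs a large
    corpus and the frequency table of the language actually being typed."""
    return dict(zip(frequency_rank(labels), letter_order))


RECORDING_KEYS = ["pomexa1", "pomexa2", "pomexa1", "pomexa1",
                  "pomexa3", "pomexa2", "pomexa1"]


def make_recording(keys=RECORDING_KEYS, templates=TEMPLATES, gap=200, seed=7):
    """Constructed recording: each key's fragment at a random amplitude and
    offset, with low-level noise and a quiet gap between presses."""
    rng = random.Random(seed)
    noise = lambda: rng.uniform(-0.02, 0.02)
    out = [noise() for _ in range(gap)]
    for key in keys:
        amp = rng.uniform(0.7, 1.3)
        out.extend(noise() for _ in range(rng.randint(0, 19)))
        out.extend(amp * t + noise() for t in templates[key])
        out.extend(noise() for _ in range(gap))
    return out


if __name__ == "__main__":
    labels = label_bursts(make_recording())
    print(labels)                       # same sequence as RECORDING_KEYS
    print(guess_mapping(labels))        # pomexa1 -> 'e', pomexa2 -> 't', ...
```

Normalized cross-correlation is used rather than raw sample comparison because the amplitude of the pickup changes with distance and antenna position, while the shape of a key's fragment does not. Keep the "unknown" label: a frequency table built from forced guesses is worse than one with gaps.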

Look at my screenshot of the waveform for the letter "a" and compare it with the one for the letter "h". The letter "a" can be told from the others at a glance by a characteristic W-shaped burst. Working this way, you will soon learn to determine accurately which character lies behind a given sequence of bursts.

>> Anti-noise

Here are brief recommendations for experimenters who do not wish to go deaf in their youth :). I assure readers that none of the filter presets built into even the best-known audio editors (Noise Reduction and the like) will remove the interference and leave the desired signal: the signal is simply removed along with the "garbage", because the filters' analyzers treat the bursts we need as clicks, i.e. as recording defects. To build the right filter you have to use your head. After a long analysis I found that at audio frequencies above 3700 Hz there is essentially nothing but whistling noise. The Nero Wave Editor menu item Enhancement -> Filter Toolbox helped me establish this: I selected a sample containing the useful signal, opened the tool, ticked "Band Pass Filter" and chose "lower" = 3700 Hz, "upper" = 22050 Hz (the upper limit of a 44.1 kHz recording). The useful signal almost disappeared, so everything between "lower" and "upper" is garbage and what remains is useful signal. Therefore select the whole recording and apply the same filter with "lower" = 0 and "upper" = 3700. Some high-frequency information is of course lost in this operation; the loss can be avoided by adjusting the equalizer (Tools -> Equalizer), but that takes more time. Experiment with filters and you will get the result you want.
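The same split can be done outside a wave editor, and measured rather than judged by ear. Below is an added example, not from the original article: a Hamming-windowed sinc FIR low-pass with the cutoff at 3700 Hz (what you keep), its spectral-inversion high-pass (the 3700-22050 Hz band the author used to locate the split), and a Goertzel band-power meter to check how much each filter removed at a given frequency. The 44.1 kHz sample rate follows the 22050 Hz upper limit quoted in the text; the test signal is constructed, with a 1 kHz tone standing in for the useful crackle and an 8 kHz tone for the whistle.

```python
"""Low-pass the recording below 3700 Hz, keeping the keyboard crackle and
dropping the high-frequency whistle, as the text does with Nero's filter.

Added example, not from the original article: a windowed-sinc FIR low-pass
(and its spectral-inversion high-pass, the band-pass the author used to
locate the 3700 Hz split) plus a Goertzel band-power meter to check the
result. The 44.1 kHz rate follows the 22050 Hz upper limit quoted in the
text; the test signal is constructed (1 kHz tone standing in for the
useful signal, 8 kHz for the whistle), not a real capture.
"""
import math
import random


def lowpass_taps(rate, cutoff_hz, taps=201):
    """Hamming-windowed sinc low-pass, normalized to unity gain at DC."""
    mid = taps // 2
    fc = cutoff_hz / rate
    h = []
    for n in range(taps):
        k = n - mid
        ideal = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        hamming = 0.54 - 0.46 * math.cos(2 * math.pi * n / (taps - 1))
        h.append(ideal * hamming)
    gain = sum(h)
    return [v / gain for v in h]


def highpass_taps(rate, cutoff_hz, taps=201):
    """Spectral inversion of the low-pass: passes everything above cutoff."""
    h = [-v for v in lowpass_taps(rate, cutoff_hz, taps)]
    h[taps // 2] += 1.0
    return h


def fir_filter(samples, h):
    """y[i] = sum_k h[k] * x[i-k]. The output carries the filter's group
    delay, which matters neither for listening nor for band-power checks."""
    out = []
    for i in range(len(samples)):
        window = samples[max(0, i - len(h) + 1):i + 1]
        out.append(sum(a * b for a, b in zip(h, reversed(window))))
    return out


def goertzel_power(samples, rate, freq_hz):
    """Energy of samples at one frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def attenuation_db(before, after, rate, freq_hz, skip=256):
    """How many dB the filter removed at freq_hz (negative means gain). The
    first `skip` samples are ignored to leave out the filter's start-up transient."""
    p_before = goertzel_power(before[skip:], rate, freq_hz)
    p_after = goertzel_power(after[skip:], rate, freq_hz)
    return 10.0 * math.log10((p_before + 1e-30) / (p_after + 1e-30))


def make_test_signal(rate=44100, seconds=0.1, seed=3):
    """Constructed: 1 kHz 'useful' tone + 8 kHz 'whistle' + a little noise."""
    rng = random.Random(seed)
    return [0.5 * math.sin(2 * math.pi * 1000 * i / rate)
            + 0.5 * math.sin(2 * math.pi * 8000 * i / rate)
            + rng.uniform(-0.01, 0.01)
            for i in range(int(rate * seconds))]


if __name__ == "__main__":
    rate, cutoff = 44100, 3700
    sig = make_test_signal(rate)
    kept = fir_filter(sig, lowpass_taps(rate, cutoff))      # what you keep
    junk = fir_filter(sig, highpass_taps(rate, cutoff))     # the author's "garbage" band
    for f in (1000, 8000):
        print("%d Hz: low-pass removed %.1f dB, high-pass removed %.1f dB"
              % (f, attenuation_db(sig, kept, rate, f), attenuation_db(sig, junk, rate, f)))
```

A Hamming window gives roughly 50 dB of stopband rejection with a transition band of a few hundred hertz at 201 taps; if the crackle you recorded has energy right up to the cutoff, lengthen the taps rather than moving the cutoff, so that the useful signal keeps its shape for the template matching.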

>> Why use this method

The advantage of the method lies first of all in its relative simplicity and its accessibility to anyone. For mobile interception, i.e. monitoring for whatever purpose on foreign territory, a laptop with a small appendage, an external radio receiver, will do. To get a good result, the receiver should be shielded or kept away from the laptop, otherwise you may mistake your own laptop's radiation for the signal from the target keyboard. Another, safer, option is to record the radio signal at the chosen frequency on a voice recorder and analyze it afterwards.
Other methods I have encountered for extracting valuable information from the electromagnetic interference generated by a keyboard require at a minimum a spectrum analyzer, an oscilloscope, a frequency counter, a multimeter and the like, which is hardly affordable even for a very wealthy citizen. Furthermore, a browse of the Internet will easily turn up radio transmitter circuits which, if you know how to handle a soldering iron, will let you transmit the data remotely, making your life much safer and almost guaranteeing you stay out of jail. In that case, for your own safety, fit a powerful antenna and place the receiver as far away as possible. I recommend looking at www.radist.izmuroma.ru .

Another quite good and, in my opinion, more convenient way to scan (if only because of the fine tuning and the larger range) is to use a shortwave transceiver. Alas, they are relatively expensive (basic models from 200-300 dollars). But if you are serious about this, a transceiver will be a real treasure: with it you can not only intercept EM radiation but also listen in on secret transmissions in Morse code and do many other useful and interesting things. But that is another story. An interesting fact: the Belarusian radio telephone "Altai" (I do not know whether it is still made), being essentially a simple transceiver, has quite good radio interception capabilities.

Attention! If you intend to intercept information by the method described here in large volumes, you need a good sound card whose intrinsic noise level is insignificant, otherwise a headache from overwork is unavoidable. So be sure to check whether your sound card is suitable for such work on an "industrial" scale with the RightMark Audio Analyzer utility (http://audio.rightmark.org/rus).

>> ... And finally

If you do important work on your computer that requires secrecy, or if you administer a server, you simply must have reliable means of protection against information leakage through electromagnetic radiation. Such measures are varied: filtering, equipment grounding, shielding, electromagnetic noise generators and so on. They are justified, because there are ways to pick up the signal even from the victim's monitor, i.e. to reconstruct a faithful picture of what the user sees. The best way to learn about an imminent danger is to understand how the attack works and try it out in practice. Good luck!

- This article was written as a supplement to the wireless keyboard vulnerability news published by Tylerskald.
I also thank Leonid Isupov aka Cr@wler for the article he wrote, and the editorial board of ][aker for the excellent material in its journals.

Source: https://habr.com/ru/post/17139/
