
Smart power meters are becoming quite prevalent. Question: Can a smart power meter (with patched firmware) read the keys pressed on a wired PS/2 or USB keyboard, connected to a desktop computer? What about a laptop (connected with RJ45 Ethernet, and/or AC adapter)?

This seems like an attractive attack vector for different attackers, especially if the smart power meters can have their firmware remotely updated.

I assume the smart power meter must have the ability to sample the voltage at a high enough frequency to be able to do this. I assume the hardware specifications would depend completely on the make and model of the smart meter, although perhaps it is entirely unreasonable due to cost to assume it has the ability to do this. However, the frequency at which a USB keyboard operates is to my understanding not very high.

How can it be mitigated?

Some papers describe attacks that allow a PS/2 and USB keyboard to be read by listening on the power plug. The basic principle, as I understand it, is that crosstalk between ground and the data wire(s) will propagate from the data wire, to the ground wire, to the power supply, and finally onto the electrical grid. Despite significant noise from other devices, the signal can in some cases still be recovered, for PS/2.

Would a trivial mitigation for this simply be to use ungrounded power cables? Or could the same crosstalk still be measured between the live and neutral wire? I assume yes, but an explanation would be nice.

Here are a couple of papers I found; if there are better ones that perhaps already answer my questions, please link them in.

http://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-PAPER.pdf

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su

Neither of these two addresses my questions exactly, but they are related.

The first paper states:

"It is believed that USB keyboards are not affected by this attack as they use differential signaling for cancelling the noise, though USB microcontrollers within the keyboard are much more noisy than PS/2 ones and there is a chance that some fortuitous emanations might be present."

The second paper is more concerned about USB hubs in particular. If it were trivial to extend this onto the electrical grid, I would have assumed it was included, but again an explanation would be nice.

AlphaCentauri

1 Answer


It is extremely unlikely that a smart meter would be able to read the keystrokes off a keyboard, even with custom firmware. Doing that requires three things which a smart meter lacks:

  • An extremely accurate power monitor with a high sample rate.

    Samples are typically taken every 30 minutes, but can be taken as fast as 6 times per second. This is not enough to monitor the rapid power use variations of a keyboard microcontroller.

  • A large and high-speed storage system to record raw samples for later processing.

    According to at least one standard for smart meters, they must be able to store 13 months' worth of data consumption information at 30 minute sample intervals. This is not very much.

  • A powerful processor (or FPGA) capable of filtering out the noise.

    A quick search for random technical specifications for a smart meter shows one example running an ARM Cortex M4, with 256 KiB of system memory. This is not nearly sufficient.

Smart meters have several options for monitoring power: shunt resistors, Rogowski coils, Hall-effect sensors, and current transformers. As far as I am aware, none of these techniques have accuracy greater than +/- a few milliamps. Accuracy of Rogowski coils, for example, can be up to 0.5%, although manufacturing tolerances often result in it being as low as 5%. Monitoring an 8051 processor with a high-precision sensor connected directly to the microcontroller power source requires at least a 12 bit sample size, with the sample rate being an integer multiple of the clock source (millions of times per second at a minimum). Traditional power monitoring solutions cannot accomplish this.

There has been a paper from 2009 on this subject which focuses on both USB and PS/2 keyboards, and details a number of techniques to analyze the keystrokes. While the paper focuses on EMSEC (compromising electromagnetic emanations), the concepts involved should be fairly similar. A single recording had to be processed for two seconds by a powerful processor. A dedicated FPGA would be required to analyze the samples in real time, not a low-power ARM processor.

Now, there are privacy concerns with smart meters. At a high enough sampling rate, they can determine what channel is being viewed on a television, as the net power usage from the screen varies based on what is being displayed. I don't have a paper to link to, so this is just from memory. It may or may not apply to modern LCD displays where the power usage is roughly similar regardless of what is displayed. But are they able to perform efficient power analysis attacks against low-power microcontrollers in an entire home full of devices, using nothing more than a firmware update?

Virtually impossible.

forest
  • Is the sampling rate/accuracy requirement also a problem for PS/2? According to the first paper I linked in, it is only 10 - 16.7 kHz for PS/2. – AlphaCentauri Feb 04 '18 at 09:57
  • I wonder if power meters hardware can be engineered in the way to make these attacks possible. If it will make a meter a bit more expensive, consumers may be forced to buy this kind of meter with a law requiring such a hardware in every smart meter (forbidding selling, buying and using meters without this kind of hardware) or with government's subsidies and taxes making snooping kind of meters and/or electricity prices for them cheaper than (for) the ones without it. If you don't see that this kind of approach is already used for other things you should just look around better. – KOLANICH Feb 04 '18 at 10:50
  • KOLANICH: That's exactly what is happening in some countries. Everyone is forced, by law, to buy new smart meters, with poor justification of getting "more fair prices". – AlphaCentauri Feb 04 '18 at 12:30
  • @AlphaCentauri PS/2 is not a polling interface, it is interrupt-based. That is, it sends nothing until a key is pressed, then the data is sent immediately and an interrupt fires. However to monitor the key presses, the keyboard microcontroller would have to be monitored, which is (or can be) the same for both PS/2 and USB keyboards. – forest Feb 05 '18 at 02:45
  • @KOLANICH Personally, I think it would be unlikely to work. Extremely high-end oscilloscopes and powerful processors are required to do power analysis attacks with a lot of noise. It would be cheaper to just put a powerful microphone in the machine and attempt to listen to keystrokes. I mean, maybe in the future, highly-accurate and cheap power monitors are invented, and a breakthrough allows low-cost FPGAs to filter out the noise in real-time, but even then I would tend to doubt it. There are far more profitable ways to spy on people than difficult power analysis attacks over a smart meter. – forest Feb 05 '18 at 02:47
  • @forest: Did you read the Blackhat paper? As far as I can tell, they didn't need to read the keyboard microcontroller at all. Having access to a wall socket 15 meters away and a separate "clean" ground, gave good results, even in a very noisy environment. – AlphaCentauri Feb 05 '18 at 10:56
  • I was talking about the 2009 paper I linked. My point was that USB vs PS/2 doesn't matter, because they both involve the same type of chip. – forest Feb 06 '18 at 02:05
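The answer's first point (sample rate) and the comment about the 10 - 16.7 kHz PS/2 clock can be checked numerically. The following is an added example, not code from the thread: it models an idealised, noise-free PS/2 DATA line sending one scan code at a 12.5 kHz clock, samples it at several rates, and tries to decode the frame from the samples alone. The 310 us frame offset, the one-second window and the scan code 0x1C are constructed values; the 6 Hz rate is the fastest meter sampling rate the answer cites.

```python
# Added example (not from the thread): can a given sample rate resolve a PS/2 frame at all?
# Idealised, noise-free PS/2 DATA line, one scan code, 12.5 kHz clock (inside the
# 10-16.7 kHz range quoted above). Frame offset, window length and scan code are constructed.
PS2_CLOCK_HZ = 12_500
BIT_US = 1_000_000 // PS2_CLOCK_HZ      # 80 microseconds per bit cell
FRAME_START_US = 310                     # constructed: key pressed 310 us into the window
WINDOW_US = 1_000_000                    # one second of line activity

def ps2_frame(scancode):
    """11-bit device-to-host frame: start (0), 8 data bits LSB first, odd parity, stop (1)."""
    data = [(scancode >> i) & 1 for i in range(8)]
    parity = 0 if sum(data) % 2 else 1   # odd parity: ones in data+parity must be odd
    return [0] + data + [parity] + [1]

def data_line(t_us, frame):
    """Logic level on DATA at time t (microseconds); the line idles high."""
    if t_us < FRAME_START_US:
        return 1
    i = (t_us - FRAME_START_US) // BIT_US
    return frame[i] if i < len(frame) else 1

def sample_line(frame, rate_hz):
    """Sample the line rate_hz times per second across the window, as an ADC would."""
    n = int(WINDOW_US * rate_hz / 1_000_000)
    return [data_line(round(k * 1_000_000 / rate_hz), frame) for k in range(n)]

def decode(samples, rate_hz):
    """Find the start bit, then read every bit cell at its centre; None on framing/parity error."""
    if 0 not in samples:
        return None                      # no low sample at all: the frame fell between samples
    t0 = samples.index(0) * 1_000_000 / rate_hz
    bits = []
    for i in range(11):
        k = round((t0 + (i + 0.5) * BIT_US) * rate_hz / 1_000_000)
        if k >= len(samples):
            return None
        bits.append(samples[k])
    data, parity, stop = bits[1:9], bits[9], bits[10]
    if bits[0] != 0 or stop != 1 or (sum(data) + parity) % 2 == 0:
        return None
    return sum(b << i for i, b in enumerate(data))

def keystroke_recoverable(scancode, rate_hz):
    """True only if the scan code decoded from the samples equals the one that was sent."""
    return decode(sample_line(ps2_frame(scancode), rate_hz), rate_hz) == scancode

if __name__ == "__main__":
    for rate in (6, 1_000, 10_000, 125_000):   # 6 Hz: fastest meter rate the answer cites
        print(f"{rate:>7} Hz -> recovered: {keystroke_recoverable(0x1C, rate)}")
```

At 6 Hz and 1 kHz the 0.88 ms frame is never resolved; at 10 kHz (below the 12.5 kHz bit rate) a bit cell is skipped and a wrong scan code even passes the parity check, and only the 10x-oversampled 125 kHz case returns 0x1C. Real lines add the noise the answer discusses, which only raises the required rate and precision further.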