18

Reading a couple questions and answers here recently got me to thinking.

Wireless keyboards run the inherent risk of exposing their data due to the relatively broad transmission range, and the ease with which highly sensitive receivers (remember, making an RF signal audible is more the job of the receiver than the sender) can be built.

Recent studies have also shown that even wired keyboards can be exploited via the RF emanated along their cable.

Even beyond RF sniffing, there's always the risk that some "cleaning lady" might throw on a hardware keylogger between the keyboard cable and the PC.

Are there any keyboards that are secured (via encryption, shielding, and/or other means) against monitoring via electronic signal leakage or interception?


EDIT: I suppose I should be clear, in that I'm only looking to see if there are keyboards designed to prevent interception or monitoring of their electronic signals. Please do not address any other attack vectors in answering this question, except perhaps as a sidenote. I am aware that these attacks still exist, but the measures available to defend against them are beyond the scope of this query.

forest
  • 64,616
  • 20
  • 206
  • 257
Iszi
  • 26,997
  • 18
  • 98
  • 163
  • If you don't want people to talk about physical attacks like keyloggers, I'd suggest editing that out of your question. It's confusing to bring it up then say elsewhere that you don't want to include it. So are you basically just looking for systems immune from passive radio monitoring? How about optical or sonic? – nealmcb Mar 09 '11 at 21:27
  • @nealmcb - Most physical keyloggers generally comes in one of two forms, one of which is outside the scope of my query. The first is one which *intercepts or monitors* a signal from an *existing* keyboard. This type is included in my question. The second type is built-in to a *replacement* keyboard that is swapped out for the victim's. Since my question is about specialized hardware that could be purchased to defend against an attack, this type of keylogger would be out of scope. – Iszi Mar 09 '11 at 23:01
  • @nealmcb - Also, since this question is expressly targeted at monitoring of *electronic signals*, optical or acoustic loggers are out of scope. – Iszi Mar 09 '11 at 23:02
  • It remains hard to figure out what sort of realistic threat model you're talking about (see the faq). In a comment on one of the answers you say you're not worried about attacks on a virtual keyboard by eavesdropping on the electronic signals coming out of the display. What assets are you trying to protect from what kind of threats? – nealmcb Mar 10 '11 at 15:27
  • @nealmcb - This question is meant to address the *electronic transmissions* from the *keyboard* to the *computer*. I suppose in the case of a virtual keyboard, as @mrnap describes, those transmissions could be construed to include the monitor's emanations also, but that is a characteristic unique to that particular subset. With hardware-based keyboards, you would not be able to read a password off the monitor because (in most cases) the passwords are masked on the display. – Iszi Mar 10 '11 at 15:38
  • It depends on the virtual keyboard. Having some sort of feedback to the user for key entry is generally important for accuracy- e.g. highlighting the keypress itself or showing the characters, as an alternative to tactile feedback on a physical keyboard. On Android virtual keyboards I've seen, when entering a password, each character is momentarily shown on the display before being replaced by an asterisk. – nealmcb Mar 10 '11 at 16:09
  • @nealmcb - I wouldn't say it's *completely* dependent on the virtual keyboard. Anyone who can read screen output can make a fairly accurate educated guess regarding key presses on an on-screen keyboard, based on the movement patterns and pauses of the mouse cursor. A touch-screen keyboard without user feedback may mitigate this, but then you're back to securing the transmissions to the computer again. – Iszi Mar 10 '11 at 16:19
  • @nealmcb - I think at this point we *really* should take this into chat. The comment threads are starting to get long here. – Iszi Mar 10 '11 at 16:20
  • Keyboards certified for USA NSTISSAM and NATO SDIP-27 (EMSEC standards) absolutely exist. – forest Jul 30 '18 at 03:09

6 Answers6

9

I wouldn't be surprised if there is hardware out there that can solve the problems you listed, but I would hazard a guess that they are very domain/environment-specific.

Then again, when you think about each problem seperately...

Actually, that last one solves all (most?) of the problems.

Seperating each problem into seperate solutions in this case (IMO) is sort of like remedying the symptoms of a disease, instead of the disease itself.

EDIT: While the question was intended to be very specifc in nature with regard to devices on the market, I don't really know if an answer can be given without adding proper context.

Steve
  • 15,155
  • 3
  • 37
  • 66
  • And what would you say that "disease" is? – Iszi Mar 10 '11 at 03:42
  • @Iszi the 'disease' would be environmental security. See edited note. – Steve Mar 10 '11 at 08:27
  • Even environmental security in most cases is compromisable by insider threats. A secure keyboard is one way of defending against such compromise. – Iszi Mar 10 '11 at 16:26
  • @Iszi err...how? The insider could just watch the person type in the password... – Steve Mar 10 '11 at 19:06
  • I said "one way", not "the only way" or "the ultimate way". Besides, EMF snooping is much more surreptitious than shoulder-surfing or even using a spy camera. (And again, it is the only method intended to be within the scope of this question.) – Iszi Mar 10 '11 at 19:41
5

TEMPEST is the program designed to protect against EM compromise. This type of hardware is expensive, but is available for both commercial and governmental usage.

Look here for one example: http://www.advprograms.com/accessories.htm

There are other manufacturers of this equipment conforming to higher (and of course lower) levels of the TEMPEST specification. If you're not familiar with the program, wikipedia has a decent enough primer (and links to good NATO/DOD resources) of what has been declassified.

http://en.wikipedia.org/wiki/TEMPEST

iivel
  • 1,583
  • 10
  • 13
4

I'm a bit surprised none of the other posts provide a definitive answer to such an objective question. Keyboards certified for USA NSTISSAM / NATO SDIP-27 (EMSEC standards that specify, among other things, appropriate electromagnetic radiation shielding against RFI/EMI) absolutely exist. Take for example this TEMPEST keyboard from Emcon, which is certified for TEMPEST level 1:

This device is certified to NSTISSAM TEMPEST/1-92, Level I; CID09/15A, Level I; and SDIP-27/2. Level A (providing the equipment and associated systems are installed to the requirements identified in SDIP-29).

There are also certified computers, printers, smart card readers, power supplies, and even monitors. This answers your question as to whether or not they exist. Whether or not you can buy them easily is another matter. You may need a .gov email address to even contact some of these suppliers (especially those that provide bespoke hardware and not just COTS solutions like the above). The prices are typically very high compared to non-certified devices.

forest
  • 64,616
  • 20
  • 206
  • 257
3

Virtual keyboards are the most secure. If you want to have a truly secure keyboard, you need to have something onscreen that the user can click. Anything physical/wireless is vulnerable to access.

mrnap
  • 1,308
  • 9
  • 15
  • 5
    Many display technologies also emit radiation which can be detected and remotely monitored, so virtual keyboards are by no means "truly secure". See e.g. http://en.wikipedia.org/wiki/TEMPEST – nealmcb Mar 10 '11 at 06:22
  • @nealmcb - Good point, but @mrnap's solution is still a good answer here since the question is specifically targeted at the keyboard itself. Maybe we should start another topic on monitors? – Iszi Mar 10 '11 at 13:52
  • 3
    @iszi Proper security analyses are based on protecting assets from threats. A typical display of a password entry from a physical keyboard does not show the password. If the display of the virtual keyboard leaks the actual keystroke information via the same electromagnetic spectrum, its not clear under what circumstances it might be better or worse than a physical keyboard. – nealmcb Mar 10 '11 at 15:40
  • @nealmcb - Very good point. I didn't think of that until I was replying to your other comment on the question. – Iszi Mar 10 '11 at 15:45
2

An attacker with physical access can beat anything. Period.

She can replace a known secure keyboard with an identical one that contains a keylogger. Install cameras that watch the screen, keyboard, etc.

A faraday cage can help you somewhat along, but data can leak anywhere, so you need to enclose all the components of your system or use optical links to transfer data between individual systems. And then you need to monitor that optical link for bugging devices.

http://en.wikipedia.org/wiki/Faraday_cage

Certain places have entire buildings built as a faraday cage, but what good is that when KGB intercept your secured typewriters in transit and install keyloggers.

Alex Holst
  • 777
  • 4
  • 12
  • 1
    Thanks, but this was not intended to be yet another generic "physical access trumps all" discussion. I'm looking to see if a very *specific* vulnerability can be addressed through purchase of the proper hardware. – Iszi Mar 09 '11 at 20:40
  • 2
    Not quite true @Alex - there are secure sealed keyboards with trusted hardware platforms that are in use in some specific environments... But yes, in 99% of situations physical access wins! – Rory Alsop Mar 09 '11 at 22:44
  • 1
    @RoryAlsop - What you describe sounds like exactly what I'm looking for in this question. Care to post your own answer? – Iszi Mar 09 '11 at 23:03
2

Are there any keyboards that are secured (via encryption, shielding, and/or other means) against monitoring via electronic signal leakage or interception?

Yes, some (all?) Bluetooth keyboards encrypt all keystroke data transmitted over the air. The Bluetooth protocol specifies several public-key pairing techniques that are resistant to man-in-the-middle attacks. (Does any keyboard actually use any of those anti-MITM techniques?)

Related: Serverfault: How secure is a bluetooth keyboard against password sniffing?

David Cary
  • 2,720
  • 4
  • 19
  • 20
  • First of all, Bluetooth typically uses the highly vulnerable E0 stream cipher (at least when this answer was written, that's _all_ it used). Second of all, OP is asking about RF signal leakage, not MITM of wireless protocols. **This does not even _try_ to answer the question.** -1 – forest Sep 14 '18 at 02:50