[DefCon32] Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows
In a world where physical barriers seem to shield sensitive data, Samy Kamkar reveals how light and sound betray secrets. A renowned security researcher, Samy introduces a laser-based eavesdropping technique that captures keystrokes through glass windows, targeting air-gapped systems. His accessible approach, requiring minimal technical expertise, leverages physics to extract signals from noise, demonstrating vulnerabilities in seemingly secure environments.
Samy, known for past innovations like the MySpace worm, explores side-channel attacks rooted in historical TEMPEST research by the NSA and KGB. By directing lasers at reflective surfaces, he captures vibrations from typing or audio, decoding them into actionable data. This method, blending optical and radio signal processing, exposes the fragility of physical security in modern systems.
Physics of Signal Leakage
Samy demystifies how energy forms—light, sound, vibration—travel through air, undermining air-gapped systems. Electrical signals emit electromagnetic waves, capturable via radio or optical methods. His laser microphone, pointed at a window, detects minute vibrations from keystrokes or ambient sound, converting them into audible signals.
Historical attacks, like the KGB’s 1940s “The Thing” device, inform his approach. By combining affordable components like lasers and photodiodes, Samy reconstructs clear audio, demonstrating the technique’s accessibility.
Keystroke Recovery and Analysis
Using tools like FFmpeg and GNU Radio, Samy processes laser reflections to isolate keystroke sounds. Each key produces distinct acoustic signatures, which frequency analysis decodes, especially when paired with language models. For instance, 100–200 keystrokes suffice to infer typed content in English, akin to cracking a substitution cipher.
Demonstrations show a laptop’s reflective surface betraying typed text, with software recovering input at 10x speed. This highlights the technique’s real-world feasibility, even in noisy environments.
Mitigations and Challenges
Samy addresses noise reduction, a key challenge, by shifting processing to the radio domain, leveraging GNU Radio’s filtering capabilities. Potential defenses include anti-reflective coatings or white noise generators, though these are costly or impractical. He encourages exploring further signal processing improvements, such as advanced denoising algorithms.
The technique’s low cost—using consumer-grade lasers—makes it a potent threat, urging organizations to reassess physical security for sensitive systems.
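A defender-side check of the white-noise mitigation mentioned above, as an added example that is not from the talk or from Samy's tools: it builds a constructed recording (synthetic damped bursts standing in for keystrokes, Gaussian noise as the masker) and reports which 10 ms frames still stand 10 dB above the noise floor. The sample rate, burst shape, noise levels and the 10 dB margin are assumptions chosen for illustration.

```python
import math
import random
import statistics

FS = 8000      # sample rate in Hz (assumed)
FRAME = 80     # 10 ms analysis frame at FS
KEY_FRAMES = [20, 45, 70, 95, 120, 145, 170, 190]  # constructed keystroke positions


def click(freq=2000.0, tau=20.0):
    """Constructed keystroke transient: a damped 2 kHz burst, one frame long."""
    return [math.exp(-n / tau) * math.sin(2 * math.pi * freq * n / FS)
            for n in range(FRAME)]


def record(noise_sigma, seed=1, seconds=2):
    """Synthetic recording: Gaussian background noise plus one burst per key frame."""
    rng = random.Random(seed)
    sig = [rng.gauss(0.0, noise_sigma) for _ in range(FS * seconds)]
    for f in KEY_FRAMES:
        for i, v in enumerate(click()):
            sig[f * FRAME + i] += v
    return sig


def frame_energy(sig):
    """Energy of each non-overlapping 10 ms frame."""
    return [sum(x * x for x in sig[i:i + FRAME])
            for i in range(0, len(sig) - FRAME + 1, FRAME)]


def exposed_frames(sig, margin_db=10.0):
    """Frames whose energy exceeds the median (noise-floor) energy by margin_db."""
    energy = frame_energy(sig)
    limit = statistics.median(energy) * 10 ** (margin_db / 10)
    return [i for i, e in enumerate(energy) if e > limit]


def key_margin_db(sig):
    """Mean energy of the known keystroke frames relative to the noise floor, in dB."""
    energy = frame_energy(sig)
    keys = statistics.mean(energy[f] for f in KEY_FRAMES)
    return 10 * math.log10(keys / statistics.median(energy))


if __name__ == "__main__":
    for label, sigma in (("quiet room", 0.01), ("masking noise", 0.5)):
        rec = record(sigma)
        print(label, len(exposed_frames(rec)), "frames exposed,",
              round(key_margin_db(rec), 1), "dB over floor")
```

A simple energy threshold is only a baseline: the talk describes filtering in GNU Radio to pull signal out of noise, so an empty result here does not show that masking defeats a more capable analysis.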
Broader Implications for Security
Samy’s work extends beyond keyboards, suggesting vulnerabilities in any vibrating surface. He calls for community research into side-channel mitigations, emphasizing that “unhackable” claims invite scrutiny. His open-source tools, shared for experimentation, empower defenders to test and secure their environments.