Posts Tagged ‘SideChannelAttacks’
[DefCon32] Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows
In a world where physical barriers seem to shield sensitive data, Samy Kamkar reveals how light and sound betray secrets. A renowned security researcher, Samy introduces a laser-based eavesdropping technique that captures keystrokes through glass windows, targeting air-gapped systems. His accessible approach, requiring minimal technical expertise, leverages physics to extract signals from noise, demonstrating vulnerabilities in seemingly secure environments.
Samy, known for past innovations like the MySpace worm, explores side-channel attacks rooted in historical TEMPEST research by the NSA and KGB. By directing lasers at reflective surfaces, he captures vibrations from typing or audio, decoding them into actionable data. This method, blending optical and radio signal processing, exposes the fragility of physical security in modern systems.
Physics of Signal Leakage
Samy demystifies how energy forms—light, sound, vibration—travel through air, undermining air-gapped systems. Electrical signals emit electromagnetic waves, capturable via radio or optical methods. His laser microphone, pointed at a window, detects minute vibrations from keystrokes or ambient sound, converting them into audible signals.
Historical attacks, like the KGB’s 1940s “The Thing” device, inform his approach. By combining affordable components like lasers and photodiodes, Samy reconstructs clear audio, demonstrating the technique’s accessibility.
Keystroke Recovery and Analysis
Using tools like FFmpeg and GNU Radio, Samy processes laser reflections to isolate keystroke sounds. Each key produces distinct acoustic signatures, which frequency analysis decodes, especially when paired with language models. For instance, 100–200 keystrokes suffice to infer typed content in English, akin to cracking a substitution cipher.
Demonstrations show a laptop’s reflective surface betraying typed text, with software recovering input at 10x speed. This highlights the technique’s real-world feasibility, even in noisy environments.
Mitigations and Challenges
Samy addresses noise reduction, a key challenge, by shifting processing to the radio domain, leveraging GNU Radio’s filtering capabilities. Potential defenses include anti-reflective coatings or white noise generators, though these are costly or impractical. He encourages exploring further signal processing improvements, such as advanced denoising algorithms.
The technique’s low cost—using consumer-grade lasers—makes it a potent threat, urging organizations to reassess physical security for sensitive systems.
Broader Implications for Security
Samy’s work extends beyond keyboards, suggesting vulnerabilities in any vibrating surface. He calls for community research into side-channel mitigations, emphasizing that “unhackable” claims invite scrutiny. His open-source tools, shared for experimentation, empower defenders to test and secure their environments.
Links:
[DefCon32] Open Sesame: How Vulnerable Is Your Stuff in Electronic Lockers?
In environments where physical security intersects with digital convenience, electronic lockers promise safeguard yet often deliver fragility. Dennis Giese and Braelynn, independent security researchers, scrutinize smart locks from Digilock and Schulte-Schlagbaum AG (SAG), revealing exploitable weaknesses. Their analysis spans offices, hospitals, and gyms, where rising hybrid work amplifies reliance on shared storage. By demonstrating physical and side-channel attacks, they expose why trusting these devices with valuables or sensitive data invites peril.
Dennis, focused on embedded systems and IoT like vacuum robots, and Braelynn, specializing in application security with ventures into hardware, collaborate to dissect these “keyless” solutions. Marketed as leaders in physical security, these vendors’ products falter under scrutiny, succumbing to firmware extractions and key emulations.
Lockers, equipped with PIN pads and RFID readers, store laptops, phones, and documents. Users input codes or tap cards, assuming protection. Yet, attackers extract master keys from one unit, compromising entire installations. Side-channel methods, like power analysis, recover PINs without traces.
Firmware Extraction and Key Cloning
Dennis and Braelynn detail extracting firmware via JTAG or UART, bypassing protections on microcontrollers like AVR or STM32. Tools like Flipper Zero emulate RFID, cloning credentials cheaply. SAG’s locks yield to voltage glitching, dumping EEPROM contents including master codes.
Digilock’s vulnerabilities allow manager key retrieval, granting universal access. They highlight reusing PINs across devices—phones, cards, lockers—as a critical error, enabling cross-compromise.
Comparisons with competitors like Ojmar reveal similar issues: unencrypted storage, weak obfuscation. Attacks require basic tools, underscoring development oversights.
Side-Channel and Physical Attacks
Beyond digital, physical vectors prevail. Power consumption during PIN entry leaks digits via oscilloscopes, recovering codes swiftly. RFID sniffing captures credentials mid-use.
They address a cease-and-desist from Digilock, withdrawn post-legal aid from EFF, emphasizing disclosure challenges. Despite claims of security, these locks lack military-grade assurances, sold as standard solutions.
Mitigations include enabling code protection, though impractical for legacy units. Firmware updates are rare, leaving replacement or ignorance as options.
Lessons for Enhanced Security
Dennis and Braelynn advocate security-by-design: encrypt secrets, anticipate attacks. Users should treat locker PINs uniquely, avoid loaning keys, and recognize limitations.
Their findings illuminate cyber-physical risks, urging vigilance around everyday systems. Big firms err too; development trumps breaking in complexity.
Encouraging ethical exploration, they remind that “unhacked” claims invite scrutiny.