What's new

Afraid of the NSA? Not even a typewriter will hide you from their eyes!

SvenSvensonov

PROFESSIONAL
Joined
Oct 15, 2014
Messages
1,617
Reaction score
207
Country
United States
Location
Sweden
The references, due to their formatting and excess use of hyperlinks and strange symbols tends to cause moderation issues, I've omitted them for now, but will try to include them after tweaking their formatting a bit.


In the wake of the NSA spying revelations (to those not familiar with them) the German BND decided to return to typewriters instead of computer based documents and communications. It won’t make a difference


Here's why


INTRODUCTION


This paper reports on recovering keystrokes typed on a keyboard from a sound recording of the user typing. Emanations produced by electronic devices have long been a topic of concern in the security and privacy communities. Both electromagnetic and optical emanations have been used as sources for attacks. For example, Kuhn was able to recover the display on CRT and LCD monitors using indirectly reflected optical emanations. Acoustic emanations are another source of data for attacks. Researchers have shown that acoustic emanations of matrix printers carry substantial information about the printed text. Some researchers suggest it may be possible to discover CPU operations from acoustic emanations in ground-breaking research, Asonov and Agrawal showed that it is possible to recover text from the acoustic emanations from typing on a keyboard.


Most emanations, including acoustic keyboard emanations, are not uniform across different instances, even when the same device model is used; and they are affected by the environment. Different users on a single keyboard or different keyboards (even of the same model) emit different sounds, making reliable recognition hard. Asonov and Agrawal achieved relatively high recognition rate (approximately 80 percent) when they trained neural networks with text-labeled sound samples of the same user typing on the same keyboard. Their attack is analogous to a known-plaintext attack on a cipher – the cryptanalyst has a sample of plaintext (the keys typed) and the corresponding cipher-text (the recording of acoustic emanations). This labeled training sample requirement suggests a limited attack, because the attacker needs to obtain training samples of significant length. Presumably these could be obtained from video surveillance or network sniffing. However, video surveillance in most cases should render the acoustic attack irrelevant, because even if passwords are masked on the screen, a video shot of the keyboard could directly reveal the keys being typed.


In this paper we argue that a labeled training sample requirement is unnecessary for an attacker. This implies keyboard emanation attacks are more serious than previous work suggests. The key insight in our work is that the typed text is often not random. When one types English text, the finite number of mostly used English words limits possible temporal combinations of keys, and English grammar limits word combinations. One can first cluster (using unsupervised methods) keystrokes into a number of acoustic classes based on their sound. Given sufficient (unlabeled) training samples, a most-likely mapping between these acoustic classes and actual typed characters can be established using the language constraints.


THE ATTACK


We take a recording of a user typing English text on a keyboard, and produce a recognizer that can, with high accuracy, determine subsequent keystrokes from sound recordings if it is typed by the same person, with the same keyboard, under the same recording conditions. These conditions can easily be satisfied by, for example, placing a wireless microphone in the user’s work area or by using parabolic or laser microphones from a distance. Although we do not necessarily know in advance whether a user is typing English text, in practice we can record continuously, try to apply the attack, and see if meaningful text is recovered.


It contains the following steps,


Feature extraction.


We use cepstrum features, a technique developed by researchers in voice recognition. As we discuss below, cepstrum features give better results than FFT.


Unsupervised key recognition


Using unlabeled training data. We cluster each keystroke into one of K acoustic classes, using standard data clustering methods. K is chosen to be slightly larger than the number of keys on the keyboard. If these acoustic clustering classes correspond exactly to different keys in a one-to-one mapping, we can easily determine the mapping between keys and acoustic classes. However, clustering algorithms are imprecise. Keystrokes of the same key are sometimes placed in different acoustic classes and conversely keystrokes of different keys can be in the same acoustic class. We let the acoustic class be a random variable conditioned on the actual key typed. A particular key will be in each acoustic class with a certain probability. In well clustered data, probabilities of one or a few acoustic classes will dominate for each key. Once the conditional distributions of the acoustic classes are determined, we try to find the most likely sequence of keys given a sequence of acoustic classes for each keystroke. Naively, one might think picking the letter with highest probability for each keystroke yields the best estimation and we can declare our job done.


Spelling and grammar checking


We use dictionary-based spelling correction and a simple statistical model of English grammar. These two approaches, spelling and grammar, are combined in a single Hidden Markov Model. This increases the character accuracy rate to over 70 percent, yielding a word accuracy rate of about 50 percent or more. At this point, the text is quite readable


Feedback-based training


Feedback-based training produces a keystroke acoustic classifier that does not require an English spelling and grammar model, enabling random text recognition, including password recognition. In this step, we use the previously obtained corrected results as labeled training samples. Note that our corrected results are not 100 percent correct. We use heuristics to select words that are more likely to be correct. For examples, a word that is not spell-corrected or one that changes only slightly during correction in the last step is more likely to be correct than those that had more changes. In our experiments, we pick out those words with fewer than one-fourth of the characters corrected and use them as labeled samples to train an acoustic classifier. The recognition phase recognizes the training samples again. This second recognition typically yields a higher keystroke accuracy rate. We use the number of corrections made in the spelling and grammar correction step as a quality indicator. Fewer corrections indicate better results. The same feedback procedure is performed repeatedly until no significant improvement is seen. In our experiments, we perform three feedback cycles. Our experiments indicate both linear classification and Gaussian mixtures perform well as classification algorithms and both are better than neural networks as used in. In our experiments, character accuracy rates (without a final spelling and grammar correction step) reach up to 92 percent.


The second phase, the recognition phase, uses the trained keystroke acoustic classifier to recognize new sound recordings. If the text consists of random strings, such as passwords, the result is output directly. For English text, the above spelling and grammar language model is used to further correct the result. To distinguish between two types of input, random or English, we apply the correction and see if reasonable text is produced. In practice, a human attacker can typically determine if text is random. An attacker can also identify occasions when the user types user names and passwords. For example, password entry typically follows a URL for a password protected website. Meaningful text recovered from the recognition phase during an attack can also be fed-back to the first phase. These new samples along with existing samples can be used together to increase the accuracy of the keystroke classifier.


Keystroke Extraction


Typical users can type up to about 300 characters per minutes. Keystrokes consist of a push and a release. Our experiments confirm Asonov and Agrawal’s observation that the period from push to release is typically about 100 milliseconds. That is, there is usually more than 100 milliseconds between consecutive keystrokes, which is large enough to distinguish the consecutive keystrokes. We need to detect the start of a keystroke, which is essentially the start of the push peak in a keystroke acoustic signal.


We distinguish between keystrokes and silence using energy levels in time windows. In particular, we calculate windowed discrete Fourier transform of the signal and use the sum of all FFT coefficients as energy. We use a threshold to detect the start of keystrokes.


Features: Cepstrum vs. FFT


Given the start of each keystroke, features of this keystroke are extracted from the audio signal during the period from wavposition to wavposition plus delta-theta. Our experiments compared two different types of features. First we used FFT features, as in. This time period roughly corresponds to the touch peak of the keystroke, which is when the finger touches the key. An alternative would be to use the hit peak, when the key hits the supporting plate. The hit peak is harder to pinpoint in the signal, so our experiments used the touch peak.


Next, we used cepstrum features. Cepstrum features are widely used in speech analysis and recognition Cepstrum features have been empirically verified to be more effective than plain FFT coefficients for voice signals. In particular, we used Mel-Frequency Cepstral Coefficients (MFCCs).


Asonov and Agrawal’s observation shows that high frequency acoustic data provides limited value. We ignore data over 12KHz. After feature extraction, each keystroke is represented as a vector of features (FFT coefficients or MFCCs).


Defenses


Since our attack is based on acoustic signal through passively eavesdropping, it is more difficult to detect this type of attacks than active attacks where attackers actively interact with victims. Here are some preliminary areas for potential defenses:


Reduce the possibility of leaking acoustic signals. Sound proving may help, but given the effectiveness of modern parabolic and laser microphones, the standards are very high.


Quieter keyboards as suggested by Asonov and Agrawal may reduce vulnerability. However, the two so-called “quiet” keyboards we used in our experiments proved ineffective against the attack. Asonov and Agrawal also suggest that keyboard makers could produce keyboards having keys that sound so similar that they are not easily distinguishable. They claim that one reason keys sound different today is that the plate underneath the keys makes different sounds when hit at different places. If this is true, using a more uniform plate may alleviate the attack. However, it is not clear whether these kinds of keyboards are commercially viable. Also, there is the possibility that more subtle differences between keys can still be captured by an attacker. Further, keyboards may develop distinct keystroke sounds after months of use.


Another approach is reduce the quality of acoustic signal that could be acquired by attackers. We could add masking noise while typing. However, we are not sure that masking noises might not be easily separated out. As we discussed above, an array of directional microphones may be able to record and distinguish sound into multiple channels according to the locations of the sound sources. This defense could also be ineffective when attackers are able to collect more data. Reducing the annoyance of masking is also an issue. Perhaps a short window of noise could be added at every predicted push peak. This may be more acceptable to users than continuous masking noise. Alternatively, perhaps we could randomly insert noise windows which sound like push peaks of keystrokes.


The practice of relying only on typed passwords or even long passphrases should be reexamined. One alternative is two-factor authentication that combines passwords or pass-phrases with smart cards, one-time-password tokens, biometric authentication and. However two-factor authentication does not solve all our problems. Typed text other than passwords is also valuable to attackers.


CONCLUSION


Our new attack on keyboard emanations needs only acoustic recording of typing using a keyboard and recovers the typed content. Compared to previous work that requires clear-text labeled training data, our attack is more general and serious. More important, the techniques we use to exploit inherent statistical constraints in the input and to perform feedback training can be applied to other emanations with similar properties.



@Oscar @Slav Defence @Jungibaaz @Gufi @Nihonjin1051 @AMDR @AUSTERLITZ @levina
 
.
Interesting that this sort of occurred to me a few years ago when someone told me that PAKmil had resorted to such tactics in the wake of some serious concerns regarding Compass Call flights near the Afg Border.
However, I think that the ultimate solution lies in skipping the wave spectrum altogether..which is rather odd considering that the whole universe is waves at some point; but what if those transmitting at some point could be skipped for something a little more old school? Like projectile communication.
 
.
So now we have to work to produce stealth typewriters :undecided:, minimized acoustic signatures. Why not start with hand written documentation....It wont require all this fuss...
 
Last edited:
.
use this now
Carrier%20Pigeon_0.jpg
 
.
In other words, when the NSA does it to the world it is justified, but when China or other nations resort to similar tactics it is illegal and hostile. Nice one. Yep, we're not even safe using typewriters. Thanks for reminding us NSA.
 
Last edited:
.
:crazy:reading comprehension not your strong suit? Please find where I wrote that the NSA gets a free pass while Chinese intelligence is damned. You're inferring far to much from the title I appropriated to this thread. You shouldn't be, it was a relevant example, nothing more.

Also, all nations consider their own spying justified and all others hostile, not just the US and the NSA.

Who has asked you anything? :crazy: Did I perhaps hit a sensitive nerve? Of course I did.

I was only conveying my opinion regarding the NSA and their arrogance. They tap the entire world (including their allies) and wonder why people question their arrogance. Don't like my opinion? Don't read it. Your knee-jerk reaction was to be expected though.
 
Last edited:
.
Interesting that this sort of occurred to me a few years ago when someone told me that PAKmil had resorted to such tactics in the wake of some serious concerns regarding Compass Call flights near the Afg Border.
However, I think that the ultimate solution lies in skipping the wave spectrum altogether..which is rather odd considering that the whole universe is waves at some point; but what if those transmitting at some point could be skipped for something a little more old school? Like projectile communication.

Can you elaborate, please?
 
. . .
No i meant, what tactics did Pakistan resort to?

What is Faraday cage? - Definition from WhatIs.com

Faraday cage - Wikipedia, the free encyclopedia



ALUMINUM FOIL HOUSE WRAP KILLS WI-FI SIGNALS

Filed under: Electrical, Thermal & Moisture Protection — Tags: radio waves in buildings


Radio signals like mobile phone, Wi-Fi and even satellite TV do a fairly good job passing through stud walls and windows to get into buildings. Over the years I’ve noticed that Pre-Engineered Buildings tend to do poorly with radio signals because the metal roof and walls reflect those radio waves rather than let them pass.

This month’s cover story for PC Pro describes how house construction materials can have a huge effect on your radio wave reception inside the walls. A simple choice of construction materials could lead to many annoying moments inside your new home or office.



The article includes this photo showing a house being constructed with a aluminum foil faced house wrap. The product appears to be Protect TF200 Thermo. From a thermal prospective, this product would be superior toTyvek House Wrap because it would reflect some thermal radiation back into the heated space along with helping control the air leaks of infiltration. I believe that thermal advantage would be minimal, but the radio interference could be a major annoyance. I will use a Tyvek type product, or building paper, when house wrap is needed in the future.


wifi-Foil-house.jpg


On office buildings, we sometimes use Thermax cavity wall insulation between the concrete block and the brick. Thermax has an aluminum foil backing that would also reflect radio waves. In the future, I’ll be specifyingStyrofoam for cavity wall insulation, to improve the Wi-Fi and mobile phone experience of the future users.

Admittedly I haven’t seen the science on this issue, no real test studies that I know of. But my own experience, as well as my understanding of basic physics, leads me to conclude that I want to avoid foil wraps on walls and roofs when I can. Since products exist that do a similar job at the same cost, I’m going to forgo the (what I think to be slight) thermal benefit in hopes of not messing up mobile phone and Wi-Fi reception.

By the way, if you’re in a home or office that has terrible radio wave reception and discover you have foil backed house wrap or roofing, you are probably up the proverbial creek paddle-less. Since there aren’t any simple fixes, it’s worthwhile to try to avoid the situation on future projects.

Thanks to Kneal for yet again finding items of interest. You are truly the geek’s geek. And, of course, I mean that in the best possible way.

Comments (2)
2 RESPONSES TO “ALUMINUM FOIL HOUSE WRAP KILLS WI-FI SIGNALS”


  1. ab9e4062c2ed47ef93fc0b0c26649b8c
    Gond says:
    January 23, 2012 at 8:40 pm
    As a network engineer for a large company, I would like to point out that having a Wi-fi reflective coating on external walls is actually desirable by a lot of companies. The logic is that we don’t want anyone outside of the building being able to hack our wireless networks, so if they can’t see the radio signals, they can’t attempt a hack. Just something to consider.
Aluminum Foil House Wrap Kills Wi-Fi Signals « Construction Knowledge



Why Does Aluminum Foil Block Cell Phone Signals?
by J.T. Barett, Demand Media

Metal blocks the radio signals cell phones use to communicate.

A cell phone, wrapped in a layer of aluminum foil, cannot receive calls. The foil, an electrical conductor, creates a barrier called a Faraday Cage around the phone, blocking the radio signals on which it operates. You can easily demonstrate this for yourself by placing a phone on a sheet of aluminum foil, folding the foil over until you completely cover the device, and then calling its number -- the phone will not ring.


RADIO WAVES AND FIELDS
Radio waves, such as those used to carry cell phone signals, are an example of electromagnetic radiation, moving electric fields that travel at the speed of light. An aluminum-foil barrier cancels the fields, so a radio wave cannot pass through it. A cell phone surrounded on all sides by foil receives no radio waves.

FARADAY CAGE
Scientists use a structure called a Faraday Cage to provide an area free of radio signals in order to perform sensitive experiments or to test electronic equipment. The cage is simply an enclosed box made of an electrical conductor such as aluminum. The conductor's thickness has little effect on signal blocking; thin foils or heavy plates work equally well. The cage can have holes, gaps or windows, provided they are much smaller than the shortest wavelength of radio signal you want to block. The door on a microwave oven, for example, has a wire mesh; the holes in the mesh let you see inside the oven while keeping the microwaves safely inside.

TWO-WAY BLOCKING
While the Faraday Cage formed by aluminum foil surrounding a cell phone keeps signals from reaching it, it also blocks signals coming from the cell phone. If you sat inside a Faraday Cage the size of a small room with a cell phone, you would not be able to make any calls because the cell tower would not receive your signal. You could communicate with a partner using walkie-talkies inside the cage, but not to anyone outside it.

OTHER CONDUCTORS
Although aluminum foil is easy to obtain, you can use any good conductor to block cell phone signals. Copper and zinc are both excellent conductors that make effective Faraday Cages. Iron and steel are also good conductors; steel-framed buildings often have many cell signal dead zones because the beams form unintended Faraday Cages, blocking radio waves.

Why Does Aluminum Foil Block Cell Phone Signals? | Science - Opposing Views


With such measures in Place, communication is then done through highly secure fiber-optics or Shielded twisted pair cables and you would need physical access to cables to hack in to networks.
 
Last edited:
.
What is Faraday cage? - Definition from WhatIs.com

Faraday cage - Wikipedia, the free encyclopedia



ALUMINUM FOIL HOUSE WRAP KILLS WI-FI SIGNALS

Filed under: Electrical, Thermal & Moisture Protection — Tags: radio waves in buildings


Radio signals like mobile phone, Wi-Fi and even satellite TV do a fairly good job passing through stud walls and windows to get into buildings. Over the years I’ve noticed that Pre-Engineered Buildings tend to do poorly with radio signals because the metal roof and walls reflect those radio waves rather than let them pass.

This month’s cover story for PC Pro describes how house construction materials can have a huge effect on your radio wave reception inside the walls. A simple choice of construction materials could lead to many annoying moments inside your new home or office.



The article includes this photo showing a house being constructed with a aluminum foil faced house wrap. The product appears to be Protect TF200 Thermo. From a thermal prospective, this product would be superior toTyvek House Wrap because it would reflect some thermal radiation back into the heated space along with helping control the air leaks of infiltration. I believe that thermal advantage would be minimal, but the radio interference could be a major annoyance. I will use a Tyvek type product, or building paper, when house wrap is needed in the future.


wifi-Foil-house.jpg


On office buildings, we sometimes use Thermax cavity wall insulation between the concrete block and the brick. Thermax has an aluminum foil backing that would also reflect radio waves. In the future, I’ll be specifyingStyrofoam for cavity wall insulation, to improve the Wi-Fi and mobile phone experience of the future users.

Admittedly I haven’t seen the science on this issue, no real test studies that I know of. But my own experience, as well as my understanding of basic physics, leads me to conclude that I want to avoid foil wraps on walls and roofs when I can. Since products exist that do a similar job at the same cost, I’m going to forgo the (what I think to be slight) thermal benefit in hopes of not messing up mobile phone and Wi-Fi reception.

By the way, if you’re in a home or office that has terrible radio wave reception and discover you have foil backed house wrap or roofing, you are probably up the proverbial creek paddle-less. Since there aren’t any simple fixes, it’s worthwhile to try to avoid the situation on future projects.

Thanks to Kneal for yet again finding items of interest. You are truly the geek’s geek. And, of course, I mean that in the best possible way.

Comments (2)
2 RESPONSES TO “ALUMINUM FOIL HOUSE WRAP KILLS WI-FI SIGNALS”


  1. ab9e4062c2ed47ef93fc0b0c26649b8c
    Gond says:
    January 23, 2012 at 8:40 pm
    As a network engineer for a large company, I would like to point out that having a Wi-fi reflective coating on external walls is actually desirable by a lot of companies. The logic is that we don’t want anyone outside of the building being able to hack our wireless networks, so if they can’t see the radio signals, they can’t attempt a hack. Just something to consider.
Aluminum Foil House Wrap Kills Wi-Fi Signals « Construction Knowledge



Why Does Aluminum Foil Block Cell Phone Signals?
by J.T. Barett, Demand Media

Metal blocks the radio signals cell phones use to communicate.

A cell phone, wrapped in a layer of aluminum foil, cannot receive calls. The foil, an electrical conductor, creates a barrier called a Faraday Cage around the phone, blocking the radio signals on which it operates. You can easily demonstrate this for yourself by placing a phone on a sheet of aluminum foil, folding the foil over until you completely cover the device, and then calling its number -- the phone will not ring.


RADIO WAVES AND FIELDS
Radio waves, such as those used to carry cell phone signals, are an example of electromagnetic radiation, moving electric fields that travel at the speed of light. An aluminum-foil barrier cancels the fields, so a radio wave cannot pass through it. A cell phone surrounded on all sides by foil receives no radio waves.

FARADAY CAGE
Scientists use a structure called a Faraday Cage to provide an area free of radio signals in order to perform sensitive experiments or to test electronic equipment. The cage is simply an enclosed box made of an electrical conductor such as aluminum. The conductor's thickness has little effect on signal blocking; thin foils or heavy plates work equally well. The cage can have holes, gaps or windows, provided they are much smaller than the shortest wavelength of radio signal you want to block. The door on a microwave oven, for example, has a wire mesh; the holes in the mesh let you see inside the oven while keeping the microwaves safely inside.

TWO-WAY BLOCKING
While the Faraday Cage formed by aluminum foil surrounding a cell phone keeps signals from reaching it, it also blocks signals coming from the cell phone. If you sat inside a Faraday Cage the size of a small room with a cell phone, you would not be able to make any calls because the cell tower would not receive your signal. You could communicate with a partner using walkie-talkies inside the cage, but not to anyone outside it.

OTHER CONDUCTORS
Although aluminum foil is easy to obtain, you can use any good conductor to block cell phone signals. Copper and zinc are both excellent conductors that make effective Faraday Cages. Iron and steel are also good conductors; steel-framed buildings often have many cell signal dead zones because the beams form unintended Faraday Cages, blocking radio waves.

Why Does Aluminum Foil Block Cell Phone Signals? | Science - Opposing Views


With such measures in Place, communication is then done through highly secure fiber-optics or Shielded twisted pair cables and you would need physical access to cables to hack in to networks.

A Faraday cage blocks electronic signals only below the rating of the Faraday cage, but it won't block sound waves, as is the method of gathering intelligence on a typewriter.

For an automatic typewriter, yes, a Faraday cage would be effective at stopping electronic snooping. But in both cases, an automatic and analogue typewriter would still face the threat of acoustic snooping.
 
.
A Faraday cage blocks electronic signals only below the rating of the Faraday cage, but it won't block sound waves, as is the method of gathering intelligence on a typewriter.

For an automatic typewriter, yes, a Faraday cage would be effective at stopping electronic snooping. But in both cases, an automatic and analogue typewriter would still face the threat of acoustic snooping.

Parabolic and Laser microphones or whatever the classified devices used in on acoustic snooping must have distance constraints. Taking an example of spy shows or movies where FBI employees parabolic antennas to listen on to person conversations on whom mic can't implanted. The distance was mostly within 500-1000 meters. Not to forget other atmospheric constraints which attenuates the sounds emanating from typewriters as well building materials and coatings which would absorb sound waves. (Sound insulations and absorptions)

Soundproofing and acoustic insulation

Sound insulation - Paroc.com

Sound absorption - Paroc.com


Absorption (acoustics) - Wikipedia, the free encyclopedia

With proper security cordon around the building, you can make it impossible for the snooping team to be within acceptable distance to capture sound waves.

Ofcourse I'm assuming lot of things and might be wrong.
 
Last edited:
.
The system likely also uses probability algorithms to determine which alphabet is typed (Vowels are used more often than other alphabets).

There is a relatively easy solution to this sort of espionage. Zero sound generated. I shouldn't say it incase our armed forces are also using that particular solution.
 
.
Back
Top Bottom