Keystrokes – Still the best way to get your password

How many times have you walked into a chain store, stepped up to the order counter, and seen the back of a PC, only shielded by the tip jar? Sure, there’s a lot of tools in the attacker’s arsenal for getting your most sensitive passwords, but it’s a hacker’s delight when they simply don’t have to try, because you’ve typed it out for them.

Some of the ways in involve:

  • Cracking weak encryption
  • Brute forcing attempts over and over again (a,b,c..1,2,3)
  • Common username and password guessing (dictionary attacks)

Truly where we’re most vulnerable is the transfer of that password between our brains and the input surface.

Nobody would notice if I just plug this between a keyboard and a computer, right?

There are numerous examples of of how your password can be derived using “emanations”.

Wireless Keyboards, (and mice): ditch em.

Convenient? Sure. Sometimes. Until those AA batteries start leaking. Most modern keyboards have some variant of encryption to battle eavesdropping. Most encryption is weakest when cryptography-keys don’t change, and when repetition is high. Like hitting the letter “e” in this paragraph two-dozen times. (Are you counting?)

In the end what you’ve got is a radio. Sometimes the signal is weak, so an intercepting receiver would have to be in the same room or office space, but that’s never been a problem for a good Yagi antenna and careful positioning of the relay or analysis hardware.

TEMPEST Attacks

The reproduction of wireless signals into intelligence data is a still very useful way to obtain password and other data without needing physical access to the target devices. One style of attack I found interesting was inspired by the TEMPEST program of the 1950s by US and British governments.  The reproduction of wireless signals into intelligence data is a very old concept.

I personally witnessed a Cathode-Ray-Tube monitor replicating an adjacent monitor (even through a wall).  It was “tuned and amplified” into the target monitor and displayed a mirror image in real time. Fuzzy, but good enough to distinguish letters in the low-res graphics of the early 90’s.

Acoustic Signatures Too!

That’s right. The letter “G” on my keyboard sounds different than all the other buttons, when depressed. To the human ear, the clickety-clack of any button on my mechanical keyboard sounds the same, but when that audio is analysed in a computer, it can easily be distinguished by markers such as “stickiness delay”, “tone”, volume, and a whole host of other derivations.

In most cases, for accuracy, and individual keyboard (or ATM pinpad) would have to be pre-recorded in order to achieve usable accuracy. When that’s not available though, sufficient length of recording could provide typing analysts with a data set that could be extrapolated (a space bar sound would sound markedly different, distinguish between words, and most phrases in a common language are predictable in length and number of keys stroked).

Still the easiest way: Over the Shoulder

Of course, sometimes it’s the “shoulder surfing” or physical breach of that device that can compromise a pin or password. Take a look at recent ATM skimmers, and you’ll see that they usually have a camera to watch a PIN being entered.

A camera is still a great way to watch pins.

Man in the Middle

Most businesses don’t think twice about exposing the USB cables of a rear-facing Point Of Sale system. A USB keylogger is small, and can be inserted between a keyboard wire and the USB port.

Keyloggers don’t even need you to return to the scene of the crime to collect the data from them. Some have wireless capabilities.

A persistent threat. Never needs batteries.

Inspect! Protect!

Is there a more easy way to gain access to passwords? Nope. The keylogger can reveal a lot and put your business, and your employees, under duress.

Take a moment and look at the back of countertop and business PC’s. Find a way to lock and cage your devices’ ports. Disconnect internal PC cabling when needed, install blanks.

Examine your computer systems envrionment and positioning. Explore what measures can be taken to remove the threat of keystroke detection and interception… RiPPUL can assist you with determining your risk.

Processing…
Success! You’re on the list.