Network World

Richard Stiennon

Worried about electronic snooping of key strokes? Forget about it.

By stiennon on Wed, 10/22/08 - 9:26pm.

While technically enthralling, the recent buzz over the vulnerability discovered in the way manufacturers wire keyboards is unwarranted. While it is too late for the concept to be worked into the next James Bond movie due out in two weeks, I am sure it will make it into either the next James Bond or Mission Impossible film. The idea, explained in a blog posting at the Security and Cryptography Laboratory at the Ecole Polytechnique Fédérale de Lausanne in Switzerland, is that each key will emit slightly different electromagnetic signals when depressed. This is very similar to the Tempest concept of cathode ray tube images being reconstructed by remote sensing devices.

My contention is that, while interesting, this is not a threat that you should spend any time worrying about. When was the last time you heard of a successful Tempest attack? Or how about those proximity sensing card swipe machines? Have any hackers figured out how to steal money from your wallet when you brush against their illicit scanner? No. Some threats are possible, just not probable.

However, if you are truly worried about compromising keystroke emission sensing attacks, have I got a solution for you: mylar bags!

Mylar bags 

Indeed - weakest link is OS, not HW

Richard,

Couldn't agree more. We tend to overestimate certain threats because of how spectacular and interesting they are. We also overestimate certain security technologies, as Bruce Schneier's article on quantum crypto suggests.

The truth, as you point out, is that these attacks are improbable. And part of the reason for that low probability is that there are much weaker links in the chain. It is easier to install a hardware keylogger than to scan emissions in most cases. It is infinitely easier yet to install a software keylogger on the OS - via a drive-by download on IE or a malware-ridden email.

Why bother with emissions? See the US govt. who have had Tempest scanning systems for decades: several FBI cases have hinged on (warranted) keyboard snooping. All of them were software key-loggers, not tempest.

About Stiennon onSecurity

Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.