Compromising Electromagnetic Emanations of PS/2 Keyboards
Interim Project Report of Tempest Working Group 22,23,24 April 2009
hosted by xxxxx 1010.co.uk / Berlin
Bengt Sjölén, Danja Vasiliev, Gordan Savicic, Martin Howse
Any time a machine is used to process classified information electrically, the various switches, contacts,
relays, and other components in that machine may emit radio frequency or acoustic energy.
... This problem of compromising radiation we have given the covername TEMPEST.
[TEMPEST: A Signal Problem. NSA 1972]
More information about TEMPEST at 1010.co.uk
We were using a standard QWERTZ German-layout PS/2 (AT) keyboard hooked up to the computer via a PS/2-USB converter.
The data signal of the PS/2 protocol was picked up at 12.004 MHz (the clock signal of the USB1 device), which happens to be
the keyboard-scancode carrier frequency.
The keyboard uses a serial protocol with 11-bit frames. These bits are:
* 1 start bit. This is always 0.
* 8 data bits, least significant bit first.
* 1 parity bit (odd parity).
* 1 stop bit. This is always 1.
In our experiment two different keys were pressed:
P -> KeyNum 26 -> Scancode 0x4D
Ä -> KeyNum 41 -> Scancode 0x52 (Ä resembles the ";" on QWERTY keyboards)
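The frame layout above, applied to the two scancodes from the experiment, as an added example that is not part of the original report: it builds and validates 11-bit frames (start bit, data LSB first, odd parity, stop bit) at the bit level. The function names and the sample bit stream are constructed for illustration and are not captured data.

```python
# Added example: the 11-bit PS/2 frame described above, at the bit level.
# Function names are hypothetical; the bit stream below is constructed.

def encode_frame(scancode):
    """Return the 11 bits of one frame in transmission order."""
    if not 0 <= scancode <= 0xFF:
        raise ValueError("scancode must fit in 8 bits")
    data = [(scancode >> i) & 1 for i in range(8)]  # least significant bit first
    parity = 1 - (sum(data) % 2)  # odd parity: data + parity carry an odd number of 1s
    return [0] + data + [parity] + [1]  # start bit 0 ... stop bit 1

def decode_frame(bits):
    """Validate one 11-bit frame and return its scancode, else raise ValueError."""
    if len(bits) != 11:
        raise ValueError("frame must be 11 bits")
    if bits[0] != 0:
        raise ValueError("start bit must be 0")
    if bits[10] != 1:
        raise ValueError("stop bit must be 1")
    data, parity = bits[1:9], bits[9]
    if (sum(data) + parity) % 2 != 1:
        raise ValueError("odd parity check failed")
    return sum(bit << i for i, bit in enumerate(data))

def decode_stream(bits):
    """Walk a bit sequence (idle line = 1); return (scancodes, rejected_frames)."""
    scancodes, rejected, i = [], 0, 0
    while i + 11 <= len(bits):
        if bits[i] == 1:  # idle level, no start bit yet
            i += 1
            continue
        try:
            scancodes.append(decode_frame(bits[i:i + 11]))
            i += 11
        except ValueError:
            rejected += 1  # framing or parity error: slide one bit and resync
            i += 1
    return scancodes, rejected

# Constructed stream: idle bits, the frame for P (0x4D), idle, the frame for Ä (0x52).
SAMPLE_STREAM = [1, 1, 1] + encode_frame(0x4D) + [1, 1] + encode_frame(0x52) + [1]

if __name__ == "__main__":
    codes, rejected = decode_stream(SAMPLE_STREAM)
    print([hex(c) for c in codes], "rejected:", rejected)
```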
Useful information about PS/2:
Using USRP & GNU Radio
* USRP GNU Radio with LFRX 0-30 MHz module from http://www.ettus.com/
* 1 meter wire as antenna
* Modified the usrp_am_mw_rcv.py from gnuradio examples (changed bandpass settings, added file_sink)
* Audacity for analysing RAW data
# python usrp_am_mw_rcv-file.py -f 12.004M -n tempestoutput.raw
RAW data was imported into Audacity as 32-bit float, 128000 samples
Download Audacity project including RAW files