Compromising Electromagnetic Emanations of PS/2 Keyboards

Interim Project Report of Tempest Working Group, 22, 23, 24 April 2009
hosted by xxxxx 1010.co.uk / Berlin

Bengt Sjölén, Danja Vasiliev, Gordan Savicic, Martin Howse

Any time a machine is used to process classified information electrically, the various switches, contacts,
relays, and other components in that machine may emit radio frequency or acoustic energy.

... This problem of compromising radiation we have given the covername TEMPEST.

[TEMPEST: A Signal Problem. NSA 1972]

More information about TEMPEST at 1010.co.uk		

Understanding PS/2

We used a standard German-layout QWERTZ PS/2 (AT) keyboard connected to the computer via a PS/2-USB converter.
The data signal of the PS/2 protocol was picked up at 12.004 MHz (the clock signal of the USB1 device), which happens to be
the carrier frequency of the keyboard scancodes.

The keyboard uses a serial protocol with 11-bit frames.  These bits are:


	* 1 start bit.  This is always 0.
	* 8 data bits, least significant bit first.
	* 1 parity bit (odd parity).
	* 1 stop bit.  This is always 1.

 

In our experiment two different keys were pressed:

P -> KeyNum 26 -> Scancode 0x4D
Ä -> KeyNum 41 -> Scancode 0x52 (Ä resembles the ";" on QWERTY keyboards)
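
The frame layout above, applied to the two scancodes from the experiment. This is an added example, not part of the original report; the function names and the idle-padded sample bit stream are constructed for illustration.

```python
# Added example: PS/2 device-to-host framing, 11 bits per scancode byte.
# Bit order as listed above: start (0), 8 data bits LSB first, odd parity, stop (1).

def encode_frame(byte):
    """Return the 11 line bits for one scancode byte."""
    data = [(byte >> i) & 1 for i in range(8)]   # least significant bit first
    parity = 1 - (sum(data) % 2)                 # odd parity: data + parity hold an odd number of 1s
    return [0] + data + [parity, 1]

def decode_frame(bits):
    """Decode 11 bits; return the byte, or None if framing or parity is wrong."""
    if len(bits) != 11 or bits[0] != 0 or bits[10] != 1:
        return None                              # bad start or stop bit
    data = bits[1:9]
    if (sum(data) + bits[9]) % 2 != 1:
        return None                              # parity check failed
    return sum(b << i for i, b in enumerate(data))

def decode_stream(bits):
    """Scan an idle-high bit stream, sliding one bit forward after a bad frame."""
    out, i = [], 0
    while i + 11 <= len(bits):
        if bits[i] == 1:                         # line idle, no start bit yet
            i += 1
            continue
        byte = decode_frame(bits[i:i + 11])
        if byte is None:
            i += 1                               # resynchronise
        else:
            out.append(byte)
            i += 11
    return out

# Constructed sample: the two scancodes from the experiment, separated by idle bits.
IDLE = [1] * 4
SAMPLE = IDLE + encode_frame(0x4D) + IDLE + encode_frame(0x52) + IDLE

if __name__ == "__main__":
    for code in (0x4D, 0x52):
        print(hex(code), "".join(map(str, encode_frame(code))))
    print([hex(b) for b in decode_stream(SAMPLE)])
```

The parity bit differs between the two frames (1 for 0x4D, 0 for 0x52), so a single flipped data bit in either frame is rejected by `decode_frame`.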

Useful information about PS/2:
http://www.barcodeman.com/altek/mule/scandoc.php
http://computer-engineering.org/ps2protocol/

Using USRP & GNU Radio



Hardware Setup:

	* USRP (GNU Radio) with LFRX 0-30 MHz module from http://www.ettus.com/
	* 1 meter wire as antenna

Software:

	* Modified usrp_am_mw_rcv.py from the GNU Radio examples (changed the bandpass settings, added a file_sink)
	* Audacity for analysing the RAW data

Execution:

	# python usrp_am_mw_rcv-file.py -f 12.004M -n tempestoutput.raw  


Analysis

The RAW data was imported into Audacity as 32-bit float, 128000 samples.



Download Audacity project including RAW files