
Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes

Hacker Samy Kamkar is debuting his own open source version of a laser microphone—a spy tool that can invisibly pick up the sounds inside your home through a window, and even the text you’re typing.

Wired

In a famous scene from the 1992 movie Sneakers, a hacker classic, the main characters park a surveillance van across the street from their target’s office and point a telephoto lens through his window—only to find that their view of his computer keyboard is blocked by the surprise entrance of his love interest at the precise moment when he types his password. The surveillance team ends up watching and rewatching their partially obstructed VHS video of his keystrokes, bickering comically about the layout of a QWERTY keyboard.

Today, with a few decades of surveillance tech advancements and some clever feats of physics, all it would take to grab that password—as well as anything typed on the computer, or, for that matter, every word spoken in the room—would be a well-aimed infrared laser.

At the Defcon security conference this weekend in Las Vegas, renowned hacker Samy Kamkar plans to debut his own DIY advances in a form of laser-based surveillance, demonstrating that he can point a laser that’s invisible to the human eye at a faraway laptop, through a window, and detect the computer’s vibrations to reconstruct virtually every character typed on it. The trick, which takes advantage of the subtle acoustics created by tapping different keys on a computer, works even without a view of the computer’s keyboard, so long as the hacker has a line-of-sight view of any relatively reflective portion of the target laptop.

In the process of perfecting that light-based keystroke eavesdropping technique, Kamkar says he’s also created what may well be one of the world’s most high-fidelity implementations of a laser microphone—a tool that bounces a laser off a room’s window to detect its vibrations and record all the sounds inside—or at least, one of the most advanced such laser microphones whose technical details have been publicly released. (Kamkar plans to publish the full schematics on his website and GitHub.) The result is an open-source spying setup that can, in various forms, potentially pick up virtually everything either typed or spoken aloud in a surveillance target’s room.

Kamkar says he’s been determined to build his own laser-based spy setup since he watched a Defcon talk 15 years ago, in which a pair of hackers demonstrated some rudimentary detection of keystrokes with a laser pointed at a laptop from across a room. “It blew my mind. ‘I want to do this,’” Kamkar says he remembers thinking. “But I also wanted to improve the attack. Can I make it work from outside, from far away? Can I do it with an infrared laser so the target can’t see it? And can I also hear what’s happening in the room, such as by bouncing the laser off a window?”

The answers: Yes to all the above. The video below shows an example of Kamkar’s prototype setup (he tested it through different windows of his house with varying results), with his infrared laser outside pointed at his MacBook inside, where he’s typing and listening to music.

Here’s a sample of text he was able to recover in one case from his own typing, compared to the original:

Kamkar says that his keystroke spying trick works best when he can aim his laser at a spot on a laptop that reflects light—ideally a shiny metal or plastic spot on the laptop’s case, such as a logo. “The Apple logo is nearly a mirror,” he says. “So that’s a really good reflective surface.” The video clip below, captured with an infrared camera and steam to make the laser’s path visible, shows Kamkar’s infrared laser bouncing off that shiny Apple logo.

When it came to recording sounds inside a room, Kamkar was in some cases able to pick up music clearly, as in the first two samples below—though he found that double-paned glass produced far more muffled results, which you can hear in the third audio sample.

Neither of Kamkar’s two laser-spying techniques is an entirely new concept: Both the keystroke-surveillance technique and the laser-based audio eavesdropping trick are essentially his own versions of a tool known as a laser microphone, a decades-old invention that bounces a laser off a surface and measures the reflected light to detect the target’s vibrations—such as those caused by either key presses on a laptop’s keyboard or someone’s nearby voice.

For both of his laser-based techniques, however, Kamkar used his own engineering tricks and a few thousand dollars in hardware to significantly advance the fidelity of his optical eavesdropping. To reduce the noise created by ambient light when attempting to detect vibrations in his reflected infrared laser, for instance, he designed his laser microphone system to strobe on and off 400,000 times per second, picking up the reflected light through a lens so that the light hits a photodiode—or doesn’t—depending on the target’s vibrations. By using that 400-kilohertz frequency and measuring variances in the signal’s amplitude just as an amplitude-modulated, or AM, radio does, Kamkar was able to later filter out everything other than that frequency to vastly reduce noise. He then amplified that signal and used a piece of hardware known as an upconverter to shift that AM radio signal to a higher frequency, so that it could be fed into a software-defined radio—a digital, programmable radio capable of handling a far larger range of frequencies than a typical radio—to analyze it.

“I think I’ve created the first laser microphone that’s actually modulated in the radio frequency domain,” Kamkar says. “Once I have a radio signal, I can treat it like radio, and I can take advantage of all the tools that exist for radio communication.” In other words, Kamkar converted sound into light into radio—and then back again into sound.
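Why strobing the laser helps against ambient light can be shown with a small simulation. This is an added illustration, not Kamkar’s code or design: only the 400 kHz strobe rate comes from the article, while the sample rate, the 1 kHz test tone, the 120 Hz ambient flicker, and the noise level are constructed assumptions. It compares a steady laser with a strobed laser followed by quadrature AM demodulation.

```python
import math, random

FS = 4_000_000   # simulation sample rate in Hz (assumed)
FC = 400_000     # laser strobe frequency from the article (400 kHz)
BLOCK = 400      # low-pass filter: average 40 carrier cycles -> 10 kHz output
N = 40_000       # 10 ms of simulated photodiode signal

def block_mean(x):
    """Crude low-pass filter: mean of consecutive BLOCK-sample chunks."""
    return [sum(x[i:i + BLOCK]) / BLOCK for i in range(0, len(x), BLOCK)]

def corr(a, b):
    """Pearson correlation between two equal-length sequences."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    return cov / math.sqrt(sum((p - ma) ** 2 for p in a) *
                           sum((q - mb) ** 2 for q in b))

def simulate(seed=1):
    """Return (r_direct, r_demodulated): how well each receiver tracks the tone."""
    rng = random.Random(seed)
    spc = FS // FC                      # samples per carrier cycle (10)
    audio, direct, i_mix, q_mix = [], [], [], []
    for k in range(N):
        t = k / FS
        a = math.sin(2 * math.pi * 1000 * t)        # constructed 1 kHz vibration
        refl = 1.0 + 0.2 * a                        # reflected laser intensity
        # Constructed ambient light: DC level, 120 Hz flicker, broadband noise.
        ambient = 5.0 + 3.0 * math.sin(2 * math.pi * 120 * t) + rng.gauss(0, 0.2)
        phase = 2 * math.pi * (k % spc) / spc
        strobe = 1.0 if (k % spc) < spc // 2 else 0.0
        det = ambient + refl * strobe               # photodiode, strobed laser
        audio.append(a)
        direct.append(ambient + refl)               # photodiode, laser always on
        i_mix.append(det * math.cos(phase))         # mix down with 400 kHz reference
        q_mix.append(det * math.sin(phase))
    # Envelope magnitude is independent of the unknown carrier phase.
    env = [2 * math.hypot(i, q)
           for i, q in zip(block_mean(i_mix), block_mean(q_mix))]
    ref = block_mean(audio)
    return corr(block_mean(direct), ref), corr(env, ref)

if __name__ == "__main__":
    r_direct, r_demod = simulate()
    print(f"steady laser, low-pass only:      r = {r_direct:+.2f}")
    print(f"400 kHz strobe + AM demodulation: r = {r_demod:+.2f}")
```

With the steady laser, the slow ambient flicker swamps the tone; after mixing with the 400 kHz reference, ambient light that does not vary at the strobe rate averages out and the envelope follows the vibration.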

Samy Kamkar at his home workstation. Photograph: Roger Kisby

For his keystroke detection technique, Kamkar then fed the output of his laser microphone into an audio program called iZotope RX to further remove noise and then an open source piece of software called Keytap3 that can convert the sound of keystrokes into legible text. In fact, security researchers have demonstrated for years that keystroke audio, recorded from a nearby microphone, can be analyzed and deciphered into the text that a surveillance target is typing by distinguishing tiny acoustic differences in various keys. One group of researchers has shown that relatively precise text can even be derived from the sounds of keystrokes recorded over a Zoom call.

Kamkar, however, was more interested in the 2009 Defcon demonstration in which security researchers Andrea Barisani and Daniele Bianco showed that they could use a simple laser microphone to roughly detect words typed on a keyboard, a trick that would allow long-distance line-of-sight spying. In that demo, the two Italian hackers only got as far as testing out their laser spying technique across the room from a laptop and generating a list of possible word pairs that matched the vibration signature they recorded.

Speaking to WIRED, Barisani says their experiment was only a “quick and dirty” proof of concept compared to Kamkar’s more polished prototype. “Samy is brilliant, and there was a lot of room for improvement,” Barisani says. “I’m 100 percent sure that he was able to improve our attack both in the hardware setup and the signal processing.”

Kamkar’s laser spying kit: An infrared laser… Photograph: Roger Kisby

…attached to an oscilloscope’s signal generator, current controller, temperature controller, and amplifier power supply. Photograph: Roger Kisby

Kamkar’s results do appear to be dramatically better: Some samples of text he recovered from typing with his laser mic setup and shared with WIRED were almost entirely legible, with only a missed letter every word or two; others showed somewhat spottier results. Kamkar’s laser microphone worked well enough for detecting keystrokes, in fact, that he also tested using it to record audio in a room more generally, by bouncing his infrared laser off a window. It produced remarkably clear sound, noticeably better than other samples of laser microphone audio released online—at least among those recorded stealthily from a window’s vibrations.

Of course, given that laser microphones have existed for decades, Kamkar admits he doesn’t know what advancements the technology may have made in commercial implementations available to governments or law enforcement, not to mention even more secret, custom-built technologies potentially created or used by intelligence agencies. “I would assume they’re doing this or something like it,” Kamkar says.

Unlike the creators of those professional spy tools, though, Kamkar is publishing the full schematics of his DIY laser microphone spy kit. “Ideally, I want the public to know everything that intelligence agencies are doing, and the next thing, too,” Kamkar says. “If you don’t know something is possible, you’re probably not going to protect against it.”

Even knowing that Kamkar’s silent, invisible, long-distance laser spy trick exists, how does anyone hide their secrets from it? He suggests that companies install double-paned or reflective glass. Some security device companies also sell protection devices that affix to windows and vibrate them to prevent laser microphone spying, and Kamkar concedes he hasn’t tested his attack against those. But he also suggests a safer countermeasure: “Don’t work on computers visible from a window,” he says. “Or just have dirty windows.”

Kamkar admits that beyond any idea of enabling or defeating surveillance, he was driven to develop his laser spying tricks mostly to test what was possible in the realm of physics-based hacking. More than a warning about any particular spy trick, he hopes his Defcon talk will inspire the conference’s hacker audience to think more broadly about how information resonates through the real world in unexpected and exploitable ways, defying any simple model of computer security.

“You hit a key, it produces a sound that emanates in all directions. All the light hitting the laptop also vibrates at that frequency. The key then closes a circuit on the keyboard that generates electromagnetism and emits radio frequency in all directions,” Kamkar says. “The physical world screams secrets, and we have the ability to listen.” And if you don’t, whoever’s watching outside your window just might.
