Wireless Key Board Question

From: James M. Atkinson <jm..._at_tscm.com>
Date: Sun, 17 Sep 2006 23:39:14 -0400

Paraphrased from original notes and documentation, original project
completed Feb 2005

Client permission for the following to be disclosed was formally
granted with the conditions that certain omissions be made. They have
reviewed this version and have approved its release in the hopes that
it helps others protect their secrets.

Test performed after midnight to take advantage of less RF activity,
clear bitterly cold winter night, sub zero temps, totally clear
skies. Note that the external antenna was roof mounted roughly 10+
feet off the ground, and was exposed to the elements through a very
thin, covert radome. All parking lot lights turned off during test, all
sodium lights off, dimmer switches off, band in question was dead
quiet with no interference. Equipment tested in place initially by
walking away from the receiver with the keyboard/transmitter while
the receiver remained fixed.

Config A, all stock equipment as found. Offender was an unmodified 8
channel Gyration keyboard and mouse, desktop receiver antenna, exec
was using the keyboard only a few feet away. Power measured directly
off the power amplifier of the keyboard, pre antenna on the PCB (post
experiment with new batteries) at -13.77 dBm (yes, microWatts), range
with given Gyration receiver with fold down right angle whip was
about 75 feet straight line through a single painted screw stud sheet
rock wall for 100% coverage. Through a cinder block (hollow with no
rebar, fiberglass insulated sheetrock on one side, latex painted
cinder on other) the signal was clear (zero errors) with factory
provided antenna and receiver at 30 feet as per factory spec (access
beyond this range was not physically possible for this angle). Through
the uncoated, non-filmed double paned window glass the range was
closer to 50 feet from the glass after which the signal was lost with
a hand carried Gyration keyboard (original receiver remained on exec's
desk). Desktop used was an HP tower located under the executive desk,
but really played no part in the mystery, and which did not cause EMI issues.

From outside the executive's window his LCD monitor could be clearly
read with the naked eye, and his computer could be controlled by
wireless mouse and keyboard from directly outside the office.
Distance from the executive's Gyration receiver to the window and
bushes was less than 8 feet, at 50 feet from window (roughly 60 ft
from receiver) signal began to drop off on the stock Gyration
receiver, and the error rate hit roughly 50% at 100 feet outside the
building with the stock receiver. Beyond 100 feet signal/data loss
was 100% with the stock equipment.

At the time of config A tests the FSL was estimated to be 50 dB at 500 feet.

Test message involved typing the standard "Quick Brown Fox..."
sequence, stepping back two paces (about 5 feet), and repeating.
Advertised range of "30 feet" is generous, and a more realistic range
line of sight should be "50 to 75 feet depending on conditions".
Keyboard operator did not let his body come between the transmitter
and receiver. Operator, keyboard, and receiver restored to original
position inside office.

The second stage of the experiment: Purpose, to demonstrate that the
Gyration keyboards present a reasonable risk to well outside of their
functional range of 30 to 50 feet. For the final test, the
configurations used are in line with those used by "KeyDrivers", or hackers
who focus on driving or walking up to a building that has wireless
keyboards and exploiting the system via a parked car at the periphery
of the parking lot.

Configuration B used for the wireless keyboard test was an Icom R-75
receiver (internal pre-amp off), a roof mounted ARA active 24" loop
antenna (internal 22 dB LNA, below .3 dB NF, +15 dBm compression
point), 48x48' ground plane (single sheet of steel, copper clad),
hard ground (via nearby parking lot lamp pedestal), and a 80+ dB
bandpass filter (49-50 MHz), followed by another LNA (43 dB, below 1
dB NF, 0 dBm compression point) just before the receiver. All power
to all equipment supplied from battery power, power off for all
equipment other than radio, amps, antenna on at the time. BPF filter
mounted directly to ARA antenna with no cables in between, low loss
double shielded 12 feet cable from BPF to internal LNA and radio. All
antenna, amps, and filters in recent calibrations, and then confirmed
to be operational immediately prior to test. Icom was confirmed to be
operational by monitoring weak Maritime HF signals, but it was in no
way calibrated, nor was there any capacity to perform a calibration.
This extended the range to well over 300 feet, but fidelity rate was
still over 90% at 300 feet. Distance was measured with a surveyor's
tape. CR-282 time base in R-75, plus 2.8 kHz IF filter. Also repeated
with a 90 Hz Software Defined Radio, but with much higher
sensitivity, and better clarity.

Configuration C, same as above except a tuned Fairchild Dipole was
used (4 feet each size fixed, with a 18 inch adjustable element, 9
foot 5 inches overall), and was aligned to the transmitter for
optimal signal (polarization match, and antenna brought to
resonance). Pyramidal foam mat placed under antenna to limit
reflections. Also, a 30 foot cable was used instead of the 12 foot
but with the same cable type and connector, and the antenna was
mounted on a 12 foot non-metallic stand (6 foot fiberglass tripod
with sandbags) plus 6 foot non metallic shaft. This was tested at
300, 450, 600, 750, and 1000 feet from the executive's office as
measured with a surveyor's tape. Zero data loss unless the distance
was over 750 feet, but fragments were picked up beyond 750 feet.

Configuration D, Vehicle, sedan mounted tuned whip antenna with base
loading, 20 dB low compression amplifier (0 dBm), same bandpass
filter, identical receiver except that antenna and preamp were
removed/bypassed to permit a quality external antenna to be used.
Effective range in this case in sub-optimum conditions confirmed to
be over 300 feet, under optimal conditions range is over 700 to 1000
feet. Under optimal conditions we were able to get a 20% accuracy
rate well in excess of 700 feet of open parking lot and grounds.

Virtually identical results found with later test on other Gyration
systems, and with most HP Wireless Keyboards.

Experiment was performed by myself, supervised by another engineer
from the client company, and by their corporate IT security manager.
Legal restrictions both in letter and intent were closely observed (no
eavesdropping even remotely took place), the entire project was video
taped, photographed, and documented. The next morning everybody who
had a Gyration or HP wireless keyboard found that their keyboard and
mouse had magically disappeared and been replaced with a corded one.
The presentation to management later the next day was "eventful" and
they took action to repair some recent damage that had been caught by
these keyboards.

They are a great product, but do not use them for sensitive matters,
and certainly not when typing out passwords and user names.

-jma



We Hunt Spies, We Stop Espionage, We Kill Bugs, and We Plug Leaks.

James M. Atkinson, President and Sr. Engineer
Granite Island Group
127 Eastern Avenue #291
Gloucester, MA 01930-8008
Phone: (978) 546-3803
Fax: (978) 546-9467
Web: http://www.tscm.com/
E-Mail: jm..._at_tscm.com
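
Added example, not part of the original post and not the author's code: a free-space link budget that reproduces the "50 dB at 500 feet" FSL estimate and shows how far the measured -13.77 dBm stays above a given level when assessing emanation exposure. Assumptions: 49.5 MHz (centre of the 49-50 MHz bandpass filter named in the post), 0 dBi antennas at both ends, far-field free-space propagation, and an optional wall-loss term whose value is the reader's to supply.

```python
import math

FT_PER_KM = 3280.84     # feet in one kilometre
TX_POWER_DBM = -13.77   # from the post: measured at the keyboard PA, pre-antenna
FREQ_MHZ = 49.5         # assumption: centre of the 49-50 MHz filter passband
# Distances named in the post (stock-receiver limit, FSL estimate, Config B/C points)
DISTANCES_FT = [100, 300, 450, 500, 600, 750, 1000]

def dbm_to_microwatts(dbm):
    """Convert dBm to microwatts (0 dBm = 1 mW = 1000 uW)."""
    return 10 ** (dbm / 10.0) * 1000.0

def fspl_db(distance_ft, freq_mhz=FREQ_MHZ):
    """Free-space path loss: 20*log10(d_km) + 20*log10(f_MHz) + 32.44 dB.
    Valid in the far field only (wavelength at 49.5 MHz is about 20 ft)."""
    if distance_ft <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    d_km = distance_ft / FT_PER_KM
    return 20 * math.log10(d_km) + 20 * math.log10(freq_mhz) + 32.44

def rx_power_dbm(distance_ft, tx_dbm=TX_POWER_DBM, tx_gain_dbi=0.0,
                 rx_gain_dbi=0.0, wall_loss_db=0.0, freq_mhz=FREQ_MHZ):
    """Power at the receive antenna terminals. Gains and wall loss are
    assumptions to be replaced with measured values for a real site."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - fspl_db(distance_ft, freq_mhz) - wall_loss_db)

def distance_for_loss_ft(loss_db, freq_mhz=FREQ_MHZ):
    """Inverse of fspl_db: distance at which free-space loss equals loss_db."""
    d_km = 10 ** ((loss_db - 32.44 - 20 * math.log10(freq_mhz)) / 20.0)
    return d_km * FT_PER_KM

def exposure_table(distances_ft=DISTANCES_FT, wall_loss_db=0.0):
    """(distance_ft, path_loss_db, rx_dbm) rows for a site survey worksheet."""
    return [(d, round(fspl_db(d), 2),
             round(rx_power_dbm(d, wall_loss_db=wall_loss_db), 2))
            for d in distances_ft]

if __name__ == "__main__":
    print(f"TX power: {dbm_to_microwatts(TX_POWER_DBM):.1f} uW")
    print(f"{'feet':>6} {'FSPL dB':>8} {'RX dBm':>8}")
    for d, loss, rx in exposure_table():
        print(f"{d:>6} {loss:>8.2f} {rx:>8.2f}")
```

Each doubling of distance costs only about 6 dB in free space, which is why added receive-side gain and filtering stretch the usable range so far past the advertised figure.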


Received on Sat Mar 02 2024 - 00:57:17 CST
