Hello, DEF CON! How is it going? Good. So, I'm Andrea Barisani. He's Daniele Bianco. We've got weird names because we're Italian, so... We mispronounce our names even when we're talking in English, so don't worry. You don't have to know how to spell them.

So, we're going to talk about sniffing keystrokes with lasers and voltmeters, which, we think, is a very fun topic. How many of you have seen our talk from two years ago about GPS navigation? Raise your hand. Okay, so do you remember the video that was in there? Okay, so there's going to be a second episode of that. For everyone else, we do a cheesy Italian drama movie every time we do a presentation to announce it. So, at some point in this presentation, we ruin our reputation by showing you that video. So, it will be fun, I promise. So, if you get bored, don't worry. There's going to be that video in the middle.

So, yeah, we're new... you know, this is what we did two years ago, putting stuff like that on GPS, you know, terrorist incident, bullfight, which was a favorite for most people. We don't know why; we think it's perfectly normal, you know.

So, first of all, disclaimer: we play with electronic stuff, circuits. We are two idiots, so don't really do that at home. You can get electrocuted, which is not fun, okay? So, safety first.

Now, having said that, we're going to show you two unconventional attacks. Attack number one: power line leakage detection against wired PS2 keyboards. And attack number two: optical sampling of mechanical energy against laptop keyboards. So, fancy titles for really cool things.

So, why bother? So, I have a project called the open source computer emergency response team. So, we deal with software every day, and we're bored by software. And hardware hacking is good fun. If you haven't done hardware hacking in your life, you should really do it. Because if we can do it, everyone can do it. Trust me on that. We're going to show some unconventional side-channel attacks.
Side-channel attacks are good. We use relatively cheap hardware, so we're not going to show you something that, you know, takes $10,000 to do. Freaking laser beams! Come on, guys! Laser beams are the best. Next thing, you know, next: robots. We'll work on that for next year, and then we can have robots with lasers, and we'll be great. And as always, more importantly, girls will melt when you show this. This is a very important message. Every time we do our research, we want to demonstrate that you can get laid by using our techniques. You know? If you have that, you know, remote exploit, whatever, what does it matter if you cannot get laid? That's, you know, that's the driving force, because we're not, you know, socially inept. Hackers are good socially. So, you know, this is very important, and we will prove that with the video, okay? Keep that in mind.

Okay, so we're going to talk about Tempest. So what is Tempest? Tempest is not an acronym, but, you know, you can use it as such: Transmitted Electro-Magnetic Pulse / Energy Standards & Testing. Or Tiny ElectroMagnetic Particles Emitting Secret Things. Or The Emissions Might Produce Extremely Sweet Talks, like this one. It concerns the investigation and study of compromising emanations or fortuitous leakage, okay? The term was coined by the Feds in the 60s and 70s as a code name for the NSA operation for secure electronic communications. So the Feds in the room probably know everything about that.

Now, there's lots of public research relevant to attack number one. Tempest has been previously covered in research concerning LCD and CRT displays mostly. So, reading your monitor from a distance, okay? There's also research about compromising radiation emanations of wired keyboards from some Swiss guys, which is great. I think we all think they're doing a great paper. It is yet to be released, but it is related to our talk. We worked independently at the same time on it. So, the theory of the first attack.
The keyboard PS2 cable has the following wires: the data wire, the ground wire, the voltage, and the clock. And pins two and six are unused. So what do we think is going to happen? The wires are very close to each other, and they're poorly shielded. There is a fortuitous leak of information going from the data wire to the ground wire. The ground wire is routed to the main power cable, which is connected to the power socket and then the electric grid. So in your PC, the ground wire is shared. If you have a ground wire anywhere in any component, it is shared with the main power adapter, and that goes directly into the power socket and then into the electric grid. So we think that the information about the keystrokes leaks to the electric grid. It can be detected on the power outlet, including nearby ones sharing the same electric line. And the clock frequency of the PS2 signal is lower than any other component or signal emanated from the PC, because we're talking about the kilohertz, and everything else is above the megahertz. So that's a very important factor, and you will see why. We want to isolate the leakage by filtering out the signal from the noise, and this leads to profit, right? Which is all we want.

Now, so again, there is some documentation which suggests the possibility of doing some kind of attack using the ground wire, but no definite paper or very good explanation. And again, as I said, the Swiss guys, they say that the shared ground may act as an antenna and significantly improve the range of their attack, which is done over the air. So at the same time, both groups are working on the same thing, which is good, because that's a confirmation that what we're doing is not completely crazy.

So this is the PS2 signal. So data is transmitted one bit at a time, and each byte is sent as a frame consisting of 11 or 12 bits. In our case, it's 11 bits. So it's very simple, and it has a clock frequency range which is between 10 and 16.7 kilohertz.
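As an added illustration of the 11-bit frame just described (this is example code, not the speakers' tooling), the decoder below samples a digitised DATA line on every falling CLOCK edge and rebuilds the frames; the CLOCK/DATA traces are constructed synthetically at a 12 kHz clock and 1 MS/s, and the scan codes are standard set-2 make codes.

```python
# Added example (not from the talk): decode PS/2 keyboard frames from digitised
# CLOCK/DATA traces, the same 11-bit frames the talk's oscilloscope screenshots show.
# Frame (device to host): start bit 0, 8 data bits LSB first, odd parity, stop bit 1.
# The host samples DATA on each falling edge of CLOCK.

# Scan code set 2 make codes for a few keys; 0xF0 prefixes a key release ("break").
SCANCODE_SET2 = {0x1C: "A", 0x32: "B", 0x21: "C", 0x23: "D", 0x24: "E", 0x29: "SPACE"}
BREAK_PREFIX = 0xF0


def frame_bits(byte):
    """The 11 bits a keyboard clocks out for one byte."""
    data = [(byte >> i) & 1 for i in range(8)]      # LSB first on the wire
    parity = 1 - (sum(data) % 2)                     # odd parity: data + parity has an odd number of ones
    return [0] + data + [parity, 1]


def synth_capture(byte_seq, clock_hz=12_000, sample_hz=1_000_000, idle=200):
    """Constructed CLOCK/DATA traces (one 0/1 value per sample), not a real capture.
    12 kHz lies inside the 10-16.7 kHz PS/2 clock range; 1 MS/s matches the talk's ADC rate."""
    half = sample_hz // (2 * clock_hz)               # samples per half clock period
    clock, data = [1] * idle, [1] * idle             # both lines idle high
    for b in byte_seq:
        for bit in frame_bits(b):
            clock += [1] * half + [0] * half         # falling edge halfway through each bit cell
            data += [bit] * (2 * half)               # DATA is stable across the whole bit cell
        clock += [1] * idle
        data += [1] * idle
    return clock, data


def decode_frames(clock, data):
    """Sample DATA at every falling CLOCK edge, regroup into 11-bit frames and return
    the payload bytes; a bad start, stop or parity bit raises ValueError."""
    bits = [data[i] for i in range(1, len(clock)) if clock[i - 1] == 1 and clock[i] == 0]
    out = []
    for k in range(0, len(bits) - 10, 11):
        frame = bits[k:k + 11]
        start, payload, parity, stop = frame[0], frame[1:9], frame[9], frame[10]
        if start != 0 or stop != 1 or (sum(payload) + parity) % 2 != 1:
            raise ValueError(f"malformed frame at bit {k}: {frame}")
        out.append(sum(bit << i for i, bit in enumerate(payload)))
    return out


def keystrokes(scancodes):
    """Turn a scan code stream into (press|release, key) events."""
    events, release = [], False
    for code in scancodes:
        if code == BREAK_PREFIX:
            release = True
            continue
        events.append(("release" if release else "press", SCANCODE_SET2.get(code, f"0x{code:02X}")))
        release = False
    return events


def demo():
    """Typing the letter B: make code, then break prefix + make code on release."""
    clock, data = synth_capture([0x32, BREAK_PREFIX, 0x32])
    return keystrokes(decode_frames(clock, data))


if __name__ == "__main__":
    print(demo())   # [('press', 'B'), ('release', 'B')]
```

On a real ground-wire capture the bit stream would first have to be recovered from the filtered analogue signal and re-synchronised on a start bit; the synthetic traces here are already clean.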
So we want to see this very nice square wave here with the 1s and 0s and the bits, okay? That's a letter B. So this is what we do, and now maybe you can make yourself useful, okay? Thanks.

Yeah, this is our sniffing diagram. It's pretty simple. The only thing that could appear a little bit weird here is the fact that we have two different grounds, but yeah, it makes sense, because since we want to measure the current leakage on the ground line, we need a clean reference ground. And, yeah, Andrea will show you how it's possible to get a clean reference ground in a building.

So I just want to say this, that when you show this kind of diagram to an electrician... shut up, fucking... an electrician would likely say, hey, what the fuck is that? Why do we have two grounds? But what I like to say is that it's like going to a locksmith and asking for bump keys. They would say, hey, what do you want that for, okay? When you do hacking, you will make things that look very, very weird for people in the business, okay? But the evilness that comes out is very good for us.

So yeah, the thing that we have to do is to put in a probe resistor. In this diagram it's 150 ohms, but yeah. And we put the ends of the probe resistor into an ADC or something that is able to convert the analog signal into something that you can parse, store and whatever. So yeah, in our test, we used a digital oscilloscope as an ADC. And as I said, we routed the ground of a nearby power socket to our ADC. And we measured the differential of potential in order to get a measure of the dispersed current on the ground line. Yeah, what about the clean reference ground? That's enough talking for you. Yeah. Get back there.

So we need a reference ground, okay? Something which is very clean. So what is clean? Wait, wait a second. So this is the evil power cable, okay? Which is not evil because it's a European power plug, which I can understand you might think is evil, okay?
But it's evil because, as you can see, we're opening the ground wire and we're attaching our probe, okay? So if you do this, don't touch the blue wire, okay? Don't do it, okay? Because you will end up like him, which is not nice, right? Even the brown guy. Yeah, even the brown. Yeah, okay. So show the evil cable. So this is the evil cable, okay? Yeah, you've touched it many times already, right?

And this is the clean ground, which is a toilet, okay? So toilet sinks are perfect, because you have the tubes there, which are not to be confused with the tubes that run the internets, okay? And so again, this is very, very classy. And hints for spies: hotel rooms, they all have those, okay? So you can be in your room and you can use that as a clean ground, okay? So the theory is that the tubes there go down into the earth, okay? So that makes it a good ground, which is not the ground of your electric system, which is the one you need to measure, right? And you need that because otherwise there won't be any voltage potential difference, okay?

So this is our testing lab. The lab we used was actually a nuclear physics laboratory with lots of particle detectors, which means that the ground was extremely noisy. Like, you would expect that, you know, when you do physics, you need precise measurement and everything needs to be very clean, no noise, no emanations. It was hell. Like, there was almost a volt of noise on the ground wire. It was, you know, it was so bad. And so substantially more than a normal scenario. So if you do this in an apartment or an office, you're going to get a much, much cleaner signal, okay? So this is like the worst case scenario, okay? So if it works there, you know, it might work everywhere else.

So this is the original data that you would see: like, there's nothing there, you know, it's crap. So what we're going to do, we want to filter the noise, and unfortunately for that, we need to pass the mic to Daniele Bianco again.
Okay, so yeah, in order to filter the noise, we have to use some kind of filter, of course. Yeah, it was a great concert. Did you prepare that last night? Yeah, it was. Okay, so you can use a finite impulse response filter. It acts as a band pass filter. And of course we want to select all the frequencies between 1 and 20 kilohertz, because that's the frequency of the PS2 clock. So that's the frequency we are looking for. Just, yeah, in our tests we noticed that a good sampling rate in order to get good results is between 1 mega-sample per second and 100 kilo-samples per second. And of course you can use whatever you want to perform the filtering stuff, but one possible choice is to use Scilab. It's scientific software and it's very easy to use. And here you have an example of how to make a finite impulse response filter in that band of frequencies, 1 to 20 kilohertz. Okay, so get back there.

So this is original data taken directly from the keyboard, just to get an idea of how the filter works. So we can see this is the original data and this is the filtered data. You can see some artifacts which are made up by the filter. That's perfectly normal, because the filter cannot do miracles. So we want to see something similar to that in our actual results.

So again, this is the original signal. Here's what happens. You can see that there's something here. We filter it and we see this nice fella here, which kind of looks like what I showed you before. Looks similar to that one on the bottom. And if we analyze that, we see that it's actually a letter A. And now you should all go, oh yeah, it works! You can get results from the ground wire, and this was actually sniffed on a power socket which was 15 meters from the actual target. Okay, scary, huh? So you can see it's letter A. Different example.
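The speakers show the 1-20 kHz band-pass in Scilab; as an added example (not their code) here is the same kind of FIR filter as a windowed sinc in plain Python, run over a constructed capture in which about a volt of 50 Hz mains hum buries a 50 mV square wave at a PS/2 clock rate. The sample rate, noise levels and signal amplitudes are assumptions chosen to mimic the scenario described, not measured values.

```python
# Added example (not from the talk): 1-20 kHz FIR band-pass, windowed-sinc design,
# applied to a constructed stand-in for a noisy ground-line capture.
import math


def fir_bandpass(f_low, f_high, sample_hz, taps=401):
    """Windowed-sinc FIR band-pass: ideal lowpass(f_high) minus lowpass(f_low),
    Hamming-windowed. 401 taps at 100 kS/s gives roughly an 800 Hz transition band."""
    if taps % 2 == 0:
        raise ValueError("use an odd tap count for a symmetric (linear-phase) filter")
    mid, h = taps // 2, []
    for n in range(taps):
        k = n - mid
        if k == 0:
            v = 2.0 * (f_high - f_low) / sample_hz
        else:
            v = (math.sin(2 * math.pi * f_high * k / sample_hz)
                 - math.sin(2 * math.pi * f_low * k / sample_hz)) / (math.pi * k)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / (taps - 1))
        h.append(v * window)
    return h


def gain_at(h, freq, sample_hz):
    """|H(f)| evaluated straight from the taps: how much of a sinusoid at `freq` survives."""
    re = sum(c * math.cos(2 * math.pi * freq * n / sample_hz) for n, c in enumerate(h))
    im = sum(c * math.sin(2 * math.pi * freq * n / sample_hz) for n, c in enumerate(h))
    return math.hypot(re, im)


def apply_fir(h, x):
    """'Valid' convolution: only output samples with full filter support (no edge artefacts)."""
    n = len(h)
    return [sum(h[k] * x[i + n - 1 - k] for k in range(n)) for i in range(len(x) - n + 1)]


def rms(x):
    return math.sqrt(sum(v * v for v in x) / len(x))


def constructed_capture(sample_hz=100_000, seconds=0.04):
    """Stand-in for a noisy ground-line capture (constructed, not measured): about a volt
    of 50 Hz mains hum plus some 40 kHz noise bury a 50 mV square wave at 12 kHz,
    i.e. a PS/2 clock inside the 10-16.7 kHz range."""
    x = []
    for i in range(int(sample_hz * seconds)):
        t = i / sample_hz
        hum = 1.0 * math.sin(2 * math.pi * 50 * t)
        noise = 0.3 * math.sin(2 * math.pi * 40_000 * t)
        ps2 = 0.05 if math.sin(2 * math.pi * 12_000 * t) >= 0 else -0.05
        x.append(hum + noise + ps2)
    return x


def demo(sample_hz=100_000):
    """Filter the constructed capture and report what the band-pass did to each component."""
    h = fir_bandpass(1_000, 20_000, sample_hz)
    x = constructed_capture(sample_hz)
    y = apply_fir(h, x)
    return {
        "rms_in": rms(x),          # dominated by the mains hum (about 0.74)
        "rms_out": rms(y),         # what is left is the 12 kHz clock (about 0.05)
        "gain_50hz": gain_at(h, 50, sample_hz),
        "gain_12khz": gain_at(h, 12_000, sample_hz),
        "gain_40khz": gain_at(h, 40_000, sample_hz),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value:.4f}")
```

The filter's own ringing is what the speakers call the "artifacts made up by the filter"; in this example it is kept out of the numbers by discarding the edge samples in `apply_fir`.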
So depending on the time of the day, the noise on the ground wire in the laboratory was kind of different, because for some reason some time or some machine was going up or whatever. And so this is a different kind of noise that you can see. But again, this is still a letter A and you can make that out. Again, different time of the day, different keyboard actually. And this is letter B. So I could show you letter C, D, E, F, G. But you know, I think you get the point, and we don't want to have slides for the entire alphabet. So it works.

And the thing is, the nice thing about working with such a low frequency is that, considering a typical copper cable coefficient of 0.1 dB of attenuation, it means that after 60 meters, 50% of the signal survives. And the equipment we use isn't really the highest end you can really get. And we did this in, like, what, six weekends or something? And we're basically two idiots. He's more of an idiot than me, but anyway. And so think about what a government agency can do with dedication for this kind of project. And we didn't notice any significant difference between the signal at 1.5 meters and 15 meters. There was no relevant difference between them. And keep in mind that a typical signal has an output power of one nanowatt. That's the typical output that you would get. So it's tiny. It's very weak, but it's good enough to be detected. For a comparison (it is not a fair comparison because there are other factors involved), but if you think about it, the GPS signal that you get is of the order of, it's less than a picowatt. So this is three orders of magnitude stronger than the signal you get from a GPS. But of course, the current is a factor in there, but just to give you an idea.

So what we want to do, we had our oscilloscope and stuff. The oscilloscope costs a lot, but of course you can use them for this kind of research. But we want to do continuous sniffing, which is very, very much simpler than that.
So what we use, we use a microcontroller with a built-in ADC in it. So we said that one mega-sample per second is a sufficient rate for the analysis. So what we use, we use the ATxmega from the AVR microcontroller family, which has an ADC which has 12-bit resolution and actually does two mega-samples per second. So we just need one, but it has two mega-samples per second. So what we want to do, we want to get the data coming into the microcontroller. Then the microcontroller has an SPI interface. And then we want to convert that to Ethernet. And for $149.99, we can get our own device. So actually the chip costs like $1 if you get a thousand of them. But hey, you can just email them and ask them, can you give me a free sample? Yeah, sure, we'll give you a free sample. We have no idea what you're going to do. And here we are at DEF CON, which is awesome.

So again, talk about this slide. Yeah, the microcontroller is pretty easy to use. Of course, we have to connect the ADC of the microcontroller to an SRAM buffer in order to buffer our data. It's better if we use a DMA channel for that, because we allow the CPU to perform some other task while it's copying the data from the ADC. Finally, we put our data onto the SPI interface in order to be able to use an SPI to Ethernet converter. Very useful in order to put data onto the final PC. Ethernet, not Ethernet. What the fuck is Ethernet, you Italian? Sorry about that.

So you can see that the converter is as big as the actual RJ45 socket, which is awesome. The chip is very tiny. This is a European coin, so that's an evil coin for you. I think with the current exchange rate, that's like $1,000. That's not coin. Sorry, sorry. I love the States. I didn't want to. Sorry for that. Just thought it was fun. So if you're really evil, you can build this in a very nice and lean form factor, and then you can hide the device wherever you want. You can use it also as you have Ethernet.
You can also attach a small wireless thing and then you can have your data streamed to you, which is very nice. So the SPI to Ethernet converter, there's lots of them. There are crappy ones and better ones. Basically what you can do, you can program them if you want, but there are some of them which open a port for you, so you can connect with Ethernet to it and it will stream back the SPI data to you, which I think is kind of handy. Or if you want, the converter can be the client and you are the server, so it will stream the data. It will try to connect to you and it will stream the data back to you, which is really great.

This is the programming board. So it's not for the real deployment. It's something that you use for programming the chip and testing it. We got the evil power cable there again and this is the actual converter. So this is actually the full setup, and as you can see the power adapter is bigger than the whole thing, but you can fix that. So let me show you. So what we do, we stream the data back to a PC, and then there are many programs you can do, but basically this is like a crappy Java application that allows you to see a text file in real time. So basically what you build by doing this thing is a very cheap oscilloscope which is a very tiny form factor. You can connect it to Ethernet. It costs nothing and it is good for our purposes. Sorry for the silence.

So depending on the sensitivity of the equipment, keystrokes can be probed from the nearby room or even farther, or even in the basement. Of course you can always tamper with the power outlet itself. You will get a very, very good signal there, but if you can do that you can also hide a webcam in the floor, so it doesn't really matter. So appealing alternate targets, rather than your PC, are ATM machines, because we know that at least in Italy some ATM machines, they use a PS2 keypad.
So what you can do, you are in your shop nearby and use the device and you can get all the PINs, which is also nice because the PIN, you know it's only going to be digits. So the amount of matching and processing that you need to do for getting the keystrokes, it doesn't cover the entire ASCII table, so it's going to be lower than that.

So we analyzed PS2, of course, but any kind of serial protocol that uses a low frequency is going to be affected by this kind of attack. Of course we cannot be certain for every protocol, but the theory is there and it's sound, and we are confident that more expensive equipment can lead to much more precise measurements. The important point to understand is that the data is there. It leaks out. So it's a good playground for all of you hackers. This shouldn't work against USB keyboards, because USB uses differential signaling, which theoretically doesn't do any useful noise, but there are still possibilities, because the actual microcontroller on the USB keyboard does much more work than a normal PS2 keyboard. So there are some chances for power draining and stuff, so we want to test that and we will do that in the near future. There might be other factors responsible in minor part for the interference, so it might be some other factors, but it's difficult to pinpoint them. But we think that the big factor is the fact that the grounds are very close to each other, as we said before, and we look forward to seeing the talk from the Swiss guys, the paper from them, because we think it would be awesome. What? The Swiss are great, except you, Rafiq.

So, workarounds. Of course you can look like a dork, but who would want to use tin foil for... Oh man, dude! Is this Prada? New collection? But anyway, as there's no electric activity in your brain, what do you tin foil it for? You know? Asshole. Anyway, so... So yeah, you would look like a dork. Sorry for that guy. Maybe he's here. But see, the power cable here is not shielded, so that's an epic fail.
Anyway, so attack number two, and the video is coming right now, so don't leave. Attack number two. So the thing is, this doesn't work with laptops, which is a shame, so we need something else. So we know that previous research addressed keystroke acoustics: so by listening to the sound of your keystrokes and by evaluating the timing you do a statistical attack and you can understand what's going on. So we know that laser microphones can be used for monitoring sounds at a great distance, but here's the idea. Why not point the laser microphone at the laptop itself instead of the window and sample the mechanical vibrations from the laptop? Profit! Again, profit. It all leads to profit, which leads to girls.

So this is the moment you've been waiting for, because I know you don't give a shit about our research, you just want to see the video, you just want to get laid. So we've got to do a summary for the people that didn't see the talk. Oh god, I forgot to change that slide. Shame on me. Only one slide I had to change. Sorry for that. Anyway, so the evil hacker and the failed porn star. Guess who's who, right? Sorry, this is an ongoing battle for the viewers. So the porn star was driving with a girl. We don't know why. At some point the hacker sent a fake traffic information message and we detoured the porn star. He was amazed by what happened, and the evil hacker turned up with the portable device. That's very portable. The porn star realized that his skills in navigation and driving failed, so he was desperate. That's the face of epic fail. And we will totally upload that to Wikipedia. The girl was amused, of course. She is the return on investment, profit. So let's see what happens in episode number 2. Be very, very, very afraid.

I think that now she loves me. Yes. She really loves me. I need to perform. I need to satisfy her. What do you think, dear diary? Is Viagra the answer? Yes. I'd better reply to one of those many mails I get every day about it. Tonight. Yes.
Everything is so lame. So doomed. Who is it? Viagra. So soon? You again? Yes. I'm the evil hacker and I know that you need Viagra. I know your diary. That's impossible. I wasn't even connected to the internet. But I used laser beams. Laser beams to sniff your keystrokes remotely. I posted it on a group on Facebook, and everyone knows your secret. My secret. My secret is out. Tony here. He needs Viagra for satisfying you. You were using Viagra? Yes. But while he took the blue pill, I took the red pill along. How did you hack into his computer? Using laser beams. One, two, three. It works!

Disclaimer, your experience may differ. So if it doesn't work for you, don't email me. Email him. Anyway. Now you have the proof that it works. I'm not sure what we're going to do next year. It's tough to beat this one. Maybe a cliffhanger would do.

Laser microphone assembly. One laser. One photoresistor or photodiode. Sorry, one freaking laser! A battery and universal power adapter, a jack cable, a laptop with a sound card, a tripod and a focusing lens. $79.99 excluding the laptop. Okay? Optional: an amplifier, an optical band pass filter and some duct tape. Okay? So we use a class 3R laser, which is a crappy one. It costs $20, $30. It's slightly better than your average laser pointer. The only advantage is that you actually hook it to the battery and it's always on. So you don't need to press the laser, because when you're sampling vibration, you know, pressing the laser is going to be bad. Okay? So that works better. The more money you throw at a laser, the better the range is going to be. Okay? Do you want to talk? No? You're ashamed of yourself? Okay. So you can use different photodiodes for the detector part. Photodiodes work better than photoresistors, okay. So these are some models that you can look up. They're very cheap. They cost like $0.50, so it's really nothing. So this is a diagram of what happens. This is not different from a normal laser microphone. Okay?
The one that you see in spy movies. The only difference is that we're pointing at a laptop and not at a window. Okay? So what happens is you have the transmission part, which is this fellow here. So we're pointing to a reflective surface on the laptop. You get the reflection back on the detector here. Okay? Which is powered by a battery. Okay? You use a resistor for actually tuning the thing. I'll explain that later. Okay? And then you use an audio jack and you input that into your laptop. Okay? So you use your sound card as a small ADC and it's good enough. So this is the actual device. When the talk is done, we can show you all the hardware if you want. We'll be happy to do it. Okay? I don't know. That's very dark.

So what happens when you get the reflection back: you can get two, three, four dots. You won't get just one red dot. Okay? Because depending on the surface you're projecting the beam onto, and depending if you have glass in the way, you might have a dispersion pattern. So you just need to chase the one which is the strongest one, not even that one. In some cases you need to find the weakest one and it all works. So in order to test the device, you can first try it with audio. If it's a good audio laser microphone, then it will be good enough for sniffing the keystrokes. And keep in mind that without any hardcore tuning we have good results within 30 meters with our crappy laser. And longer distances require precise calibration and filtering. Okay? Because what happens is, basically depending on your setup, it is very easy to saturate the detector. Okay? Which is a good thing, because it means that if you put some filters on, or if it's daylight, you can actually distinguish the laser from the ambient noise. Okay? From the ambient light noise. Okay? But the longer, you know, the range, the better the tuning needs to be. The parallel is, just like when you put up a microphone and you want to hear something, you need to do some tuning, but the data is there and you can do it.
Of course, if you buy a very expensive laser, which is like a $400 laser, then it will be powerful enough and it will be good for you. Just to give you an idea of how the audio from a laser microphone works, this is a quick example which was taken just by connecting the things together, pointing at the window, having someone say something. Okay? Nothing special. So I just said, this is a test with our laser microphone. Were you able to make that out? No? Fail. Let me turn the volume up. Okay? That's without any tuning at all. Okay? So it's good enough for distinguishing the words, and without any amplification at all. Okay?

So, where do we aim this thing? So we aim directly at the laptop case, generally the display lid. Okay? Aiming at the top of the lid. Can you make yourself useful? We've got to show this thing, man. Okay? So aiming here produces more resonant waves. Okay? So if you aim at the center or the bottom, it's going to be better. Okay? So these are some simple keystrokes. Okay? This thing here, which is stronger than anything else, is the spacebar, because luckily for us the spacebar is a very different key on your keyboard and we can distinguish that. Which means we can distinguish the different words, which is very, very important for this statistical attack. And of course there are the letters here, okay? So one first thing that you can immediately tell is that you can assess the timing of the keystrokes. Which means that all the previous research that has been done on the timing of the keystrokes applies here. It's just that we extend the range. Which is kind of a cool thing. This is a sample from a different keyboard. Of course, different keyboards, they will produce totally different results from a graphical point of view. But the concept is always the same. As you can see, the spacebar here is even much more detectable. And of course we have the different keys there.
Just to, you know, this is not really helpful, but just to give you an idea of what happens if you convert those to sound. But remember, those are not sounds. It's not a normal laser microphone. It's not... it's a kind of vibration which we are now turning into sound just for your benefit. This is slowed down, by the way. You see the thumps? Those are the different keys being pressed. So those are the signals we need to distinguish. But it's not audio. It was audio because I decided to play it on the speakers, but it's really not.

So we can play with a fortune, okay? So we have different keys here. And we can say, oh well, it looks like this guy, which kind of looks like this guy, and so on. So you can assign different groups to the keys, okay? But as we don't want to do it visually, because it might take some time, we can use a technique which is called dynamic time warping for doing this kind of analysis. So it's an old-fashioned technique, actually, which is used in speech recognition. It's used for detecting, if you're saying a word fast, it is able to tell you, okay, those words are going to be the same. There are more modern techniques like hidden Markov models that should work even better. So what happens here, this is an example. There's a straight line here. This is a comparison between two signals that are exactly the same. So this is the shortest path from A to B. So what happens with the other signals, you can see that the line is not straight. So the longer the line, the higher the score for that specific signal. The shorter the line, the better the results you're going to get. So it means that the two characters are actually, you know, more similar. So what we do, we did some testing. We said, okay, you have character number one compared to number two, then to number three, to number four, and so on, and so on. And so what happens, we get a scale of results. And whatever ends up here, it means that it's more likely, these pairs are more likely to be the same.
So here we're comparing pairs of keystrokes, okay? And these obviously do not match at all. So what happens is that eventually you will end up with a pattern like this one. So like, one, okay, the first key is just like the last one of the first word, which is the same as the first one and the last one of the second word. The second key, I have no idea. The third and the fourth key are completely different from anything else. And then we have, again, recurring groups, okay? And we can tell that they're separate words, because remember, the spacebar can be easily detected.

So what you can do with this pattern, you can put the pattern into a sample application, a small application that does, you know, matching against the dictionary and analysis against that. So what happens if we put in this kind of data? So we get: the first entry is hogwash hash, which I have no idea what it means. So, you know, it doesn't matter. Ceremon sense, I don't know. It's not likely to me. Secret sets, maybe, maybe. Ceremon sense, I don't know. Sockets sets, meh, meh. Soviet sets, Cold War. We're sniffing a spy. That's great. Statue sues, well, everything sues in America, but a statue suing, that's not very likely. Straight sits, not really. Subway says, they don't generally talk that much. Tempest test, oh my God, maybe Tempest test. So here you can see the importance of the context. If you know the context of your victim, if you know that it's a diplomat, rather than your ex-wife, rather than a sports player, rather than, you know, whatever, then it helps you a lot in narrowing down the results. Then we have tidiest test, maybe in tidiest test, and try to intend your right. So we got 12 results, and there's one very important thing to say here. When you're done with just two words being typed, there's no previous knowledge about the typing.
So if you add just an article in front of Tempest test, if you add "the Tempest test", then you narrow down to two options, one which doesn't make sense, and one which makes sense. If you have a page of data, you can narrow it down to just one possibility. And the cool thing about this is that if you type a page and then you type a password, and then you type a page, it doesn't make any difference, because you can reuse the results. The order of things doesn't matter. I can reuse knowledge, you know, and then apply it to the password. And it might be that we don't get your entire password, of course, but all of you know the importance of narrowing down the options when cracking a password, okay? If you can just know 3 or 4 digits out of it, then, you know, it's going to help a lot. Of course, one very important thing, you need to know the language that it has been typed in, because if it's in English or Italian or Japanese, it's going to be, you know, completely different, okay? And non-words, yeah, again, yeah, it's good for passwords as well.

So attack scenarios: we tried different laptops. This is an ASUS Eee PC, which has a very, very nice reflective plastic case, so you can point wherever you want, and this laptop is pwned, basically. IBM Lenovo ThinkPad: so what you can do on the Lenovo, you can either, let me show you that, put your hand for the reflection. You see the reflection on his finger? Yeah? Okay, so the logo is good, and this here, the antenna, the wireless antenna, is all reflective case, so that works too, and it works pretty well. And now, we always thought that glossy was evil. So Apple, when you decided to do the glossy screen, yeah, you're owned, okay? So, you can be behind your target, and the screen is perfect; in front of the target, the case is not good, but the actual shiny Apple, the white shiny Apple, is very reflective, so okay, way to go.
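The grouping-by-similarity and dictionary steps described above (dynamic time warping to decide which presses are the same key, the spacebar as word separator, then dictionary candidates that must share one key-to-letter assignment across words), as an added example that is not the speakers' code. The keystroke waveforms are synthetic signatures constructed here, one shape per key, standing in for laser-microphone samples; the small dictionary and the "tempest test" phrase are the example's own. It goes one step beyond the talk by also allowing an unknown key (the "second key, I have no idea" case) as a wildcard.

```python
# Added example (not from the talk): DTW grouping of keystrokes plus dictionary matching
# with a letter assignment shared across words. Waveforms below are constructed, not measured.
import math


def dtw(a, b):
    """Dynamic time warping distance: minimum cumulative squared difference along a
    monotonic alignment path, so a slower press (stretched copy) scores near zero."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = (a[i - 1] - b[j - 1]) ** 2
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return math.sqrt(cost[n][m])


def _burst(cycles, sign):
    """Undamped sine burst of `cycles` periods inside a 40-sample window (synthetic shape)."""
    length = int(round(cycles * 2 * math.pi / 0.5))
    return [sign * math.sin(0.5 * i) if i < length else 0.0 for i in range(40)]


# Constructed per-key signatures: different ring-down lengths and polarities.
SIGNATURE = {"t": _burst(1, 1), "e": _burst(2, 1), "m": _burst(3, 1),
             "p": _burst(1, -1), "s": _burst(2, -1), " ": _burst(1, 1)}
SPACE_GAIN = 4.0   # the spacebar hits far harder than letter keys, as in the talk's plots


def press(key, idx):
    """One simulated key press: the key's signature, somewhat slower and louder/softer."""
    stretch = 1.0 + 0.1 * (idx % 4)                               # 1.0 .. 1.3
    gain = SPACE_GAIN if key == " " else 1.0 + 0.03 * (idx % 3 - 1)
    base = SIGNATURE[key]
    return [gain * base[int(i / stretch)] for i in range(int(round(len(base) * stretch)))]


def group_keystrokes(signals, same_key=1.0, space_level=2.5):
    """Unsupervised grouping: a press joins the first earlier group it is DTW-close to,
    otherwise starts a new one. Returns one class id per press, ' ' for spacebar hits."""
    classes, reps = [], []
    for sig in signals:
        if max(abs(v) for v in sig) > space_level:
            classes.append(" ")
            continue
        found = next((cid for cid, rep in enumerate(reps) if dtw(sig, rep) < same_key), None)
        if found is None:
            reps.append(sig)
            found = len(reps) - 1
        classes.append(found)
    return classes


def split_words(classes):
    """Spaces delimit words; a word is a list of class ids (None = unknown key)."""
    words = [[]]
    for c in classes:
        if c == " ":
            words.append([])
        else:
            words[-1].append(c)
    return [w for w in words if w]


def match_phrase(words, dictionary):
    """All word sequences whose letters fit the class pattern under ONE class->letter
    assignment shared across words (distinct classes, distinct letters; None matches any)."""
    results = []

    def extend(k, mapping, chosen):
        if k == len(words):
            results.append(tuple(chosen))
            return
        for cand in dictionary:
            if len(cand) != len(words[k]):
                continue
            m, ok = dict(mapping), True
            for cid, letter in zip(words[k], cand):
                if cid is None:
                    continue
                taken = any(l == letter and c != cid for c, l in m.items())
                if m.get(cid, letter) != letter or taken:
                    ok = False
                    break
                m[cid] = letter
            if ok:
                extend(k + 1, m, chosen + [cand])

    extend(0, {}, [])
    return sorted(results)


DICTIONARY = ["tempest", "hogwash", "tidiest", "secret", "soviet", "statue",
              "test", "sets", "sits", "sues", "hash", "sense"]


def recover(typed="tempest test"):
    """Simulate the typed text, group the presses, then search the dictionary."""
    classes = group_keystrokes([press(k, i) for i, k in enumerate(typed)])
    return classes, match_phrase(split_words(classes), DICTIONARY)
```

Run on the second word alone, `match_phrase` returns every four-letter word with the shape "x y z x"; run on both words, the shared assignment leaves only "tempest test", which is the narrowing-by-context effect the speakers describe.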
So obviously a line of sight is needed, either in front of or above the target, but the cool thing is that the transmitter and the receiver can be in completely different locations, okay? So suppose you want to sniff on, I don't know, an office building, and the guy is on, you know, the 25th floor, okay, with a laptop lid, you know, at this angle. So you point your laser, you know, maybe straight at the same floor from a nearby building, and the reflection will go back down to the ground, and your receiver can be on the ground, okay? The more money you throw at the equipment, the longer the range, okay, especially with the laser. But, and also the cool thing, so we tried this only with one laser microphone, but you can point four of them at different locations, and you can combine the results, and it's going to work. You can also use different kinds of laser microphones, like one that uses interferometry. So this laser microphone here uses the actual movement of the laser, okay, for something, the evaporation, but you can also use something that detects the actual shift in the frequency, okay? So you can combine all of them, you can actually really combine the data, and as long as you don't have disruptive interference, which is not very likely if they're all of the same type; with interferometry in it, it might be, but, you know, there's a good chance that it's never going to happen. So you can combine the data, and you can have even more refined results, because what you need, so you're not making an absolute comparison, you need a relative comparison between the different patterns that you have, because you want to say letter A, sorry, that letter is different from that one, okay? You don't say that is letter A directly. Stop pointing the laser at me. I'm not a keyboard. Okay, so I was saying, so yeah, it's a relative match, so you can combine the signals.
So, okay, so an attack is possible even with possibly double glass, because if you have a window in the way, a glass in the way, you lose only 4% at every pass, okay? And of course now you can say, hey, if I see a red dot on my face or on my laptop, then now that I've seen this talk, I don't know what's going on, but you can use an infrared laser. So unless you're wearing infrared goggles at work, you know, you're not going to detect that, and I don't think it's very classy to work on a laptop with infrared goggles. So, you know, you can use that. Of course, you can change your position, your typing position, very radically, but again, it's not very comfortable. Mistyping can be compensated for the way every spell checker does it. And again, you can use previous research against acoustic emanations. You know, it can be applied here. We know it might be hard to get a line of sight, but you're an awesome social engineer, so social engineer your victim. You know, hey, go on the balcony, whatever, and then you can do this kind of attack. So thank you very much for listening. We hope you enjoyed the talk, and we can take... Thank you!

Can we get one or two questions? Do we have time for questions? Do we have time for two questions? Yes.

With some awesome targeting skills. If it's a foggy day, then it's good, but otherwise, yeah, you need to be very precise, but if you use very stable tripods, it's actually easy to do. We did it, and it worked.

Yes. With the ground, yeah. So the PS2 frequency is actually a range, which means that you're not going to find very easily two keyboards which are at exactly the same frequency. So you can distinguish the two.

Any other questions? So we're going to the Q&A room. If you want to see the stuff and you want to ask more questions, thank you very much. See you next year.
