July 1st, 2008
About that cellular interference...
So… maybe it is a real problem. Pedram Amini (top picture on the right), noted researcher and reverse engineer, posted an article to the Tipping Point DVLabs blog on some interesting observations he made on cellular interference. From the article, Pedram comments on the discovery:
“I had placed my iPhone on the laptop just below the keyboard and was using an external keyboard and mouse 
(from my new laptop over Synergy, which is fantastic software by the way). At some point my layer background color starting changing, the rulers appeared and disappeared, various nav items opened or closed, etc… The laptop is old and buggy so I thought nothing of it at first, then I wondered if it was my iPhone. I theorized that perhaps the iPhone was causing interference that was resulting in key strokes that mapped to hotkeys for manipulating my canvas and UI. A few quick tests confirmed the accuracy of this assumption, my interest peaked and I immediately called over the rest of the team to revel in this accidental discovery.”
Pedram and fellow researcher Cody Pierce (bottom picture on the right) posted the following video to illustrate what they were seeing.
Pedram describes what you’re seeing in the video:
A few seconds into the video, Cody starts to make a call to my cell from his. At about the 10 second marker you’ll see a flurry of characters spew across the screen. You may notice what appears to be a pencil tracing around the iPhone. We quickly realized that moving the phone too far off a specific spot failed to produce any key strokes. At this point we had three primary questions in mind:
- What is under that part of the keyboard that is being interfered with?
- Can we reliably generate arbitrary key strokes of our choosing?
- Solving [1] and [2], could we build a focused radio transmitter “gun” of sorts to transmit arbitrary keys to a target laptop from a distance? (huge grin on face)
The two researchers deconstruct Pedram’s laptop and discover that it is likely interference is directly interacting with the keyboard ribbon, causing the keystrokes to be pushed. After a good chunk of research, the two decide that what they really need to do is purchase a Universal Software Radio Peripheral (USRP) radio transceiver which they could interact with through custom created code via the GNU Radio project. Pedram states that the researchers determined the cost for the ideal platform to conduct the research to be somewhere in the $2,000 to $3,000 range.
Unfortunately, the two researchers were unable to get approval for that much budget for a project that, while immensely cool and interesting, simply has limited business use for their company. Due to this, Pedram and Cody passed the research off for public consumption, hoping that someone else can pick up where they left off. Pedram states:
“Our hopes and dreams shattered, we scrapped the project for a few weeks and have now resurrected it for public consumption. I recall being a CS student at Tulane university with lots of time and motivation and few solid project ideas. Today I have zillions of ideas and not enough hours in the day to accomplish them. Perhaps someone out there looking for a project idea can push this along… Write us if you do, we’d love to hear about it.”
Honestly, I think this would be a great University project, as I’m sure the government would be interested in seeing this technology work. I wish I had time and $2,000 to $3,000 of my own money to spare, cause this just sounds like a lot of fun. I fully anticipate somebody jumping on this and seeing this as a future ToorCon, DEFCON, or Shmoo talk. I fully expect to see a grandiose ray-gun looking device created that can push key strokes in the near future… pretty interesting stuff.
-Nate
Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
