GhostType: The Limits of Using Contactless Electromagnetic Interference to Inject Phantom Keys into Analog Circuits of Keyboards
I Abstract
Keyboards are the primary peripheral input devices in many critical computer application scenarios. This paper performs a security analysis of keyboard sensing mechanisms and uncovers a new class of vulnerabilities that can be exploited to induce phantom keys---fake keystrokes injected into keyboards' analog circuits in a contactless way using electromagnetic interference (EMI). Besides normal keystrokes, such phantom keys also include keystrokes that cannot be produced by a human operator, such as injecting more than 10,000 keys per minute and injecting hidden keys that do not exist on the physical keyboard. The underlying principle of phantom key injection is to induce false voltages on the keyboard's sensing GPIO pins through EMI coupled onto the matrix circuit. We investigate the voltage and timing requirements of the injection signals both theoretically and empirically to establish a theory of phantom key injection. To validate the threat posed by these sensing vulnerabilities, we design GhostType, which can cause denial of service of the keyboard and inject random keystrokes as well as certain targeted keystrokes of the adversary's choice. We validated GhostType on 48 of 50 off-the-shelf keyboards/keypads from 20 brands, covering both membrane and mechanical structures and both USB and Bluetooth protocols. Example consequences of GhostType include completely blocking keyboard operation, crashing and shutting down downstream computers, and deleting files on those computers. Finally, we glean lessons from our investigation and propose countermeasures including EMI shielding, phantom key detection, and improvements to the keystroke scanning signal.
II Demos of GhostType
GhostType achieves two types of attack outcomes:
DoS attacks can completely block the sensing of authentic keystrokes and thereby disable user operations.
Keystroke injection can inject random keystrokes to make the computer unresponsive and even crash, or inject certain targeted keystrokes of the attacker’s choice.
We present three sets of demos with different experimental setups:
Part One: Place the injection antenna directly under the keyboard.
Part Two: Conduct keystroke injection across a table.
Part Three: Conduct keystroke injection at a distance.
Part One: Place the injection antenna directly under the keyboard
We placed the injection antenna directly under the keyboard.
(1) Block the Keyboard (Acer KM41-2K)
(2) Block the Keyboard (Logitech MK275)
(3) Inject Keystrokes at a High APM (Keycool K-9)
(4) Inject Keystrokes at a High APM (Thunderobot KG3089R)
(5) Constantly Force the Computer to Sleep (Acer KM41-2K)
(6) Constantly Force the Computer to Sleep (Logitech MK275)
(7) Close the Unsaved File (Keycool K-9)
(8) Delete the Files (Lenovo MK23)
(9) Shut Down the Computer (Lenovo MK23)
(10) Inject Hidden Keys to Shut Down the Computer (A4TECH FK13P)
Part Two: Conduct keystroke injection across a table
We placed the same injection antenna under a 25 mm-thick tabletop and conducted the injection through the table, driving the antenna with a Mini-Circuits ZHL-100W-GAN+ power amplifier.
(11) Block the Keyboard (Acer KM41-2K)
(12) Block the Keyboard (Logitech MK275)
(13) Keystroke Injection (Keycool K-9)
(14) Keystroke Injection (Logitech MK275)
(15) Constantly Force the Computer to Sleep (Lenovo MK23)
(16) Constantly Force the Computer to Sleep (Logitech MK275)
(17) Shut Down the Computer (Lenovo MK23)
(18) Inject Hidden Keys to Shut Down the Computer (A4TECH FK13P)
(19) Inject Hidden Alphabetical Keys on a Keypad (A4TECH FK13P)
(20) Inject Hidden Keys to Open the File Browser (Lenovo MK23)
Part Three: Conduct keystroke injection at a distance
We employed an Ettus LP0410 PCB directional antenna driven by a Mini-Circuits ZHL50W-63+ power amplifier and conducted keystroke injection at distances of up to 1 m.
(21) Inject Keystrokes at a Distance
(22) Force the Computer to Sleep at a Distance
III Evaluation on 50 Off-the-Shelf Keyboards
We evaluated GhostType on 50 off-the-shelf keyboards and keypads from 20 brands (all released within the last five years), covering both membrane and mechanical structures and both USB and Bluetooth protocols, and found that 48 of them were vulnerable.
Insights of GhostType on the 50 Keyboards
GhostType's overall performance is summarized by the attack results, i.e. the injection frequencies at which each keyboard is vulnerable to GhostType attacks. Three insights emerged from the evaluation:
Membrane vs Mechanical: Membrane keyboards are vulnerable to both keystroke injection and DoS attacks, whereas mechanical keyboards are vulnerable only to keystroke injection: their N-key rollover (NKRO) capability means that many simultaneous phantom keys are reported rather than causing the controller to block input.
USB vs Bluetooth: Bluetooth keyboards are more vulnerable to GhostType than USB keyboards. Bluetooth keyboards are often powered by 3.3 V batteries, so the injection amplitude required to satisfy Eq. (8) in the paper is lower than for 5 V-powered USB keyboards.
Vendor vs Security: The uncovered sensing vulnerabilities are not specific to individual keyboard vendors, and keyboards are vulnerable to GhostType across a wide range of EMI frequencies. Higher-end keyboards are typically superior in performance but not in security: the adversary can inject keystrokes faster on high-end keyboards than on the more common office keyboards from the same vendor.
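As an added example (not the paper's detector), the check below turns two of these findings into a host-side plausibility filter over a stream of key presses: a trailing-window rate limit, because injected bursts run far above any human typing rate (the paper reports more than 10,000 keys per minute), and a per-device allowlist of HID usages, because hidden keys such as letters reported by a numeric keypad cannot come from a physical switch. The 1 s window, the 20-presses-per-window ceiling, the event layout and the sample stream are constructed assumptions; the keypad usage IDs are the standard USB HID keypad values.

```c
/* Host-side phantom-key plausibility check. Added example, not the paper's
 * detector: a sliding-window press-rate limit plus a per-device HID usage
 * allowlist. Thresholds, event layout and the sample stream are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t t_ms; uint8_t usage; } key_event;  /* one key press */

#define WINDOW_MS 1000u          /* trailing window (assumed) */
#define HUMAN_MAX_PER_WINDOW 20  /* ~1,200 keys/min, far below a GhostType burst */

/* USB HID usages a plain numeric keypad can emit: NumLock, / * - + Enter, 1-9, 0, '.' */
static const uint8_t keypad_usages[] = {
    0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
    0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63,
};

typedef struct { int rate_flags; int hidden_flags; } verdict;

static bool usage_allowed(uint8_t usage, const uint8_t *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allow[i] == usage) return true;
    return false;
}

/* Walk presses in time order. A press is rate-flagged when more than
 * HUMAN_MAX_PER_WINDOW presses (itself included) fall within the trailing
 * window; it is hidden-flagged when its usage is outside the allowlist. */
verdict check_presses(const key_event *ev, size_t n,
                      const uint8_t *allow, size_t n_allow)
{
    verdict v = {0, 0};
    size_t start = 0;                          /* oldest press still in window */
    for (size_t i = 0; i < n; i++) {
        while (ev[i].t_ms - ev[start].t_ms >= WINDOW_MS) start++;
        if (i - start + 1 > HUMAN_MAX_PER_WINDOW) v.rate_flags++;
        if (!usage_allowed(ev[i].usage, allow, n_allow)) v.hidden_flags++;
    }
    return v;
}

/* Constructed stream: 20 presses of keypad '1' at human pace, then an injected
 * burst of 100 presses at 200 keys/s, then one hidden letter 'a' (usage 0x04). */
static size_t demo_stream(key_event *out, size_t cap)
{
    size_t n = 0;
    for (uint32_t t = 0; t < 3000 && n < cap; t += 150)
        out[n++] = (key_event){ t, 0x5A };
    for (uint32_t t = 4000; t < 4500 && n < cap; t += 5)
        out[n++] = (key_event){ t, 0x5A };
    if (n < cap) out[n++] = (key_event){ 6000, 0x04 };
    return n;
}

verdict demo_verdict(void)
{
    key_event ev[160];
    size_t n = demo_stream(ev, sizeof ev / sizeof ev[0]);
    return check_presses(ev, n, keypad_usages, sizeof keypad_usages);
}

int main(void)
{
    verdict v = demo_verdict();
    printf("rate-flagged presses: %d, hidden-key presses: %d\n",
           v.rate_flags, v.hidden_flags);
    return 0;
}
```

Only the 21st and later presses inside a 1 s window are flagged, so the 20 human-paced presses pass untouched while 80 of the 100 injected presses are flagged; the single keypad 'a' is caught by the allowlist regardless of rate. A real deployment would learn the allowlist from the device's own HID report descriptor and tune the ceiling per user.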
Physical Layout of the 50 Keyboards/Keypads
IV Countermeasures
To mitigate the vulnerabilities of keystroke sensing mechanisms, we provide insights into potential hardware and software mitigations gleaned from our investigations:
Shield Keyboards with Metal Materials: According to the findings in our paper, keyboards with a steel plate underneath the matrix circuit are less susceptible to EMI injection when the injection antenna is placed underneath the keyboard. Note, however, that an adversary can still attack such keyboards with an antenna placed above them, so a metal plate underneath alone is not sufficient. We recommend that keyboard manufacturers employ metal enclosures as a straightforward countermeasure that protects both sides of the keyboard from EMI injection.
Enhance the Keystroke Sensing Mechanism: We believe keyboard manufacturers could improve the keystroke sensing mechanism in four ways.
(1) Randomize the scanning signal waveform. The keyboard sensing mechanism can be spoofed primarily because the keyboard processor does not verify whether the scanning signal received on an RX pin came from the keyboard's own TX pins. To ensure trustworthy keystroke sensing, we propose that the keyboard randomize the scanning signal waveform and use it as a "verification signal": when a pressed key completes a circuit, the keyboard controller checks that this signal, and only this signal, is received on the corresponding RX pin.
(2) Redesign the scanning signal's parameters. Our simulations in the paper revealed that decreasing the time difference between two adjacent TX scans considerably reduced the success rate of phantom keystroke injection. Keyboard engineers can therefore choose scanning parameters that make keyboards less vulnerable to GhostType.
(3) Randomize the scanning sequence, making it difficult for adversaries to predict when and which TX is scanned and thus to inject specific keystrokes into the targeted RX.
(4) Detect and remove hidden keys using the test method proposed in our paper, to avoid unexpected consequences.
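The following is an added example, not the paper's firmware, that puts countermeasures (1), (3) and (4) side by side in a simulated 4x4 keypad scanner. It assumes active-high scanning (TX rows are driven, RX columns idle low and follow the driven row when a switch closes) and models EMI as an induced high level on one RX column that the attacker cannot synchronise to the randomized waveform; the keymap, the set of populated positions, the xorshift PRNG and the scenario are all constructed assumptions. The naive scan reports every position on the disturbed column, including the hidden 'a' that has no switch behind it, while the hardened scan accepts a column only if it echoes the random 8-sample waveform bit for bit and sits on a populated position.

```c
/* Simulated 4x4 keypad scanner: a naive scan beside one that randomizes TX
 * order, drives a random verification waveform and drops unpopulated positions.
 * Added example, not the paper's firmware. Assumed model: active-high scanning,
 * RX idles low and follows the driven TX when a switch closes; EMI holds an RX
 * column high and cannot track the randomized waveform. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROWS 4
#define COLS 4
/* Firmware keymap with a code at every position (constructed); the 'a' at (3,2)
 * has no physical switch behind it, i.e. it is a hidden key. */
static const char keymap[ROWS][COLS] = {
    {'1', '2', '3', '+'}, {'4', '5', '6', '-'},
    {'7', '8', '9', '*'}, {'0', '.', 'a', '\n'},
};
/* Positions carrying a real switch on this keypad (constructed). */
static const bool populated[ROWS][COLS] = {
    {true, true, true, true}, {true, true, true, true},
    {true, true, true, true}, {true, true, false, true},
};
typedef struct {
    bool pressed[ROWS][COLS];  /* genuinely closed switches */
    unsigned emi_rx_mask;      /* bit c set: EMI holds RX column c high */
} matrix_model;
typedef struct { char codes[ROWS * COLS]; int count; } scan_result;
/* Electrical model of one RX pin while one TX row is driven. */
static int read_rx(const matrix_model *m, int row, int tx_level, int col)
{
    if (m->emi_rx_mask & (1u << col)) return 1;  /* induced voltage wins */
    if (m->pressed[row][col]) return tx_level;   /* closed switch follows TX */
    return 0;                                    /* pull-down: idle low */
}
/* Naive scan: fixed row order, one high pulse per row, any high RX is a key. */
scan_result scan_naive(const matrix_model *m)
{
    scan_result r = {{0}, 0};
    for (int row = 0; row < ROWS; row++)
        for (int col = 0; col < COLS; col++)
            if (read_rx(m, row, 1, col)) r.codes[r.count++] = keymap[row][col];
    return r;
}
static uint32_t xorshift32(uint32_t *s)  /* deterministic PRNG; seed nonzero */
{ uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }
/* 8 random TX samples with at least one high and one low, so a stuck-high (EMI)
 * or stuck-low (idle) RX can never echo the pattern. */
static uint8_t random_pattern(uint32_t *rng)
{
    uint8_t p;
    do { p = (uint8_t)xorshift32(rng); } while (p == 0x00 || p == 0xFF);
    return p;
}
/* Hardened scan: random row order, random waveform per row, RX must echo it bit
 * for bit, and positions without a physical switch are never reported. */
scan_result scan_verified(const matrix_model *m, uint32_t *rng)
{
    scan_result r = {{0}, 0};
    int order[ROWS];
    for (int i = 0; i < ROWS; i++) order[i] = i;
    for (int i = ROWS - 1; i > 0; i--) {          /* Fisher-Yates shuffle */
        int j = (int)(xorshift32(rng) % (uint32_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
    for (int k = 0; k < ROWS; k++) {
        int row = order[k];
        uint8_t pattern = random_pattern(rng), seen[COLS] = {0};
        for (int bit = 0; bit < 8; bit++)
            for (int col = 0; col < COLS; col++)
                seen[col] |= (uint8_t)(read_rx(m, row, (pattern >> bit) & 1, col) << bit);
        for (int col = 0; col < COLS; col++)
            if (seen[col] == pattern && populated[row][col])
                r.codes[r.count++] = keymap[row][col];
    }
    return r;
}
/* Scenario (constructed): the user holds '5' while EMI drives RX column 2 high. */
static scan_result demo_scan(int verified)
{
    matrix_model m; memset(&m, 0, sizeof m);
    m.pressed[1][1] = true; m.emi_rx_mask = 1u << 2;
    uint32_t rng = 0x2545F491u;
    return verified ? scan_verified(&m, &rng) : scan_naive(&m);
}
int demo_count(int verified) { return demo_scan(verified).count; }
int demo_reports(int verified, char code)
{
    scan_result r = demo_scan(verified);
    return memchr(r.codes, code, (size_t)r.count) != NULL;
}
int main(void)
{
    printf("naive: %d keys, hidden 'a' reported: %d\n", demo_count(0), demo_reports(0, 'a'));
    printf("verified: %d keys, '5' kept: %d, 'a' reported: %d\n",
           demo_count(1), demo_reports(1, '5'), demo_reports(1, 'a'));
    return 0;
}
```

In firmware the PRNG would be seeded from a hardware entropy source rather than a constant, and the waveform length trades scan latency against the attacker's chance of guessing a row's pattern (1 in 254 per row per scan with 8 samples). Note the cost on the attacked column: a genuine key under EMI is also rejected, which is a localized DoS rather than a spoofed keystroke.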