GhostType: The Limits of Using Contactless Electromagnetic Interference to Inject Phantom Keys into Analog Circuits of Keyboards

I Abstract

Keyboards are the primary peripheral input devices for various critical computer application scenarios. This paper performs a security analysis of keyboard sensing mechanisms and uncovers a new class of vulnerabilities that can be exploited to induce phantom keys: fake keystrokes injected into keyboards' analog circuits in a contactless way using electromagnetic interference (EMI). Besides normal keystrokes, such phantom keys also include keystrokes that cannot be achieved by human operators, such as rapidly injecting over 10,000 keys per minute and injecting hidden keys that do not exist on the physical keyboard. The underlying principle of phantom key injection is to induce false voltages on the keyboard's sensing GPIO pins through EMI coupled onto the matrix circuits. We investigate the voltage and timing requirements of injection signals both theoretically and empirically to establish the theory of phantom key injection. To validate the threat of keyboard sensing vulnerabilities, we design GhostType, which can cause denial-of-service of the keyboard and inject random keystrokes as well as certain targeted keystrokes of the adversary's choice. We have validated GhostType on 48 of 50 off-the-shelf keyboards/keypads from 20 brands, including both membrane/mechanical structures and USB/Bluetooth protocols. Some example consequences of GhostType include completely blocking keyboard operations, crashing and turning off downstream computers, and deleting files on computers. Finally, we glean lessons from our investigations and propose countermeasures including EMI shielding, phantom key detection, and keystroke scanning signal improvement.
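One way to express the phantom key detection countermeasure named in the abstract as host-side logic (an added example, not the paper's own method or code): it flags keystroke rates beyond what a human operator produces and keys that are absent from the physical layout. The rate ceiling, window length, keypad layout and event trace are assumptions constructed for this example.

```python
from collections import deque

# Assumed values for illustration; neither comes from the paper.
MAX_KEYS_PER_MINUTE = 1500   # generous ceiling for a human operator
WINDOW_MS = 1000             # sliding window used to measure the rate

# Constructed layout: the keys physically present on a numeric keypad.
KEYPAD_KEYS = set("0123456789") | {"+", "-", "*", "/", ".", "Enter", "NumLock"}


def detect_phantom_keys(events, physical_keys,
                        max_kpm=MAX_KEYS_PER_MINUTE, window_ms=WINDOW_MS):
    """Flag keystrokes a human could not have produced on this device.

    events: (timestamp_ms, key) tuples in time order.
    Returns (timestamp_ms, key, reason) tuples, reason in {"hidden-key", "rate"}.
    """
    limit = max_kpm * window_ms / 60000  # keys allowed inside one window
    recent = deque()                     # timestamps still inside the window
    alerts = []
    for ts, key in events:
        if key not in physical_keys:
            alerts.append((ts, key, "hidden-key"))
        recent.append(ts)
        while ts - recent[0] > window_ms:
            recent.popleft()
        if len(recent) > limit:
            alerts.append((ts, key, "rate"))
    return alerts


def constructed_trace():
    """Constructed sample: human typing, a 12,000 keys/min burst, one hidden key."""
    human = [(i * 200, "1") for i in range(10)]          # 5 keys per second
    burst = [(5000 + i * 5, "7") for i in range(100)]    # one key every 5 ms
    hidden = [(10000, "A")]                              # letter on a keypad
    return human + burst + hidden


if __name__ == "__main__":
    for alert in detect_phantom_keys(constructed_trace(), KEYPAD_KEYS)[:3]:
        print(alert)
    print("...")
```

A check like this only observes keystrokes after the keyboard has reported them, so it complements rather than replaces the shielding and scanning-signal countermeasures.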

II Demos of GhostType

GhostType achieves two types of attack outcomes:

We present the demos in three parts, each with a different experimental setup:

Part One: Place the injection antenna directly under the keyboard

We placed the injection antenna directly under the keyboard.

(1) Block the Keyboard (Acer KM41-2K)

(2) Block the Keyboard (Logitech MK275)

(3) Inject Keystrokes at a High APM (Keycool K-9)

(4) Inject Keystrokes at a High APM (Thunderobot KG3089R)

(5) Constantly Force the Computer to Sleep (Acer KM41-2K)

(6) Constantly Force the Computer to Sleep (Logitech MK275)

(7) Close the Unsaved File (Keycool K-9)

(8) Delete the Files (Lenovo MK23)

(9) Turn the Computer Off (Lenovo MK23)

(10) Inject Hidden Keys to Turn the Computer Off (A4TECH FK13P)

Part Two: Conduct keystroke injection across a table

We placed the same injection antenna under a 25 mm-thick table and conducted the injection across the table with a Mini-Circuits ZHL-100W-GAN+ power amplifier.

(11) Block the Keyboard (Acer KM41-2K)

(12) Block the Keyboard (Logitech MK275)

(13) Keystroke Injection (Keycool K-9)

(14) Keystroke Injection (Logitech MK275)

(15) Constantly Force the Computer to Sleep (Lenovo MK23)

(16) Constantly Force the Computer to Sleep (Logitech MK275)

(17) Turn the Computer Off (Lenovo MK23)

(18) Inject Hidden Keys to Turn the Computer Off (A4TECH FK13P)

(19) Inject Hidden Alphabetical Keys on a Keypad (A4TECH FK13P)

(20) Inject Hidden Keys to Open the File Browser (Lenovo MK23)

Part Three: Conduct keystroke injection at a distance

We used an Ettus LP0410 PCB directional antenna with a Mini-Circuits ZHL-50W-63+ power amplifier and conducted keystroke injection at a distance of up to 1 m.

(21) Inject Keystrokes at a Distance

(22) Force the Computer to Sleep at a Distance

III Evaluation on 50 Off-the-Shelf Keyboards

We evaluated GhostType on 50 off-the-shelf keyboards and keypads from 20 brands (all released within the last five years), covering both membrane/mechanical structures and USB/Bluetooth protocols, and found that 48 of them were vulnerable.

Insights of GhostType on the 50 Keyboards

We present GhostType's overall performance by showing the injection frequencies at which each keyboard is vulnerable to GhostType attacks. We discovered three insights during the evaluation:

Physical Layout of the 50 Keyboards/Keypads

IV Countermeasures

To mitigate the vulnerabilities of keystroke sensing mechanisms, we provide insights into potential hardware and software mitigations gleaned from our investigations: