We discover that enabling both eavesdropping and non-invasive, per-key injection is viable on keyboards, in particular, the fast-emerging commodity Hall-effect keyboards. This paper introduces DualStrike, a new attack system that allows attackers to remotely listen to victim input and control any key on a Hall-effect keyboard. This capability opens the door to severe attacks (e.g., file deletion, private key theft, and tampering) based on the victim’s input and context, all without requiring hardware or software modifications to the victim’s computer. We present several key innovations in DualStrike, including a novel, compact electromagnet-based hardware design for high-frequency magnetic spoofing, a synchronization-free attack scheme, and a magnetometer-based listening mechanism using commercial off-the-shelf components. Our real-world experiments demonstrate that DualStrike can reliably compromise arbitrary keys across six recent Hall-effect keyboard models. Specifically, DualStrike achieves over 98.9% keystroke injection accuracy across all tested models. In an end-to-end test, the eavesdropping module achieves a high listening accuracy (i.e., above 99%). To improve the robustness of DualStrike, we implement a calibration algorithm to account for keyboard displacement, allowing it to maintain 98.5% injection accuracy even with offsets up to 4 cm. We also identify DualStrike’s immunity to existing magnetic shielding mechanisms and propose a novel shielding approach for Hall-effect keyboards.
What DualStrike needs: only the DualStrike attack device
What DualStrike doesn't need: signal generator, power amplifier...
DualStrike consists of three main components: keystroke eavesdropping, keystroke injection, and calibration for injection misalignment.
DualStrike can capture magnetic field changes on a Hall-effect keyboard using COTS magnetometers (MLX90393), enabling key classification. A 4x2 magnetometer array can achieve over 99% keystroke inference accuracy.
We use structure-optimized electromagnets. Our design includes a Universal Electromagnet Layout, and through High-frequency Magnetic Spoofing and novel Attack Parameters, we can achieve over 98.9% keystroke injection accuracy across all tested models.
Existing EMI keystroke injection methods do not account for potential keyboard displacement during an actual attack. We use the eavesdrop results to calculate possible displacements of the keyboard (dx/dy/θ) before the attack. During the attack, we adjust the attack device's mapping accordingly. DualStrike can maintain an accuracy of 98.5% even with a displacement of up to 4 cm.
Tested Commodity Keyboards
These keyboards cover different popular sizes, e.g., 100%, 75%, and 60%.
DualStrike can disable user input by injecting random keystrokes at a high APM (approximately 5000 keystrokes per minute).
The user cannot distinguish their intended inputs from the randomly injected sequences.
(a) Disable user's input (SteelSeries Apex Pro) (b) Disable user's input (Corsair K70 MAX)
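The random-injection rate described above (approximately 5000 keystrokes per minute) is well beyond what a person types, so a host can flag it from key-down timing alone. The following is an added example, not code from the DualStrike paper or project: a sliding-window rate check in Python, where the window length, the 1500 keys-per-minute threshold, the function names and the sample trace are all assumptions constructed for illustration.

```python
from collections import deque

# Assumed tuning values (not from the paper): adjust per deployment.
WINDOW_MS = 1000         # sliding-window length
MAX_KEYS_PER_MIN = 1500  # assumed ceiling for human input, well below ~5000

def flag_bursts(keydown_ms, window_ms=WINDOW_MS, max_kpm=MAX_KEYS_PER_MIN):
    """Return [(first_flagged_ms, last_flagged_ms, peak_keys_per_min), ...]
    for each stretch where the key-down rate in the window exceeds max_kpm."""
    limit = max_kpm * window_ms / 60000  # key-downs allowed per window
    window, bursts, current = deque(), [], None
    for t in keydown_ms:                 # timestamps must be ascending
        window.append(t)
        while window[0] <= t - window_ms:
            window.popleft()             # drop events older than the window
        if len(window) > limit:
            kpm = len(window) * 60000 // window_ms
            if current is None:
                current = [t, t, kpm]    # rate first exceeded at t
            else:
                current[1], current[2] = t, max(current[2], kpm)
        elif current is not None:
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts

def constructed_trace():
    """Constructed sample: a user typing at 5 keys/s for 8 s, with a
    12 ms-interval burst (~5000 keys/min) interleaved from 4 s to 6 s."""
    human = list(range(0, 4000, 200)) + list(range(4100, 8000, 200))
    injected = list(range(4000, 6000, 12))
    return sorted(human + injected)

if __name__ == "__main__":
    for first, last, peak in flag_bursts(constructed_trace()):
        print(f"burst {first}-{last} ms, peak {peak} keys/min")
```

A rate check like this only covers the high-rate input-disabling case; injection at human-like speed produces no rate anomaly.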
DualStrike can perform targeted keystroke injection with 100% accuracy.
The attacker can send any specified sequence for injection attacks.
Specifically, we demonstrate this using the classic game Stardew Valley as an example, showing how the attacker can control the game character to move independently of the user's input.
(c) Targeted Keystroke Injection (Wooting 60 HE) (d) Strange Happenings in Stardew Valley
DualStrike can cause user login suspension through keystroke injection.
Specifically, by striking random keys and the "Enter" key twice, DualStrike can simulate rapid, incorrect login attempts.
Once the error count exceeds a certain limit, the user will be locked out by the system and unable to log in.
(e) Login Suspension (Keydous NJ98-CP) (f) Login Suspension (Wooting 60 HE)
DualStrike can inject a system shutdown command in a flash, leaving users no time to react.
Specifically, for Windows systems, the shutdown can be executed by pressing Ctrl+X followed by pressing 'U' twice.
(g) System Forced Shut Down (Wooting 60 HE) (h) System Forced Shut Down (Corsair K70 MAX)
Q1: Which type of keyboards may be undermined?
A: DualStrike compromises Hall-effect keys. You may confirm whether your keyboard uses Hall switches by looking up the product description.
Q2: How to defend against DualStrike?
A: Compared to existing shielding methods that use shielding plates, we use per-sensor shielding. This method effectively blocks magnetic spoofing from below while simultaneously reducing the external sensors' ability to perceive the keyboard's internal magnetic fields, thus defending against both eavesdropping and injection.