Information leakage through electromagnetic radiation of ps / 2 keyboard

Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin 
 No 2.CS (10) 2019 51 
Information Leakage Through Electromagnetic 
Radiation of PS/2 Keyboard 
Duc Chinh Bui, The Minh Ngo, Ngoc Vinh Hao Nguyen, Manh Tuan Pham 
Abstract— Computer keyboards are often 
used to enter data for a computer system, data 
could be normal information or confidential 
information such as password, key. Keyboards 
use electronic components so they will generate 
electromagnetic radiation that can reveal 
information. This article presents the acquisition 
of electromagnetic emanating from the PS/2 
keyboards through different paths (in space, 
through power line or via LAN cable). After 
acquisition we develop a program on MATLAB 
to recover the keystroke signal from data which is 
obtained in the near field of PS/2 keyboard. The 
result of this side channel attack is recovered an 
average of more than 70% of the keystrokes in 
near field of PS/2 keyboards. Our best attack can 
recover up to more than 90% of the keystrokes. 
From this result, we conclude that PS/2 
keyboards generate electromagnetic radiations 
which can cause the loss of information and 
they are not safe to use when entering 
confidential information. 
Tóm tắt— Bàn phím máy tính thường được sử 
dụng để nhập dữ liệu đầu vào cho một hệ thống 
máy tính, các dữ liệu có thể là văn bản thông 
thường hoặc thông tin cần được bảo mật như mật 
khẩu hay khóa. Bàn phím sử dụng các linh kiện 
điện tử, vì thế chúng sẽ gây ra bức xạ điện từ dẫn 
đến lộ lọt các thông tin khi gõ phím. Bài báo này 
trình bày về việc thu các tín hiệu bức xạ điện từ 
phát ra từ bàn phím PS/2 khi gõ phím qua các con 
đường khác nhau (nhiễu bức xạ trong không gian, 
nhiễu dẫn trên đường nguồn, qua mạng LAN). Từ 
đó, nghiên cứu xây dựng một module chương trình 
trên MATLAB để khôi phục lại tín hiệu gõ phím từ 
các dữ liệu thu được trong trường gần của bàn 
phím. Kết quả của cách tấn công trên kênh kề này 
là khôi phục trung bình được hơn 70% ký tự được 
gõ trong trường gần của bàn phím PS/2. Trường 
hợp tốt nhất kết quả có thể lên đến hơn 90% ký tự 
được gõ. Từ kết quả nghiên cứu trên, nhóm nghiên 
cứu rút ra kết luận, các loại bàn phím1
1 This manuscript is received June 14, 2019. It is 
commented on June 17, 2019 and is accepted on June 24, 
2019 by the first reviewer. It is commented on June 16, 2019 
and is accepted on June 25, 2019 by the second reviewer. 
 PS/2 đều phát ra các bức xạ điện từ gây mất mát 
thông tin và không an toàn để sử dụng khi nhập các 
thông tin cần được bảo mật. 
Keywords— Electromagnetic radiation; PS/2 
keyboard; acquisition of electromagnetic; recovery 
keystroke. 
Từ khóa— Bức xạ điện từ; bàn phím PS/2; thu 
bức xạ điện từ; khôi phục tín hiệu gõ phím. 
 I. INTRODUCTION 
Today, with the development of science and 
technology, information leakage through 
electromagnetic radiations of electronic devices 
such as monitors, keyboards, printers... has been 
published through research works in the world. 
Those researches indicate that it is possible to 
recover the original information from 
electromagnetic radiations with appropriate 
hardware and software. One component of the 
computer system that has the highest risk of 
information leakage is the computer keyboard. 
Keyboard is an input device of a computer 
system, used to enter normal information, 
confidential information or sensitive 
information. When the keyboard has hardware 
weaknesses that can be exploited, it will cause 
loss of information for computer systems 
regardless of the subsequent security and 
authentication. 
The exploitation of electromagnetic 
radiation appeared for decades. Research on 
compromising electromagnetic emanations have 
been carried out such as radiation detection of 
Bell 131-B2 devices [8], recovering displayed 
images on CRT [4], recovery of displayed 
images on LCD [4], attack on secret keys [9], 
captures video radiations [12], attack 
electromagnetic radiation on Elliptic curves 
cryptographic on FPGA or exploits 
compromising electromagnetic radiation of the 
keyboard [8]. 
With computer keyboards, research in the 
world has presented different exploitations of 
leaked information [5] such as through optical 
radiation [7], video string analysis or using the 
Journal of Science and Technology on Information security 
52 No 2.CS (10) 2019 
keyboard's LED as an auxiliary channel to 
collect data [3], exploit acoustic radiation to 
restore keystrokes [2, 11] and especially exploit 
electromagnetic radiations [4] or conducted 
radiation noise on the power line [1]. 
This article presents the acquisition of 
electromagnetic radiations of PS/2 keyboard in 
different cases of side channel attacks: the 
acquisition of radiated signals in space (near field 
and far field) and the acquisition of conducted 
disturbances through the power line and over the 
LAN cable. The obtained data will then be 
processed by a program on MATLAB to restore 
the keystroke. This research builds a program 
based on the Falling Edge Transition technique of 
the signal to detect the position of the key and 
based on the characteristics of the keystroke to 
convert the radiated signal to scancode, then 
compare it with scancode library to recover the 
keystroke. The program works well with obtained 
data in case of capturing radiated signals in near 
field of the PS/2 keyboard. 
The structure of this article consists of 5 
parts. Section 1 is a general introduction. 
Section 2 describes an overview of the 
electromagnetic radiation of the keyboard. 
Section 3 describes acquisition method of 
PS/2 keyboards in different setups. Section 4 
describes development a program on 
MATLAB to restore keystrokes. Section 5 
presents results of the measurements of 
radiated signals in different setups and the 
results of restoring keystroke in near field.  ... n the 237. 
B. Keystroke signal recovery program for 
electromagnetic radiation of keyboard 
Based on the falling edge technique mentioned 
above and analysed characteristics of scancode 
such as the first bit is bit 0 (start), the last bit is bit 1 
(stop), bit 1 always has a larger amplitude than the 
bit 0... we built a program on MATLAB to recover 
the keystroke signal from obtained electromagnetic 
radiations of the PS/2 keyboard with the block 
diagram of the acquisition and recovery process is 
shown in Fig.6. 
Journal of Science and Technology on Information security 
56 No 2.CS (10) 2019 
Fig.6. Diagram of capture and recover keystrokes process 
The process of capturing and recovery 
keystroke includes following steps: 
 First, use the antenna system or probe 
with appropriate sensitivity and in 
combination with the spectrum analyzer to 
capture radiated signal of keyboard. 
 Then, collected data will be saved and 
transmitted to the computer for processing. 
 MATLAB program for recovery keystroke 
will read data file in fixed-length frame. Use 
threshold to eliminate noise and find data 
locations that contain pressed keys. 
 Locate the falling edge and arrange the 
detected keys into groups of keys (see 
Table 1). 
 Use the characteristics of the keyboard 
scancode (bit 1 or bit 0) to convert 
keystroke data to scancode. 
 Compare the transferred scancode with 
the keyboard's scancode library to 
determine the keystroke and print out the 
result. 
The algorithm flowchart of capturing and 
recovery keystrokes process is shown in Fig.7. 
Flowchart in Fig.7 includes the following 
steps: 
1. Initiate the connection between the 
computer and the receiver via LAN cable. 
2. Set up the necessary parameters of the 
measurement: 
 Center frequency. 
 Sample rate. 
 Time of acquisition. 
 Trigger. 
3. The program will wait until the receiver 
completes the settings and send a notification to 
computer. 
4. When the receiver is ready, the program 
will send a request to start measuring and wait 
for the receiver to respond. 
5. When the receiver has completed a 
measurement, a notification will be sent and 
computer will read the measurement data in the 
receiver memory. 
6. When data is available, the program will 
perform analysis and display the result on the 
screen. 
7. After completing the data analysis, the 
program can continue measuring (go back to 
step 4) or stop. 
Fig.7. Algorithm flowchart of capturing and restoring 
keystrokes process 
Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin 
 No 2.CS (10) 2019 57 
Note that the time of acquisition or the 
number of samples collected per frame must be 
large enough to contain all pulses of a 
keystroke. In order to minimize the amount of 
redundant data collected, the collection method 
only focuses on data frames that contain 
keystroke by using trigger. In principle, the 
clock is always high when there is no data 
transmitted between the keyboard and the 
computer, so the first clock pulse is always 
changing the state from 1 to 0, which means 
appearing a falling edge. Based on the above 
rule, the program selects trigger so that 
receiver starts from the first clock pulse of 
keystroke pulse sequence. 
The algorithm flowchart of analyzing 
obtained data process in Fig.8. 
Flowchart in Fig.8 includes the following 
steps: 
Step 1. From receiver memory, the 
program checks to see if there is enough data 
for analysis. If not, exit program or else, 
analysis will be executed. 
Step 2. From the data block, read out N 
data samples. N is defined so that it can 
contain no more than 1 pulse of clock. 
Step 3. Find falling edge in those N data 
samples (radiated impulse detection). If not, 
go back to step 1 and read the next N data 
samples, if there is a falling edge then go to 
step 4. 
Step 4. When appearing a falling edge, the 
program will read the next N1 samples, N1 
will include the entire data of a keystroke. 
N1 is determined based on the keyboard’s 
clock frequency and the receiver sample rate. 
Step 5. Find the remaining falling edges 
positions in the N1 samples. 
Step 6. Based on the searching results for 
the position of falling edges, divide the 
keystroke into the key group according to 
Table 1 for falling edge traces. 
Step 7. Based on the characteristics of the 
keyboard scancode to recover scancode of 
the keystroke. 
Step 8. Compare the scancode results 
with the scancode library and display the 
results on the screen. Then go back to Step 1. 
Fig.8. Algorithm flowchart of analyzing radiatied signal 
process 
V. EXPERIMENTAL RESULTS 
The experiments capture radiated signal as 
described in Part III with 4 different cases. The 
results are shown in Fig.9 to Fig.12. 
Fig.9. Radiated signal of key A is captured in near field 
Journal of Science and Technology on Information security 
58 No 2.CS (10) 2019 
Fig.10. Radiated signal of key H is captured in far field 
Fig.11. Radiated signal of key A is captured through the 
power line 
Fig.12. Radiated signal of key A is captured over LAN 
cable 
The above test results show that the PS/2 
keyboard emits electromagnetic radiations and 
these radiated signals can be obtained in 
different cases such as in far field, near field, 
conducted disturbance through power line and 
over LAN cable. Test cases have been 
successful on different PS/2 keyboards with 
different radiation amplitude and the scancode 
pattern does not change. The radiated frequency 
range of PS/2 keyboards is from 20MHz to 
300MHz. In particular, the amplitude of 
radiation when receiving in near field is 20-
30dB higher than the background noise and can 
clearly distinguish the signal pulses (bit 1 and 
0), making the recovery process easier. For the 
remaining cases, the radiation amplitude is 10-
15dB higher than the background noise, in 
addition the background noise is irregular, so 
restoring the keystroke signal is more 
complicated in near field. Our program is 
currently experimenting with the results of 
obtained signal in near field. 
The obtained data in near field is processed 
in program presented in Part IV to perform 
recovery keystroke. The results are shown in 
Fig.13 with the keystroke sequence of "vien 
khoa hoc cong nghe mat ma". This example 
results in a true 26/30 keystroke ~ 86,67%. 
Fig.13. Results of running program 
Based on a number of tests, as shown in 
Table 2, the results show that the program can 
recover averaged more than 70% of keystrokes. 
In the best cases of background noise as well as 
amplitude of the radiated signal, the result can 
up to 90% of keystrokes. With the case of 
Vietnamese typing with Vietkey or Unikey, the 
signal transmitted from the keyboard to the 
computer remains the same. Therefore, we can 
still recover the original text. From the above 
test results, it can be confirmed that PS/2 
keyboards have a high risk of leaking 
information, that can cause the loss of important 
data and unsuitable for high security systems. 
TABLE 2. EXPERIMENTAL RESULTS OF RECOVERY 
KEYSTROKE 
Keystroke Recovered 
keystroke 
Tỷ lệ 
abcdefghijklmn amchefghijilmn 11/14 
~ 79% 
conghoaxahoi conghoaxahoi 12/12 
~ 100% 
vienkhcnmm vienkhcnmm 10/10 
~ 100% 
cong hoa xa hoi 
chu nghia viet nam 
cong hoa xa joi 
nhurnghiarvigt nam 
26/31 
~ 84% 
vien khoa hoc cong 
nghe mat ma 
vienrkboa joc 
nongrnehe mat ja 
23/30 
~ 76% 
Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin 
 No 2.CS (10) 2019 59 
hello good morning hgllo gooh morning 16/18 
~ 89% 
bùi đức chính buif jhuwcs nhinbs 14/18 
~78% 
demo thu ban phim 
co day 
dgmo thu ban phim 
co day 
22/23 
~ 96% 
Future studies are being carried out by us 
regarding restoring other cases of PS/2 
keyboards, such as eliminating the increase of 
noise and amplifying the radiated signals. In 
addition, we are also studying methods of 
capturing radiated signals of other keyboards 
such as USB keyboard, wireless keyboard and 
Laptop keyboard. This requires improving the 
acquisition process by using preamplifiers as 
well as testing in environments with low 
background noise such as semi-anechoic 
chamber. The initial results of these studies are 
relatively positive, but the results are not 
comprehensive so we do not present in this 
article. 
VI. CONCLUSION 
The keyboard is an input component of a 
computer system, so if it is attacked, security of 
the system becomes insignificant. This article 
has proven the risk of information leakage 
through electromagnetic radiations of PS/2 
keyboard. The article also presented the 
successful acquisition of electromagnetic 
radiations from PS/2 keyboard with cases of 
electromagnetic radiation in near field, far field 
and conducted disturbance through the power 
line and over LAN cable. Result of the 
keystroke recovery program can achieve an 
average of 70% of the keystrokes and up to 
more than 90% of keystrokes in the best case. 
With PS/2 keyboard, it is difficult to improve 
the hardware to avoid attacks as when 
improving the errors of software or operating 
system with patches. Therefore, for a high 
security computer system, keyboards with lower 
electromagnetic radiation leakage should be 
used and tested before being use in practice as 
well as applying some techniques to reduce 
electromagnetic radiation, such as using filters, 
shielding or generate noise. 
ACKNOWLEDGMENT 
This work was supported by Institute of 
Cryptographic Science and Technology, 
Viet Nam. 
REFERENCES 
[1]. Andrea Barisan Daniele Bianco, “Side Channel 
Attacks Using Optical Sampling of Mechanical 
Energy and Power Line Leakage”, Copyright 
Inverse Path Ltd, 2009. 
[2]. Asonov, D., and Agrawal, R., “Keyboard Acoustic 
Emanations”, In IEEE Symposium on Security 
and Privacy, 2004. 
[3]. Blzarotti, D., Cova, M., and Vigna, G., “Clearshot: 
Eavesdropping on keyboard input from video”, In 
IEEE Symposium on Security and Privacy, 2008. 
[4]. Kuhn, M. G., “Compromising Emanations: 
Eavesdropping risks of Computer Displays”, 
Technical Report, 2003. 
[5]. John V. Monaco, “SoK: Keylogging Side 
Channels”, IEEE Symposium on Security and 
Privacy, 2018. 
[6]. Lizhuang, Fengzhou, J. D. Tygar, “Keyboard 
Acoustic Emanations Revisited”, In Proceedings 
of the 12th ACM Conference on Computer and 
Communications Security, November 2005. 
[7]. Loughry, J., and Umphress, D. A., “Information 
leakage from optical emanations”, ACM Trans. 
Inf. Syst. Secur, 2002. 
[8]. Martin Vuagnoux, Sylvain Pasini, “Compromising 
Electromagnetic Emanations of Wired and 
Wireless Keyboards”, Security and Cryptography 
Laboratory, 2007-2009. 
[9]. Smulders, P., “The Threat of Information Theft by 
Reception of Electromagnetic Radiation from RS-
232 Cables”, Computers and Security, 1990. 
[10]. Tuttlebee, W., “Software Defined Radio: Enabling 
Technologies”, John Wiley and Sons, England, 
2003. 
[11]. Tzipora Halevi, Nitesh Saxena, “Keyboard 
acoustic side channel attacks: exploring realistic 
and security-sensitive scenarios”, International 
Journal of Information Security, Springer, 2014. 
[12]. Van Eck, W., “Electronagmetic radiation from 
video Display Units: An eavesdropping risk?”, 
Comput. Secur, 198. 
Journal of Science and Technology on Information security 
60 No 2.CS (10) 2019 
ABOUT THE AUTHOR 
 M.Sc. Duc Chinh Bui 
Workplace: Institute of 
Cryptographic Science and 
Technology, Vietnam Government 
Information Security Commission. 
Email: ducchinh1108@gmail.com 
Education: Received the Degree of 
Engineer in Electronics and 
Telecommunication Engineering in 
2013 and the Degree of Master of Enginerring in 
Electronics Engineering in 2016 from the School of 
Electronics and Telecommunications, Hanoi University 
of Science and Technology, Vietnam. 
Research today: Field of electromagnetic compatibility, 
include solutions to ensure EMC for electronic devices 
and exploit information leakage through side channels. 
M.Sc. The Minh Ngo 
Workplace: Institute of Cryptographic 
Science and Technology, Vietnam 
Government Information Security 
Commission. 
Email: ntminh1963@yahoo.com 
Education: Received the Degree of 
Engineer from Faculty of Electrical Engineering and 
Informatics, Budapest University of Technology and 
Economics, Hungary, in 1987. Received the Degree of 
Master of Engineering from Academy of Cryptography 
Techniques, Vietnam, in 2005. 
Research today: Field of electromagnetic compatibility, 
include solutions to ensure EMC for electronic devices 
and research about EMC standards. 
 Ngoc Vinh Hao Nguyen 
 Workplace: Institute of 
Cryptographic Science and 
Technology, Vietnam Government 
Information Security Commission. 
Email: nnvh89@gmail.com 
Education: Received the Degree of 
Engineer and Master in Aerospace 
Radio-Electronic System from 
Karkov Aviation University, Ukraine, in 2013 and 
2015 respectively. 
Research today: Field of electromagnetic compatibility. 
Currently, he is working on cryptography analysis 
through side channels. 
M.Sc. Manh Tuan Pham 
Workplace: 129 Company Limited, 
Vietnam Government Information 
Security Commission. 
Email: tuanpm.129@gmail.com 
Education: Received the Degree of 
Engineer from Posts and 
Telecommunications Institute of 
Technology, Vietnam, in 2003. 
Received the Degree of Master from Military Technical 
Academy, Vietnam, in 2008. Received the Degree of 
Doctor of Physolophy from Posts and 
Telecommunications Institute of Technology, Vietnam, 
in 2017. 
Research today: design and implement cryptographic 
algorithms on hardware; overall study of security 
solutions for voice and video data on different media 
environments.