Researchers find new ways to steal data

Researchers have developed two new techniques for stealing data from a computer that use some unlikely hacking tools: cameras and telescopes.

In two separate pieces of research, teams at the University of California, Santa Barbara, and at Saarland University in Saarbrucken, Germany, describe attacks that seem ripped from the pages of spy novels. In Saarbrucken, the researchers have read computer screens from their tiny reflections on everyday objects such as glasses, teapots, and even the human eye. The UC team has worked out a way to analyze a video of hands typing on a keyboard in order to guess what was being written.

Computer security research tends to focus on the software and hardware inside the PC, but this kind of "side channel" research, which dates back at least 45 years, looks at the physical environment. Side-channel work in the U.S. was kicked off in 1962 when the U.S. National Security Agency discovered strange surveillance equipment in the concrete ceiling of a U.S. Department of State communications room in Japan and began studying how radiation emitted by communication components could be intercepted.

Much of this work has been top secret, such as the NSA's Tempest program. But side-channel hacking has been in the public eye too.

In fact, if you've seen the movie "Sneakers," then the University of California's work will have a familiar ring. That's because a minor plot point in this 1992 Robert Redford film about a group of security geeks was the inspiration for their work.

In the movie, Redford's character, Marty Bishop, tries to steal a password by watching video of his victim, mathematician Gunter Janek, as he enters his password into a computer. "Oh, this is good," Redford says, "He's going to type in his password and we're going to get a clear shot."

Redford's character never does get his password, but the UC researchers' Clear Shot tool may give others a fighting chance, according to Marco Cova, a graduate student at the school.

Clear Shot can analyze video of hand movements on a computer keyboard and transcribe them into text. It's far from perfect -- Cova says the software is accurate about 40 percent of the time -- but it's good enough for someone to get the gist of what was being typed.

The software also suggests alternative words that may have been typed, and more often than not, the real word is in the top five suggestions provided by Clear Shot, Cova said.

Clear Shot works with an everyday Webcam, but the Saarland University team has taken thing up a notch, training telescopes on a variety of targets that just might happen to catch a computer monitor's reflection: teapots, glasses, bottles, spoons, and even the human eye.

The researchers came up with this idea during a lunchtime walk about nine months ago, said Michael Backes, a professor at Saarland's computer science department. Noticing that there were a lot of computers to be seen in campus windows, the researchers got to thinking. "It started as a fun project," he said. "We thought it would be kind of cute if we could look at what these people are working on."