All Your Keyboards Are Belong To Us
This talk explores various side-channel attacks against keyboards and input devices, focusing on electromagnetic and acoustic emanations. It demonstrates how attackers can recover keystrokes by analyzing signals from CRT monitors, keyboard LEDs, and mechanical keyboard sounds. The presentation highlights the historical and modern relevance of these techniques, emphasizing that even seemingly secure hardware can leak sensitive information through physical side channels.
Your Keyboard Is Leaking Data Through Thin Air
TLDR: Modern input devices are not just peripherals; they are potential signal generators that leak sensitive data through electromagnetic and acoustic side channels. Research presented at DEF CON 2025 demonstrates that keystrokes can be reconstructed from CRT monitor interference, keyboard LED flickering, and even the mechanical sound of typing. Pentesters should treat physical proximity as a viable attack vector for data exfiltration, while defenders must prioritize shielding and signal isolation for high-security environments.
Hardware security often gets sidelined in favor of web application vulnerabilities, but the physical layer remains a goldmine for anyone with a software-defined radio and a bit of patience. The research presented by Federico Lucifredi at DEF CON 2025 serves as a stark reminder that our input devices are constantly broadcasting their state to the world. Whether it is the electromagnetic hum of a legacy monitor or the subtle acoustic signature of a mechanical switch, your keyboard is likely telling a story to anyone listening.
The Physics of Information Leakage
Side-channel attacks rely on the principle that electrical and mechanical processes produce observable physical phenomena. In the case of keyboards, the act of typing creates distinct patterns. When you press a key, the internal circuitry completes a connection, causing a momentary spike in current. This spike generates an electromagnetic pulse. If that keyboard is connected via a non-shielded cable or uses a wireless protocol without proper encryption, that pulse becomes a broadcast.
The research highlights that these emanations are not just theoretical noise. By using GNU Radio, an attacker can capture these signals and perform signal processing to isolate the specific frequency associated with a keypress. The demo showed that even with relatively inexpensive hardware, one can distinguish between different keys based on the unique timing and frequency characteristics of the signal. This is essentially a modern, digital version of TEMPEST, the long-standing standard for protecting against compromising emanations.
From LEDs to Acoustic Signatures
One of the most fascinating aspects of this research is the exploitation of visual and acoustic side channels. Keyboards often have status LEDs for Caps Lock, Num Lock, and Scroll Lock. These LEDs are driven by the host computer, and their power consumption fluctuates based on the data being processed. By monitoring the light intensity of these LEDs, an attacker can infer keystroke data. This is particularly effective because the LED state is directly tied to the keyboard's internal buffer.
Acoustic attacks take this a step further. Mechanical keyboards are loud by design, but that noise is not uniform. Each key has a slightly different acoustic profile due to its position on the board and the way the sound resonates through the chassis. By placing a high-sensitivity microphone within a reasonable distance—often up to 15 meters in a quiet environment—an attacker can record the typing session. Training a neural network on these recordings allows for the reconstruction of the text being typed with high accuracy. The research demonstrated that even without language models, the raw acoustic data provides enough entropy to compromise passwords and sensitive commands.
Real-World Pentesting Implications
For a pentester, these techniques shift the focus from the network to the physical environment. If you are conducting a red team engagement, the traditional approach is to look for open ports or unpatched services. However, if the target is a high-value workstation in a secure facility, physical proximity becomes your primary exploit.
Imagine a scenario where you have access to an adjacent office or a hallway. A directional microphone pointed at the target's desk or an antenna hidden in a nearby vent can capture keystrokes without ever touching the target's machine. This is the ultimate Adversary-in-the-Middle scenario. You are not intercepting traffic on the wire; you are intercepting the physical manifestation of the user's intent.
When testing, consider the following:
- Signal Analysis: Use a wideband SDR to scan for emanations from wireless peripherals.
- Acoustic Profiling: Record typing sessions in the target environment to determine if key-specific sounds can be isolated.
- Peripheral Audit: Identify if the target uses unencrypted wireless keyboards or mice, which are often vulnerable to simple replay attacks.
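The acoustic profiling step above (segment the clicks, extract a spectral feature, match each one against per-key profiles) as a constructed, self-contained Python illustration; this is added here and is not code from the talk or its author. It synthesizes its own "recording" with a hypothetical, exaggerated per-key resonance (KEY_TONE) instead of real audio, and uses a nearest-centroid match in place of the neural network so the whole pipeline fits in one file.

```python
import math
import random

FS = 8000                  # sample rate, Hz (constructed scenario, not a real capture)
BURST = int(0.04 * FS)     # 40 ms keystroke transient
GAP = int(0.12 * FS)       # 120 ms of background noise between keys
KEY_TONE = {"a": 900, "s": 1300, "d": 1700, "f": 2100}  # hypothetical per-key resonance, Hz
rng = random.Random(7)

def keystroke(key, amp=1.0):
    """Synthesize one click: decaying sine at the key's resonance plus noise."""
    f, tau = KEY_TONE[key], 0.01 * FS
    return [amp * math.exp(-n / tau) * math.sin(2 * math.pi * f * n / FS)
            + rng.gauss(0, 0.02) for n in range(BURST)]

def record(text):
    """Constructed 'microphone capture' of a typed string with noisy gaps."""
    sig = []
    for ch in text:
        sig += keystroke(ch, rng.uniform(0.6, 1.0)) + [rng.gauss(0, 0.02) for _ in range(GAP)]
    return sig

def dominant_freq(seg):
    """Brute-force DFT on a coarse 50 Hz grid; return the strongest bin."""
    best, best_p = 0, -1.0
    for f in range(400, 2500, 50):
        w = 2 * math.pi * f / FS
        re = sum(x * math.cos(w * n) for n, x in enumerate(seg))
        im = sum(x * math.sin(w * n) for n, x in enumerate(seg))
        if re * re + im * im > best_p:
            best, best_p = f, re * re + im * im
    return best

def segment(sig, frame=80, onset=0.15, rearm=0.05):
    """Energy-based onset detection over 10 ms frames with hysteresis."""
    onsets, armed = [], True
    for i in range(0, len(sig) - frame + 1, frame):
        rms = math.sqrt(sum(x * x for x in sig[i:i + frame]) / frame)
        if armed and rms > onset:
            onsets.append(i)
        armed = rms < rearm  # re-arm only after the click has died down
    return onsets

def build_profiles():
    """Profiling step: one labelled sample per key, reduced to its dominant frequency."""
    return {k: dominant_freq(keystroke(k)) for k in KEY_TONE}

def recover(sig, profiles):
    """Label every detected keystroke with the nearest profiled key."""
    feats = [dominant_freq(sig[s:s + BURST]) for s in segment(sig)]
    return "".join(min(profiles, key=lambda k: abs(profiles[k] - f)) for f in feats)
```

Run against a real capture of your own workstation, the same three steps tell you whether sound dampening or a different switch type has actually made the keys indistinguishable, which is the measurement the Acoustic Profiling item asks for.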
Defensive Strategies
Defending against side-channel attacks is notoriously difficult because it requires changing the physical environment. The most effective mitigation is to eliminate the source of the leakage. For high-security environments, this means using shielded cables, FIPS-compliant hardware, and sound-dampening enclosures for workstations.
Software-based solutions are limited, but they can help. For example, implementing random delays in input processing or using software-based keyboard encryption can introduce enough noise to make signal reconstruction computationally expensive. However, these are stopgaps. The only true defense is to assume that any physical device is a potential transmitter and to design your security architecture to account for that reality.
Stop assuming that your hardware is a black box. The next time you are on an engagement, look at the peripherals on the desk. They might be the most interesting part of the target's infrastructure. If you can hear the keys, you can read the data. Keep digging into the physical layer, because that is where the most persistent threats are hiding.