TippingPoint Digital Vaccine Laboratories

Cellular Interference

Like many others in the world, I've always been a skeptic of the need to disable cell phone antennas on takeoff and landing. What kind of interference could possibly be caused to an airplane? We've all dealt with the minor nuisance of clicks and beeps when someone on a land line keeps their cell phone too close to the base, but serious interference to a plane? I always figured it was a better safe than sorry measure... Until a couple of weeks ago when I was doing some work in Photoshop on my old Dell laptop and randomly made an interesting discovery.

I had placed my iPhone on the laptop just below the keyboard and was using an external keyboard and mouse (from my new laptop over Synergy, which is fantastic software by the way). At some point my layer background color started changing, the rulers appeared and disappeared, various nav items opened or closed, etc... The laptop is old and buggy so I thought nothing of it at first, then I wondered if it was my iPhone. I theorized that perhaps the iPhone was causing interference that was resulting in key strokes that mapped to hotkeys for manipulating my canvas and UI. A few quick tests confirmed the accuracy of this assumption, my interest piqued and I immediately called over the rest of the team to revel in this accidental discovery.

Before I continue, check out this demo video we made showing my iPhone sitting on the Dell Inspiron 9300 with UltraEdit running in the foreground (with an increased font size).


A few seconds into the video, Cody starts to make a call to my cell from his. At about the 10 second marker you'll see a flurry of characters spew across the screen. You may notice what appears to be a pencil tracing around the iPhone. We quickly realized that moving the phone too far off a specific spot failed to produce any key strokes. At this point we had three primary questions in mind:
  1. What is under that part of the keyboard that is being interfered with?
  2. Can we reliably generate arbitrary key strokes of our choosing?
  3. Solving [1] and [2], could we build a focused radio transmitter "gun" of sorts to transmit arbitrary keys to a target laptop from a distance? (huge grin on face)

To answer the first question Cody took the laptop apart. I wish we would have taken a picture of the underbelly of the 15lb beast that was my old laptop, but we forgot, so visualize if you will: Both the keyboard controller chip and the keyboard ribbon were in close vicinity of the radio interference. Alternating our experiment between shielding the ribbon and the controller with aluminum foil leads us to believe that the radio signals from the iPhone are triggering key strokes through the actual ribbon.

To answer the second question I coded up a little test harness. I created a small PHP script to generate random data of a suitable length to create interference. I loaded the URL on the iPhone and refreshed the page until a single character was sent. I marked the random data that resulted in that character and continued to map a few more characters. Here is the DB schema and simple script used to accomplish these tasks:
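
    <?php
    /*
      MySQL table structure:

      CREATE TABLE `tempest` (
        `id` int(11) NOT NULL auto_increment,
        `char` char(1) NOT NULL,
        `data` longtext NOT NULL,
        PRIMARY KEY (`id`)
      ) ENGINE=MyISAM;
    */

    // Connection details were left blank in the post: host, user, password, then database.
    $db = mysqli_connect("", "", "");
    mysqli_select_db($db, "");

    // 0 generates and stores a new random payload; set to a stored row id to replay it.
    $id = 0;

    if ($id)
    {
      // Replay: send back exactly the bytes recorded for this row.
      $sql = "SELECT * FROM tempest WHERE id = " . (int) $id;
      $row = mysqli_fetch_object(mysqli_query($db, $sql));
      print base64_decode($row->data);
    }
    else
    {
      // 500 random bytes form the page body that the phone downloads.
      $x = "";
      for ($i = 0; $i < 500; $i++)
        $x .= chr(rand(0, 255));

      print $x;

      // Stored base64-encoded so the binary data is safe inside the SQL string.
      // `char` starts empty and is filled in by hand once a payload is matched to a key.
      $sql = "INSERT INTO tempest SET `char` = '', data = '";
      mysqli_query($db, $sql . base64_encode($x) . "'");
      print mysqli_error($db);
    }
    ?>
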
The table name TEMPEST by the way is the US government acronym for Transient ElectroMagnetic Pulse Emanation STandard. Running through this experiment provided no usable results. We postulated that the reason behind this is that the actual radio signals transmitting between the phone and the tower are not the same even for the same data. Despite the fact that we had already wasted half a day on this utterly useless (in terms of business) project, we were excited about the possibility of having a keystroke sending radio gun so we pressed on.
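
One way to put a number on "no usable results" is to replay each stored row several times and ask whether its marked character shows up more often than it does while other rows are replayed. The sketch below is an added example, not code from the original post; the replay log, the eight replays per row and the 0.05 threshold are all constructed assumptions.

```python
from collections import defaultdict
from math import comb

# Constructed replay log, not data from the post. Each tuple is
# (tempest.id, tempest.char marked for that row, keys seen during one replay).
TRIALS = [
    (1, "a", "a"), (1, "a", ""), (1, "a", "q"), (1, "a", ""),
    (1, "a", ""), (1, "a", "7"), (1, "a", ""), (1, "a", ""),
    (2, "q", ""), (2, "q", "a"), (2, "q", ""), (2, "q", "q"),
    (2, "q", ""), (2, "q", ""), (2, "q", "z"), (2, "q", ""),
    (3, "z", ""), (3, "z", ""), (3, "z", "z"), (3, "z", ""),
    (3, "z", "a"), (3, "z", ""), (3, "z", ""), (3, "z", "q"),
]


def binom_tail(n, k, p):
    """Exact P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def reproducibility(trials, alpha=0.05):
    """Per payload: does replaying it yield its marked key more often than
    the same key appears while the other payloads are replayed?"""
    by_id = defaultdict(list)
    for pid, marked, seen in trials:
        by_id[pid].append((marked, seen))
    report = {}
    for pid, rows in by_id.items():
        marked = rows[0][0]
        hits = sum(marked in seen for _, seen in rows)
        others = [seen for p, _, seen in trials if p != pid]
        # Laplace-smoothed base rate so a zero count never gives p = 0.
        base = (sum(marked in s for s in others) + 1) / (len(others) + 2)
        p_value = binom_tail(len(rows), hits, base)
        report[pid] = {"hits": hits, "replays": len(rows),
                       "base_rate": base, "p_value": p_value,
                       "reproducible": p_value < alpha}
    return report


if __name__ == "__main__":
    for pid, r in sorted(reproducibility(TRIALS).items()):
        print(pid, r)
```

In the constructed log every row hits its marked key once in eight replays, which is no better than the background rate, so no row is flagged as reproducible.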

Two hours of research time later we collectively decided that the next step would be to purchase a Universal Software Radio Peripheral (USRP) radio transceiver which we could write custom code for via the GNU Radio project. We specced out the cost of our ideal platform to be somewhere in the $2,000 to $3,000 range. Time for a budget approval, time to talk to the boss:


Dave Endler

Though amused, Dave was less than eager to drop precious budget dollars on a silly research project that would result in little to no re-usable security research. Our hopes and dreams shattered, we scrapped the project for a few weeks and have now resurrected it for public consumption. I recall being a CS student at Tulane University with lots of time and motivation and few solid project ideas. Today I have zillions of ideas and not enough hours in the day to accomplish them. Perhaps someone out there looking for a project idea can push this along... Write us if you do, we'd love to hear about it.

Published On: 2008-06-30 09:32:41

Comments

  1. Anonymous commented on 2008-06-30 @ 09:45

    Did you try any other phones?

  2. Pedram Amini commented on 2008-06-30 @ 09:47

    @Anonymous: I did indeed try a few other phones to no avail, the iPhone antenna must have a stronger output than the average phone.

  3. Anonymous commented on 2008-06-30 @ 10:51

    did you try txt messaging as well? or was it only with a phone call?

    what brand dell laptop was it?

  4. Pedram Amini commented on 2008-06-30 @ 12:29

    @Anonymous: Any data transfer works, including text messaging. In my attempt to reproduce single characters I used web data.

    The laptop is a Dell Inspiron 9300.

  5. Anonymous commented on 2008-06-30 @ 15:42

    So did you crash the plane?

    Did you die?

    Can I read dead people's blogs?

  6. Max Caceres commented on 2008-07-01 @ 11:07

    Cool stuff. Reminded me of a presentation Luis Miras did at CanSec 07 about sniffing and injecting wireless keyboard and mice signals. Not the same, just trying to create some critical mass :-).

    So do you turn off your phone on the plane now or what?

    http://cansecwest.com/csw07/csw07-miras.pdf

  7. Pedram Amini commented on 2008-07-01 @ 11:46

    @Max Caceres: Thanks for the link, definitely some cool work from Luis.

    I've always turned my cell phone off simply for the sake of saving battery.

