Recent research at the University of Scunthorpe in the UK has identified an issue which could compromise the security on which we depend for online shopping and banking. The department for Computer Research and Advanced Protocols has demonstrated IDentity Information Overlay Technology. The technique analyzes your activity rather than data packets to reveal passwords, visited sites and other sensitive personal information.
The project leader, Professor Juppe, explains:
Modern devices have a persistent Internet connection. Even if you’re not actively using a device, it’s fetching messages, checking for software updates or handling other processes which result in a steady stream of data transmission. Binary is converted to electronic signals which flow through the network.
Binary data is usually represented as clean voltage spikes. In reality, the signal is affected by electromagnetic interference which causes imperceptibly small fluctuations named “micropulses”. While they are rarely enough to cause data loss, micropulses pass through wired and wireless communication layers. They can even cause minuscule delays and bursts when translated through a fiber-optic bridge.
The biggest cause of micropulses is the user; the human body acts as a transmitter when using an input device such as a keyboard. In essence, your connected data flow becomes a carrier wave for micropulse information which can be analyzed. It does not matter whether your connection uses HTTP or HTTPS — the actual data can be ignored but your activities are revealed.
The technology is being refined and the rate of successful micropulse analysis increases exponentially each year. The technique works better if you are physically close to the target — such as on the same wifi connection. However, the research team has successfully attempted analysis over hundreds of miles and, as micropulse detection improves, geographical location is unlikely to remain a limiting factor.
Micropulse analysis technology is experimental but the threat is real. Fortunately, there are a number of low-tech solutions which significantly reduce the risk of identity infringement.
1. Use an on-screen keyboard
Touch screen and on-screen keyboards are not completely immune, but micropulse analysis is made far more difficult. Professor Juppe suggests switching between on-screen and real keyboards when entering sensitive information such as passwords.
2. Shield your input devices
Wrap aluminum foil around devices such as keyboards — the shiny side should face inward to reflect the pulses. If you’re using a laptop, use a small piece of foil around the Ethernet cable or, on wifi, regularly move the device to modify micropulses and make them more difficult to analyze.
3. Reduce electromagnetic interference
Device shielding may not be enough since your body conducts micropulse information. The effect can be reduced by wearing gloves and rubber boots while working.
Have any of your accounts been compromised even though you were careful to safeguard passwords? Have you been approached by someone who knew details of your online activities or services? Could micropulses be to blame?
Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.