It tells the story of how Soviet spies used keyloggers in IBM Selectric typewriters to spy on American diplomats during the Cold War. These high-tech devices remained undetected for 8 years.
A National Security Agency memo that recently resurfaced years after it was first published provides a detailed analysis of what is likely the world’s first keylogger, a 1970s bug that Soviet spies planted in IBM Selectric typewriters American diplomats to monitor secret letters and memos. .
Electromechanical implants were nothing short of an engineering marvel. An extremely miniaturized series of circuits was inserted into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen with X-ray equipment, recorded the exact location of the small ball. Selectric typewriters were used to print characters on paper. Except for spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every keystroke and transmit it to Soviet spies in real time.
The Soviet implants were discovered through a thorough analysis of more than 10 tons of equipment seized from US embassies and consulates and sent back to the US. The implants were eventually found inside 16 typewriters used from 1976 to 1984 at the US Embassy in Moscow and the US Consulate in Leningrad. The errors went undetected for eight years and only came to light after a tip from a US ally whose own embassy was the target of a similar wiretapping operation.
“Despite the ambiguity of what characters were typed, the typewriter attack on the US was a lucrative source of information for the Soviets,” says an NSA document that was declassified several years ago. “It was difficult to calculate the damage to the US from this exploitation because it went on for so long.” The NSA document was published in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before, and it sparked a lively conversation Monday on encryption and security expert Bruce Schneier’s blog.
When the implant was first reported, one eavesdropping expert quoted by Discover magazine suggested that it worked by measuring minute differences in the time it took to type each character. This theory was based on the observation that the rotation time of the Selectric ball was different for everyone. A low-tech listening device installed in the room would then transmit the sound of the Selectric typing to a Soviet computer, which would play back a series of keystrokes.
In fact, the implant was much more sophisticated and worked by measuring the movements of the “lever,” the term analysts gave to the mechanical arms that controlled the pitch and spin of the ball. According to the NSA document:
In fact, the movement of the pawns determined which symbol was entered, as each symbol had a unique binary movement corresponding to the pawns. The magnetic energy captured by the sensors in the strip was converted into a digital electrical signal. The signals were compressed into a four-bit frequency selection word. The error could store up to eight four-bit characters. When the buffer was full, the in-band transmitter sent information to Soviet sensors.
There was some ambiguity in determining which characters were entered. NSA analysts, using the laws of probability, were able to figure out how the Soviets likely recovered the text. Other factors that made text recovery difficult included the following: the implant could not detect characters that were typed without the ball moving. If the typist pressed space, Tab shift or Backspace, these characters were invisible to the implant. Since the ball didn’t move or tilt when the typist pressed the hyphen because it was positioned at the initial position of the ball, the bug couldn’t read that character either.
The implants also differed in the number of upgrades they received. Not being a static device that was created once and then left to do its job, bugs were constantly being refined. The document says:
The Soviet Union constantly modernized and improved its implants. There were five varieties or generations of beetles. Three types of devices operated from a direct current source and contained eight, nine or ten batteries. The other two types operated from an alternating current source and had beacons to indicate whether the typewriter was on or off. Some units also had a modified switch with a transformer, while others had a special coaxial screw with a spring and tip. A modified switch sent power to the implant.
Since battery-powered machines had their own internal power supply, a modified switch was not necessary. A special coaxial screw with a spring and a tip connected the implant to the typewriter connection, and this connection was used as an antenna to transmit information during printing. Later battery-powered implants had a control point under the terminal screw. By removing the screw and inserting the probe, a person could easily read the battery voltage to see if the batteries were still active.
The ingenuity of the Soviets was extraordinary because they did not simply switch from batteries as a power source to alternating current. There were early and later versions of the bug that used both power supplies. The NSA discovered that the first three implants were battery operated. The first of these was sent to Moscow in October 1976, and the other two were sent in April 1977. The first bug that used alternating current as a power source was sent to Moscow in November 1977. The remaining nine machines that were found in Moscow used alternating current as a power source and were more advanced than the first AC-powered beetles. Five improved models of typewriters with AC tapping were delivered to Moscow in February 1982. The rest were delivered in January 1984. Later typewriters with battery-powered eavesdroppers found at the Leningrad consulate were shipped in April 1977 and March 1982.
All the implants were quite complex. Each implant had a magnetometer that converted the mechanical energy of keystrokes into local magnetic disturbances. A package of electronics in the implant responded to these disturbances, classified the baseline data, and transmitted the results to a nearby listening post. Data was transmitted using radio frequencies. The implant was turned on by remote control. Another advantage of these bugs was easy installation. Engineers estimated that a skilled technician could install the implant in a typewriter in half an hour. Integrated circuits were very complex for that time period. The circuits contained a single bit of core memory, an achievement that NSA engineers had never seen before.
The devices could be turned off to avoid detection when the Soviet authorities knew that inspection teams were in close proximity. Newer devices in use in the US may have had the ability to detect implants, but even then a degree of luck would be required, as the infected typewriter would have to be turned on, the bug and the analyzer would have to be tuned to the correct frequency. To reduce this risk, Soviet spies deliberately designed the devices to use the same frequency range as local television stations.
The story of Project Sagittarius, as the once secret operation to detect and respond to implants was called, highlights how radically hacking has changed over the past 40 years.
“It’s a lot easier now because everything is connected,” Schneier, who is the chief technology officer of Resilient Systems Inc., told Ars. “Everything is computerized and [it] makes it a lot easier. When you just need to hack into someone’s computer, even if it is completely disconnected from the internet, it is a much easier job and therefore anyone can do it, including criminals. .”