Slashdot Mirror

← Back to Stories (view on slashdot.org)

CRT Eavesdropping: Optical Tempest

Posted by michael on from the tinfoil-house dept.

PortalCell writes "LED status monitors may potentially leak data in a few applications, but worse: Markus Kuhn has now revealed (pdf) that it's possible to read your monitor indirectly just by observing how the blue flicker lights up the room! Forget taping up LEDs or living in a metal box - now you might have to do without sunlight to be secure!" Hopefully people will also stop submitting the LED story now.

12 of 219 comments (clear)

  1. Knowing your enemy by sting3r · · Score: 3, Insightful
    I am no advocate of government eavesdropping. I am a card-carrying ACLU member and have sent funds to the EFF prior to the passage of just about every draconian piece of legislation since the DMCA.

    I see a lot of potential in this sort of technology, though. When the government wants to crack down on terrorism / kiddie porn / the "threat" of the day, they will usually issue tens to hundreds of search warrants and confiscate tons of computer equipment in the name of "finding the bad guys." They will no longer have an excuse to do that, since they will now be able to eliminate potential suspects just by looking at light that was leaked from their residences. This will be a true victory for those of us (remember SJ Games?) who are scrutinized by our government without reason: they will have no reason to break into our private homes, steal our legitimately purchased equipment, and go on a "fishing expedition" in search of wrongdoing. No judge could ever let them harass a criminal suspect unless they have exhausted all other avenues and proven to the judge that that suspect is actually engaged in wrongdoing.

    And that is good for us all.

    -s3r

  2. Sunlight==good by los+furtive · · Score: 5, Insightful
    now you might have to do without sunlight to be secure!

    According to the text it's just the opposite:

    In a sufficiently dark environment and with a large enough sensor aperture, practically significant reception distances are possible.

    That's just another reason why I'd rather not subscribe to /. Not only do the editors fail to avoid dupicate stories, those submitting them don't even read them properly.

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

    1. Re:Sunlight==good by _underSCORE · · Score: 3, Insightful

      actually, I think they were talking about working in a totally windowless office.

      Well, at least I'm secure... pasty white, but secure.

      --
      "This is not a company that appears to be bothered by ethical boundaries."
      Attorney General Mike Hatch on Microsoft
    2. Re:Sunlight==good by jamus · · Score: 3, Insightful

      I think he was talking about a building not having any windows to be secure, rather than the amount or kind of light in the room.

      People can't see the LED's if they can't see in your windowsless building. You also won't be able to see the sun :P

    3. Re:Sunlight==good by alexburke · · Score: 3, Insightful

      I think the editor was making a stab about your adversary pointing this geegaw at your window and reading your screen from the high-frequency fluctuations in the light cast into the room by your monitor.

      Hence, you might have to do without sunlight to be secure -- by not having windows in the room.

  3. Next, Randomly Scanning monitors by cyber_rigger · · Score: 2, Insightful

    I can see it now. Random scan order on your monitor. CRTs will (probably), eventually be a thing of the past and replaced with somthing that doesn't have a scan timing to be deciphered.

  4. Re:Ridiculous by ergo98 · · Score: 2, Insightful

    Obviously the content of the paper is beyond (without a serious time investment) about 99.999% of the Slashdot population (definitely including myself), however scanning through it it simply sounds like an absurd premise : A computer monitor is not a flashlight, but is rather an ambient source of light whose net effect on any section of an opposing wall would not, in my opinion, be a "image" but a composite of all of the pixels put together. The timing of the scanlines is a consideration, however given the phosphor decay with the unknown intensity of the drawn pixels (i.e. pixels in the middle of the screen may still be brighter than the pixels being drawn at the top) make the idea of reading from diffuse reflection seemingly absurd for anything other than extremely high contrast test cases.

    As far as the examples given: Let's just say that I'd like to see it in action before believing it...

  5. Computers And Networks Leak Like Sieve by pryan · · Score: 5, Insightful

    I don't know why everyone is so shocked that people can eavesdrop, there is almost zero emmission security in almost anything deployed almost anywhere. Then again, currently, there's no practical need for such secured equipment in a normal civilian environment.

    On of the guys I used to work with would talk about the truck that would park outside their NOC to listen to their ethernet via radio receivers on the truck. One can guess where the truck came from, but the scary part is that this was more than a decade ago. They were doing things that might possibly be of interest to spooks, or perhaps a well-funded competitor.

    It's fun to engage in a fantasy world where government spooks are around every corner, but in reality there's no justification for spending large amounts of money or time to protect yourself from imagined threats like that. I am more worried about somebody breaking into my house to steal my stuff or script kiddies from Germany installing an IRC server on my boxes than the government spying on me.

    Most of us do not have anything that would justify non-criminals to bother with us. Those of us that do usually have the budgets to do something about it. And the criminals are not terribly sophisticated, so common sense and a decent system administrator are usually enough to meet the standard threats. Most criminals are opportunists, if you present a challenge, they'll move on to the guy who has his root password set to "password".

    The people who have highly sensitive stuff know that there's no real security in most hardware and software and work to build environments to protect their stuff. They probably do not buy their hardware from Dell.

    Those of us who really only need to protect our banking and personal information as well as our bandwidth don't need to worry about monitor emission security just yet. For banking information, it's much easier to get that information in much more mundane ways than eavesdropping on your monitor. You should worry about what your local convienence store does with their copy of your credit card receipt.

  6. Re:On the other hand... by SagSaw · · Score: 3, Insightful

    "A _field_ test of this would probabli yield a even worse picture, methinks..."

    The method used is very simple, and could be vastly improved by using better/more sensors, more computing power (for higher order filters/longer convolutions), or more time to experimentally tune the process to the characteristics of the target display. It must be assumed that the big boys (i.e. world governments, maybe some corporations) have access to all three of the above.

    --
    Come test your mettle in the world of Alter Aeon!
  7. A really good point by JMZero · · Score: 3, Insightful

    If someone wanted to steal information from our files, they could do so through the internet.

    Or they could tell the receptionist they're here to see Bob, and then go look at the paper files. I think it would be easier to do the latter.

    But very few would attempt the second kind of attack, because it's hard to say "Oh yeah, I was just checking out security. Just playing." when someone discovers you digging through files on someone else's property.

    In the same way, stealing information via CRT flicker requires too much of a physical commitment for it to gain much popularity I think. At least in most cases - it might be different if your office is accross from a competitor's. Even then, seems like it would be easier just to zoom in and watch them type their password.

    Interesting article anywho.

    .

    --
    Let's not stir that bag of worms...
  8. Re:Ridiculous by ergo98 · · Score: 3, Insightful
    Were you signing up for your cold fission with a sock and a cup of water when that was announced? Sorry but the premise just seems questionable given that computer screens usually have P22 phosphor, which has a decay of, or so I've heard, about 100 usecs for the blue and green, and up to 1000 usec for the red, yet this paper shows their test case shows a 90% decline (to 10%) in about 0.55 usecs...I don't know if they have either a super-short persistence monitor, or they sanded it down, but it doesn't sound comparable to the average monitor that the average person has (and their monitor would give you one hell of a headache at less than about a 500Hz refresh rate... :-)).

    Again, my doubt is regarding non-trivial test cases with a normal computer monitor : Yeah if the raster gun was drawing a line on the opposing wall then it could be read, but it's a question about realistic implementation with real hardware.

  9. A good excuse by LatJoor · · Score: 2, Insightful

    See, my girlfriend is always complaining because I keep the blinds pulled all the time. My computer is right next to the window, and the glare gets to me. Plus, I sleep on the side of the bed that's toward the window. (Small apartment, same room.) So, now I have a good excuse: it's to protect me from government scrutiny. It's better than the old excuse, which is that I'm a vampire.

    --
    I gave up my +1 bonus, don't mod me down!