Slashdot Mirror
CRT Eavesdropping: Optical Tempest
PortalCell writes "LED status monitors may potentially leak data in a few applications, but worse: Markus Kuhn has now revealed (pdf) that it's possible to read your monitor indirectly just by observing how the blue flicker lights up the room! Forget taping up LEDs or living in a metal box - now you might have to do without sunlight to be secure!" Hopefully people will also stop submitting the LED story now.
I better get my tin foil hat out, or get a TFT...
"First lesson," Jon said. "Stick them with the pointy end."
how practical/feasable/reliable is it? Wont data be missing if a shadow or a person walks in front of it and make it hard to put together?
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
"Hopefully people will also stop submitting the LED story now."
1 22 4
This article was posted Wednesday. Maybe people will get the clue and read slashdot before they send in submissions and just maybe the editors will do the same as well.
http://slashdot.org/article.pl?sid=02/03/06/122
than CRT's. Kuhn's attack works by rapidly sampling the light intensity as the electron gun whizzes around the CRT screen. With LCD's, the light comes from a constantly-on fluorescent tube and there's not the same type of scanning; the LCD itself reacts much more slowly than a CRT does. The optical emanations just don't have as much bandwidth and can't carry all that info. Of course you still might leak screen contents thru RF emissions from the video card, but that's the usual TEMPEST that we already know about. (Note: this info is from Kuhn's paper).
This technique relies on the raster nature of CRTs
Considering the quality of the output, maby a funky wallpaper and transparent terminals might be enough for all the tin foil hat type persons out there...
A _field_ test of this would probabli yield a even worse picture, methinks...
"First lesson," Jon said. "Stick them with the pointy end."
I've already painted my walls and made a tinfoil hat for my computer - now I'll have to cover my windows with black plastic. Maybe Transmeta knew about this back in the day? Well, I guess it didn't help them, their competitors must have stole their, uh, secrets.
Go Kart Parts - Got to love driving with the ground an in
I see a lot of potential in this sort of technology, though. When the government wants to crack down on terrorism / kiddie porn / the "threat" of the day, they will usually issue tens to hundreds of search warrants and confiscate tons of computer equipment in the name of "finding the bad guys." They will no longer have an excuse to do that, since they will now be able to eliminate potential suspects just by looking at light that was leaked from their residences. This will be a true victory for those of us (remember SJ Games?) who are scrutinized by our government without reason: they will have no reason to break into our private homes, steal our legitimately purchased equipment, and go on a "fishing expedition" in search of wrongdoing. No judge could ever let them harass a criminal suspect unless they have exhausted all other avenues and proven to the judge that that suspect is actually engaged in wrongdoing.
And that is good for us all.
-s3r
Wow, that's really neat. I wonder how good the results of this is compared to say van Eck phreaking (eavsdropping on the EMI emitted by the CRT-gun)?
Regards / ushac
If your server is in a oversized closet opening into an inside room, then the odds of someone actually doing something with it from the outside is pretty slim.
Of course, If you have to worry about a hacker from inside the company, then you have other problems as it is.
"It is a greater offense to steal men's labor, than their clothes"
According to the text it's just the opposite:
That's just another reason why I'd rather not subscribe to /. Not only do the editors fail to avoid dupicate stories, those submitting them don't even read them properly.
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
From the end of page 14:
"Rooms where a significant amount of the ambient light comes from displayed sensitive information should be shielded appropriately, for example by avoiding Windows."
Ha! Take that, Microsoft!
--Cam
This whole thing was pretty obvious. If you've ever driven by houses with televisions near windows when the tv is on, you usually see a blue room. Get some really sensitive piece of equipment, and you could measure the blue content and get an image of their screen. Specially tinted windows could reduce or eliminate this threat, but you could tell from the outside that the windows were tinted such.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
No problem for most slashdot readers, since they are most likely asking: "What is this sunlight you speak of?"
Did you read the article? If not, please do not post that it is ridiculous. What you didnt notice was that the color you get from such an attack is merged only with the ambient color from the room, which could be filtered out by a simple brightness, contrast calculation. The color from the monitor is not merged because different pixels light up at different times in a CRT.
I hereby place the above post in the public domain.
I can see it now. Random scan order on your monitor. CRTs will (probably), eventually be a thing of the past and replaced with somthing that doesn't have a scan timing to be deciphered.
You should really read the story before you post a comment. The pdf describes exactly how this stuff works, and even comes with sample screens which were captured using this method. It really works. There were no problems seeing the 5 fingers on the standard windows hand cursor (the resolution was 640x480 at 85Hz). The image was captured from the "reflections from a nearby wall".
"Forget taping up LEDs or living in a metal box - now you might have to do without sunlight to be secure!"
What's this 'sunlight' I keep hearing about?
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
From reading the pdf linked - it sounds like with a sufficiently high sammpling rate ( their words more or less ) it's possible to re-render the text. This should hold true to the way scan-guns work on most monitors.
What's new here? This is almost equivlant to putting a Video Camera infront of a monitor and then hooking the output up to your TV.
There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
Some of us are browsing /. from the workplace (sure beats doing actual work) and cannot use a better browser than IE, and I guess it's your sig that widens the page with a windowed IE (I get scrollbars unless I suppress your post). Have mercy on us poor souls, thank you.
Obviously the content of the paper is beyond (without a serious time investment) about 99.999% of the Slashdot population (definitely including myself), however scanning through it it simply sounds like an absurd premise : A computer monitor is not a flashlight, but is rather an ambient source of light whose net effect on any section of an opposing wall would not, in my opinion, be a "image" but a composite of all of the pixels put together. The timing of the scanlines is a consideration, however given the phosphor decay with the unknown intensity of the drawn pixels (i.e. pixels in the middle of the screen may still be brighter than the pixels being drawn at the top) make the idea of reading from diffuse reflection seemingly absurd for anything other than extremely high contrast test cases.
As far as the examples given: Let's just say that I'd like to see it in action before believing it...
It doesn't have to be. THe intent here was to read the text on the screen. Hence, through the combined output of the raster guns you can get a somewhat greyscale image.
There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
Yeah, I better get my Tin Foil Top out too..
XML is like violence. If it doesn't solve the problem, use more.
I don't know why everyone is so shocked that people can eavesdrop, there is almost zero emmission security in almost anything deployed almost anywhere. Then again, currently, there's no practical need for such secured equipment in a normal civilian environment.
On of the guys I used to work with would talk about the truck that would park outside their NOC to listen to their ethernet via radio receivers on the truck. One can guess where the truck came from, but the scary part is that this was more than a decade ago. They were doing things that might possibly be of interest to spooks, or perhaps a well-funded competitor.
It's fun to engage in a fantasy world where government spooks are around every corner, but in reality there's no justification for spending large amounts of money or time to protect yourself from imagined threats like that. I am more worried about somebody breaking into my house to steal my stuff or script kiddies from Germany installing an IRC server on my boxes than the government spying on me.
Most of us do not have anything that would justify non-criminals to bother with us. Those of us that do usually have the budgets to do something about it. And the criminals are not terribly sophisticated, so common sense and a decent system administrator are usually enough to meet the standard threats. Most criminals are opportunists, if you present a challenge, they'll move on to the guy who has his root password set to "password".
The people who have highly sensitive stuff know that there's no real security in most hardware and software and work to build environments to protect their stuff. They probably do not buy their hardware from Dell.
Those of us who really only need to protect our banking and personal information as well as our bandwidth don't need to worry about monitor emission security just yet. For banking information, it's much easier to get that information in much more mundane ways than eavesdropping on your monitor. You should worry about what your local convienence store does with their copy of your credit card receipt.
Studying in cam.ac.uk, I went to see a talk by Duncan Campbell on modern espionage in October 2000. In the end he asked Markus Kuhn from the audience to explain his latest work, CRT eavesdropping. So I guess 'news' is a relative concept :-)
--
The Cap is nigh. Time to get a fresh new account.
LCD's do not use a scanning electron beam, so the screen display is not made up by the high bandwidth light output. LCD's on the desk top and on laptops are a step in the right direction. The other solution is never use a computer in a dark room. Kick on a few compact flourescent lights. Their high frequency operation and high output goes a long way to adding lots of noise (opticaly) to the environment. Tempest then becomes difficult the same way it is to eavesdrop on the couple whispering to each other a few rows up at a concert.
The truth shall set you free!
Wow, you wanna buy a bridge? I have a couple for sale. Those fingers weren't even in the 4Mhz butterworth filter one (or do you believe it when you see movies when 4 pixels are "processed" into a complex, intricate document), and personally my trusting guess was that it just happened to be on the screen when he did a screenshot for the last two. However, again, I'd believe it if in an uncontrolled situation with a standard wall (you know: one that isn't a mirror) it could be read.
Has any Windows XP source code turned up in there yet?
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
um don't most of us shun sunlight now anyway? heck my drapes never open. I think the dust has glued them shut.
-
It never ceases to amaze me how we paranoids are constantly proven right yet so many refuse to believe that they are out to get us.
Whoops, missed a "pre" there: I meant to say that they weren't in the pre-4Mhz filter one.
I already covered my windows with lead a while back to keep the Illuminati mind rays out!
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
This works only for 10 MBs and lower equipment. IE: phone modems, many NICs, etc... etc...
Man is born free; and everywhere he is in chains.
If someone wanted to steal information from our files, they could do so through the internet.
Or they could tell the receptionist they're here to see Bob, and then go look at the paper files. I think it would be easier to do the latter.
But very few would attempt the second kind of attack, because it's hard to say "Oh yeah, I was just checking out security. Just playing." when someone discovers you digging through files on someone else's property.
In the same way, stealing information via CRT flicker requires too much of a physical commitment for it to gain much popularity I think. At least in most cases - it might be different if your office is accross from a competitor's. Even then, seems like it would be easier just to zoom in and watch them type their password.
Interesting article anywho.
.
Let's not stir that bag of worms...
Again, my doubt is regarding non-trivial test cases with a normal computer monitor : Yeah if the raster gun was drawing a line on the opposing wall then it could be read, but it's a question about realistic implementation with real hardware.
Don't think my cable co is gonna be happy when they find out that somebody else is watching all those adverts that I've only paid enough for myself to watch...
Remember that all screenshots in the documents are just an 8 bit 2D representation of the data. The signal probably has much higher resolution. You may not see the fingers in the first image because the signal level is very low compared to the rest.
This attack looks pretty innocuous when you look at how it's possible to reconstruct the video signal via the EM signal your CRT generates.
_ gc i550525,00.html
http://whatis.techtarget.com/definition/0,,sid9
Forget closing the windows. Better build a grounded copper mesh encases your house.
120 characters isn't enough to explain it.
The monitor gets its sync information over the vga cable but the persons that tries to read the screen using this technology must guess the sync information.
A little software that modulates the h and v sync rate every frame should make it much harder to get a readable image. But I'm not sure if you could still get a stable image on the screen if your change your sync rates every frame. That software protection could be effective because it is very likely that they need to record more than one screen refresh to get a image that has a good enough to read it.
Also high resolutions and high vsync rates in general should make it harder to use that technology. Using non-standard resolutions and sync rates also make the sync information guessing harder.
Jan
I doubt anyone here actually knows about this, but we can all speculate together...
How safe is a LCD monitor with a digital (DVI) connection? The video card is probably not putting out RF emissions (because it's sending a digital signal), and there's no scanning CRT to track. What would be the easiest route to eavesdropping on that?
1) Remove Windows from computer
2) Remove windows from computer room
In order to take advantage of this or the LED trick you have to have some line of sight and the equipment on hand to do it. Every corporate server I've ever worked on has been kept in a locked room somewhere where only a handful of people have access. If someone did manage to get into that room there would be much worse things to worry about than this. On the client side access would be easier but most likely you'd have a user sitting there to deal with. I just don't see why anyone would go to the trouble of trying something like this when there are much easier ways of doing it. Besides the standard everyday break-ins what about all the RF signals a computer gives off? You don't need a line of sight to pick those up. With a powerful enough antennas you might even be able to pick them up miles away! Only ultra secure organizations like the NSA, CIA, etc... would really have to worry about something like this.
In theory, wouldn't it be possible to also defeat this by turning a few old televisions in the room to an unused channel displaying static?
But your screen can probably be read off that tin-foil hat while a Carnivore analyzes the time difference between encrypted packets based on one-handed typing.
Add some light sources that interfere with the signal to be decoded. Get some strobe lights, some Intellibeams. Get a lava lamp or two. Get a mirrorball. Live, work, and code in a dance club.
Or just turn on a particular kind of CRT called a television with the sound off, not in your field of vision but lighting up the room, especially if it's aimed towards the windows. Leave it on any active channel.
"Rooms where a significant amount of the ambient light comes from displayed sensitive information should be shielded appropriately, for example by avoiding Windows."
Well Gee, didn't we already know that?
13 year old white supremacists are shitty web designers.
Is it available in code ?
>;)~!
Just goes to show that computers draw together the people who are nervous and those who actually want to watch those scared people who are putting duct tape over their windows.
Get your Unix fortune now!
If the content of the paper is beyond your comprehension, why are you making statements about it? There's nothing in this paper that any reasonably competent electrical engineering undergraduate wouldn't be able to do in 3 days given access to the equipment (a photomultiplier and a 250MHz digital oscilliscope were the only recording equipment used.)
however scanning through it it simply sounds like an absurd premise : A computer monitor is not a flashlight, but is rather an ambient source of light whose net effect on any section of an opposing wall would not, in my opinion, be a "image" but a composite of all of the pixels put together.
The claim is not that an "image" is projected on the wall. The entirely obvious claim is that the image is encoded in the time domain. RTFA.
The timing of the scanlines is a consideration, however given the phosphor decay with the unknown intensity of the drawn pixels (i.e. pixels in the middle of the screen may still be brighter than the pixels being drawn at the top) make the idea of reading from diffuse reflection seemingly absurd for anything other than extremely high contrast test cases.
You haven't been scanning through the paper too well. Dealing with the impulse response fo the phosphors is what sections 3 and 4 are devoted to. The phosphor response is simply a linear convolution filter. Approximate deconvolution is covered in any undergraduate-level signals class.
I have a positive modifier on Troll. When I mod someone Troll their karma should go UP!
It's already known that your monitor gives out EM waves in a way that with a radio it might be possible to tell what's on the monitor...
It was on slashdot a while ago...
Don't quote me on this.
CRT monitors have been "sniffed" with a special raido setup that allows whats ont he screen to be reconstructed. This is part of the reason antialasing fonts have be come popular because it make the text blury too the sniffers.
...that the computer just crashed nastily (AND that it was running windows) if anything.
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Sure they are... it's very faint, but if you zoom in on it, you'll see a smudge there. I ran the pdf through Ghostscript's pdf2ps, then extracted the uncompressed image to make a PNG. Run it through... The GIMP, and out comes this.
Looks like the original picture has been JPEGged in the process of turning it into a PDF--I bet it'd be even clearer in the original.
if youre monitor and graphics cards had high refresh rates, what if you were to alternate screens of gibberish into the refresh at random cycles, and have some form of lcd shutter goggles that are synced to block the gibberish from you. Anyone think that could work or be feasible?
This
What will this mean for OLEDs? They will be able to read the information directly off of the OLEDs AND the reflections!
Ehek! Ehek! The least you can do is post without being an AC, fuckwit.
i hate pansy republicans
Truely superb work. However, if you notice, red does not come through on the reconstructions. Perhaps this is something to do with his use of P22 phospors, or I missed some important detail.
So, what does this teach us? If you are doing anything illegal on your computer, and you do not want to be caught, stick with red text on a black background. Or, if you want full color on a good CRT, put a hood on it like those turn-of-the-century cameras. Imagine the look on your co-workers face (or friends at a LAN party) when you stick your head under the hood and go to work. Then listen to them laugh as you reach for your coffee and spill it all over the place because you can't see anything. Oh well.
--- At my sig, unleash hell.
Why do people waste time on useless studies? (ok, not useless) This technology would never be something put into use as it is not feasible and will definetely not be reliable to use as a spying tool. The only peopl to pursue this might be the government as they are always looking for ways to find out what people are up to.
God, maybe someone standing behind me can see what's on my CRT too?
Dave
I write a blog now, you should be afraid.
I have a ton of LED's in my computer room. It used to have an odd glow, but some electrical tape over them fixed that. Now, with the exception of my speakers, you can't see any of the LED's - it's now secure from LED sniffing.
:)
So, I just applied the same fix for this, since my monitor faces a window. There is now a few strips (about 30) of electrical tape covering my monitor and the flicker is gone.
I appologize for any typing errors though. Every fix has a downside
I knew there was a good reason to run my screen a 1600x1200x75Hz. Someone would have to be receiving a 144MHz optical signal to get a decent reading of my screen, and from far away it's not easy...
-Adam
According to the article, with the aid of a device called a telescope I can see someone's screen from a long distance. What will they think of next, using a magnifying glass to see thing that are very very small?
From the folks who brought you "that LED story," comes "that CRT story." Check the PDF.
Wrists killing you? Not in 2 weeks. Learn Dvorak.
Can this evesdroping happen witha lcd screen too?
Hacker Media
See, my girlfriend is always complaining because I keep the blinds pulled all the time. My computer is right next to the window, and the glare gets to me. Plus, I sleep on the side of the bed that's toward the window. (Small apartment, same room.) So, now I have a good excuse: it's to protect me from government scrutiny. It's better than the old excuse, which is that I'm a vampire.
--
I gave up my +1 bonus, don't mod me down!
Buy a tinfoil hat, a shotgun, some TV glasses, and a bomb shelter and move to Iceland.
I hate those losers who can't come up with a decent sig. Oh, wait...
Tempest refers to stray electromagnetic radiation that is "read" by appropriate radio equipment nearby, this article is about stray light emissions that are picked up by a photosensor.
...now you might have to do without sunlight to be secure!
What is this sunlight you speak of?
What's "sunlight"?
Sparks:Gadget:Beer Maker
you can evesdrop on conversations by hiding in a bush and using a gadget to read the vibrations of a window from the reflected light on it.
You can pickup cordless, and maybe even cellphones (digital/encryption though).
You can open up the phone junction box outside the building and tap the wires.
You can pick-up the emf from a monitor or tv and reconstruct the image (pretty hard i think).
You can use the earth wire in a house to transmit data from bugs hidden in plugs.
You can use tools like netbus etc.. to view peoples computer over a network.
You can trick security guards with dumb-busty-blondes(tm)*
*I in no way endorse the use of busty-blondes(tm) or in anyway imply that they are all dumb, or that security guards are shallow/thick and are easily seduced.
You can look into windows with telescopes
You can recover badly deleted data from disks
You can packet sniff
You can abuse the fact that your an admin for that network and get anything you want
You can even use money to get information
And now you can use LEDs and monitor flicker too... And the FBI wants _more_ rights to tap you?!?!? how does that work?
This comment does not represent the views or opinions of the user.
The MPAA has just released a memo to all government agencies and private detectives hoping to use this method for surveillance. Apparently you cannot use it while someone is watching a film or other copyrighted work on their monitor as this is a violation of the DMCA. They had originally planned to ban this technology completely, but Bush decided that it would put the USA at a distinct disadvantage in the surveillance world, so they settled for this fix instead.
If you want to protect yourself, have a dvd looping in a small window on your monitor and spies will be forced to stop watching, or face the penalties. This law also applies to Russia and all other countries by order of US international law(tm)
This comment does not represent the views or opinions of the user.
The next thing you know, they'll be telling me that people can get information on what I'm doing, using no specialist equipment just by standing behind me and looking at the screen over my shoulder! I'll have to start doing everything using ssh (Secure SHpectacles).
"E pur si muove!" - attributed to Galileo Galilei, 1564-1642
queue lots of arguments about whether it's blue or green that has the longest wavelength.
so just add a few strobelights, a mirror ball, some other types of disco lighting to the computer room and Voila.. no more security risk and the work environment has been improved...
Now to get this project's captial budget approved in the name of company security...
Do not look at laser with remaining good eye.
Sorry but the premise just seems questionable given that computer screens usually have P22 phosphor, which has a decay of, or so I've heard, about 100 usecs for the blue and green, and up to 1000 usec for the red, yet this paper shows their test case shows a 90% decline (to 10%) in about 0.55 usecs.
Human vision is approximately logarithmic in its perception of intensity. A search with Google should confirm this if you don't believe me. Thus, the exponential drop in that graph is not an exponential drop in the perceived intensity. Furthermore, CRTs work because of persistence of vision. If a CRT were frozen in time, only a fraction of the screen would appear illuminated, even to a human's logarithmic visual system.
I'd like to point at that at this point, all of your specific claims in this thread have been shown to be baseless.
LOL!! Actually, at the time it might well have been! :)
~REZ~ #43301. Who'd fake being me anyway?
I'd be real concerned if pros like you were not keeping my data safe . I will also sleep well at night knowing that the government has no interst in my personal letters and phone calls or my company's records. I will continue to use my high speed internet access without fear of eavesdropping. The constituion and people like you protect me!
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Cover the CRT/LCD of your screen with duct tape. One downside: Duct tape isn't really that transparent, but I guess that was my point... :)
I'd say that the shutter time was about 1/5th of your screen refresh rate. If you take a photo of 100Hz monitor with 10ms shutter time full screen should be visible with equal intensity simply because monitor can draw full screen in 10ms. With 5ms shutter time you get exactly half the screen and so on.
If you constantly measure light level and digitize it every 5 ns [1] you should be able to get pixel intensity value for every single pixel on a 1600x1200@85Hz screen. The problem is to get meaningful readings with 5 ns "shutter time". Fortunately for you, there'll be much extra noise from the light emitted from the still more or less gloving previous pixels and office lighting and whatnot. However, the pixel the CRT is currently drawing is the brightest and this is how it works... if it works. If you want to make it hard for 'them' just use high resolution with high refresh rate. And extra small fonts.
1. Roughtly the time needed per pixel when drawing 1600x1200@85Hz, I calculated this as 1/(1800x1400x85) sec to take CRT scanning into account.
_________________________
Spelling and grammar mistakes left as an exercise for the reader.
My specific problem with the paper, which may or may not be groundless, is that as mentioned the test monitor appeared to have phosphor that decayed 90% in 0.55usecs, yet as mentioned real world monitors, like the one in front of me, decay to 10% from between 80 usecs (and it would vary by pixel as well as it isn't set in stone) - 1000 usecs, so it sounds like a test case that may have been rigged to basically, as mentioned, be a trace gun illuminating the opposing wall. My doubt is the gap between a possibility (there is no one who doubts that if you're reading the ray trace gun that you can determine what image was on the screen), and the practical reality with much longer decay phosphors.
The 500Hz comment was merely joking, but it was based upon the difference between the sample phosphor decay and what people are practically use to.
This whole debate, ironically, is very similar to the LED debate of a few days ago: There are practical limitations of the reponse time of a LED that limit what can be read for anything other than a hypothetical.
The decay curve in my paper is realistic and nothing is "rigged". The monitor is the first one I tried, a very common model, and operated under default conditions. Other decay curves that you might have seen in the literature before (see the phosphor literature that I quoted and discussed) were most likely measured with *significantly* slower photosensors that miss the initial spike in the first microsecond completely. The use of a photomultiplier with around a nanosecond raisetime in this test is critical to obtain this result.