Slashdot Mirror
CRT Eavesdropping: Optical Tempest
PortalCell writes "LED status monitors may potentially leak data in a few applications, but worse: Markus Kuhn has now revealed (pdf) that it's possible to read your monitor indirectly just by observing how the blue flicker lights up the room! Forget taping up LEDs or living in a metal box - now you might have to do without sunlight to be secure!" Hopefully people will also stop submitting the LED story now.
"Hopefully people will also stop submitting the LED story now."
1 22 4
This article was posted Wednesday. Maybe people will get the clue and read slashdot before they send in submissions and just maybe the editors will do the same as well.
http://slashdot.org/article.pl?sid=02/03/06/122
than CRT's. Kuhn's attack works by rapidly sampling the light intensity as the electron gun whizzes around the CRT screen. With LCD's, the light comes from a constantly-on fluorescent tube and there's not the same type of scanning; the LCD itself reacts much more slowly than a CRT does. The optical emanations just don't have as much bandwidth and can't carry all that info. Of course you still might leak screen contents thru RF emissions from the video card, but that's the usual TEMPEST that we already know about. (Note: this info is from Kuhn's paper).
Considering the quality of the output, maby a funky wallpaper and transparent terminals might be enough for all the tin foil hat type persons out there...
A _field_ test of this would probabli yield a even worse picture, methinks...
"First lesson," Jon said. "Stick them with the pointy end."
I see a lot of potential in this sort of technology, though. When the government wants to crack down on terrorism / kiddie porn / the "threat" of the day, they will usually issue tens to hundreds of search warrants and confiscate tons of computer equipment in the name of "finding the bad guys." They will no longer have an excuse to do that, since they will now be able to eliminate potential suspects just by looking at light that was leaked from their residences. This will be a true victory for those of us (remember SJ Games?) who are scrutinized by our government without reason: they will have no reason to break into our private homes, steal our legitimately purchased equipment, and go on a "fishing expedition" in search of wrongdoing. No judge could ever let them harass a criminal suspect unless they have exhausted all other avenues and proven to the judge that that suspect is actually engaged in wrongdoing.
And that is good for us all.
-s3r
Wow, that's really neat. I wonder how good the results of this is compared to say van Eck phreaking (eavsdropping on the EMI emitted by the CRT-gun)?
Regards / ushac
If your server is in a oversized closet opening into an inside room, then the odds of someone actually doing something with it from the outside is pretty slim.
Of course, If you have to worry about a hacker from inside the company, then you have other problems as it is.
"It is a greater offense to steal men's labor, than their clothes"
According to the text it's just the opposite:
That's just another reason why I'd rather not subscribe to /. Not only do the editors fail to avoid dupicate stories, those submitting them don't even read them properly.
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
From the end of page 14:
"Rooms where a significant amount of the ambient light comes from displayed sensitive information should be shielded appropriately, for example by avoiding Windows."
Ha! Take that, Microsoft!
--Cam
This whole thing was pretty obvious. If you've ever driven by houses with televisions near windows when the tv is on, you usually see a blue room. Get some really sensitive piece of equipment, and you could measure the blue content and get an image of their screen. Specially tinted windows could reduce or eliminate this threat, but you could tell from the outside that the windows were tinted such.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
No problem for most slashdot readers, since they are most likely asking: "What is this sunlight you speak of?"
Forget the hat, in times like theese only a Full tinfoil body suit will do!
Did you read the article? If not, please do not post that it is ridiculous. What you didnt notice was that the color you get from such an attack is merged only with the ambient color from the room, which could be filtered out by a simple brightness, contrast calculation. The color from the monitor is not merged because different pixels light up at different times in a CRT.
I hereby place the above post in the public domain.
I can see it now. Random scan order on your monitor. CRTs will (probably), eventually be a thing of the past and replaced with somthing that doesn't have a scan timing to be deciphered.
"Forget taping up LEDs or living in a metal box - now you might have to do without sunlight to be secure!"
What's this 'sunlight' I keep hearing about?
Knunov
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
Obviously the content of the paper is beyond (without a serious time investment) about 99.999% of the Slashdot population (definitely including myself), however scanning through it it simply sounds like an absurd premise : A computer monitor is not a flashlight, but is rather an ambient source of light whose net effect on any section of an opposing wall would not, in my opinion, be a "image" but a composite of all of the pixels put together. The timing of the scanlines is a consideration, however given the phosphor decay with the unknown intensity of the drawn pixels (i.e. pixels in the middle of the screen may still be brighter than the pixels being drawn at the top) make the idea of reading from diffuse reflection seemingly absurd for anything other than extremely high contrast test cases.
As far as the examples given: Let's just say that I'd like to see it in action before believing it...
I don't know why everyone is so shocked that people can eavesdrop, there is almost zero emmission security in almost anything deployed almost anywhere. Then again, currently, there's no practical need for such secured equipment in a normal civilian environment.
On of the guys I used to work with would talk about the truck that would park outside their NOC to listen to their ethernet via radio receivers on the truck. One can guess where the truck came from, but the scary part is that this was more than a decade ago. They were doing things that might possibly be of interest to spooks, or perhaps a well-funded competitor.
It's fun to engage in a fantasy world where government spooks are around every corner, but in reality there's no justification for spending large amounts of money or time to protect yourself from imagined threats like that. I am more worried about somebody breaking into my house to steal my stuff or script kiddies from Germany installing an IRC server on my boxes than the government spying on me.
Most of us do not have anything that would justify non-criminals to bother with us. Those of us that do usually have the budgets to do something about it. And the criminals are not terribly sophisticated, so common sense and a decent system administrator are usually enough to meet the standard threats. Most criminals are opportunists, if you present a challenge, they'll move on to the guy who has his root password set to "password".
The people who have highly sensitive stuff know that there's no real security in most hardware and software and work to build environments to protect their stuff. They probably do not buy their hardware from Dell.
Those of us who really only need to protect our banking and personal information as well as our bandwidth don't need to worry about monitor emission security just yet. For banking information, it's much easier to get that information in much more mundane ways than eavesdropping on your monitor. You should worry about what your local convienence store does with their copy of your credit card receipt.
LCD's do not use a scanning electron beam, so the screen display is not made up by the high bandwidth light output. LCD's on the desk top and on laptops are a step in the right direction. The other solution is never use a computer in a dark room. Kick on a few compact flourescent lights. Their high frequency operation and high output goes a long way to adding lots of noise (opticaly) to the environment. Tempest then becomes difficult the same way it is to eavesdrop on the couple whispering to each other a few rows up at a concert.
The truth shall set you free!
um don't most of us shun sunlight now anyway? heck my drapes never open. I think the dust has glued them shut.
-
I already covered my windows with lead a while back to keep the Illuminati mind rays out!
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
This works only for 10 MBs and lower equipment. IE: phone modems, many NICs, etc... etc...
Man is born free; and everywhere he is in chains.
I don't see how the problem would be any worse for this technique than for simply looking at a CRT through binoculars. If someone blocks the light, you won't be able to read the screen for a few seconds. Oh well. Besides, since this technique can be used on diffusely reflected light from a wall, it would be MORE resistant to obstructions than direct observation, because the person's shadow would have to obstruct almost all of the light coming from the CRT to keep it from reflecting off of other objects, instead of the person just blocking direct line of sight from the CRT to you. In fact, the whole point of the technique is that it doesn't require a direct line of sight to the screen to read it.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
If someone wanted to steal information from our files, they could do so through the internet.
Or they could tell the receptionist they're here to see Bob, and then go look at the paper files. I think it would be easier to do the latter.
But very few would attempt the second kind of attack, because it's hard to say "Oh yeah, I was just checking out security. Just playing." when someone discovers you digging through files on someone else's property.
In the same way, stealing information via CRT flicker requires too much of a physical commitment for it to gain much popularity I think. At least in most cases - it might be different if your office is accross from a competitor's. Even then, seems like it would be easier just to zoom in and watch them type their password.
Interesting article anywho.
.
Let's not stir that bag of worms...
Again, my doubt is regarding non-trivial test cases with a normal computer monitor : Yeah if the raster gun was drawing a line on the opposing wall then it could be read, but it's a question about realistic implementation with real hardware.
The monitor gets its sync information over the vga cable but the persons that tries to read the screen using this technology must guess the sync information.
A little software that modulates the h and v sync rate every frame should make it much harder to get a readable image. But I'm not sure if you could still get a stable image on the screen if your change your sync rates every frame. That software protection could be effective because it is very likely that they need to record more than one screen refresh to get a image that has a good enough to read it.
Also high resolutions and high vsync rates in general should make it harder to use that technology. Using non-standard resolutions and sync rates also make the sync information guessing harder.
Jan
1) Remove Windows from computer
2) Remove windows from computer room
Just goes to show that computers draw together the people who are nervous and those who actually want to watch those scared people who are putting duct tape over their windows.
Get your Unix fortune now!
...that the computer just crashed nastily (AND that it was running windows) if anything.
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Sure they are... it's very faint, but if you zoom in on it, you'll see a smudge there. I ran the pdf through Ghostscript's pdf2ps, then extracted the uncompressed image to make a PNG. Run it through... The GIMP, and out comes this.
Looks like the original picture has been JPEGged in the process of turning it into a PDF--I bet it'd be even clearer in the original.
Don't many video cards with digital connections also have standard analog connections? I seem to remember that quite a few of the ones that I've seen have.
If so, do both connectors output the signal even if only one is in use?
-kwishot
It gets even better...
Run this Linux program and beam music all over the house, by turning your monitor into a radio station (modulating it's signal). It's a pretty convincing proof for those who doubt the "story" about reading your CRT from a properly equipped van down the street.
http://www.erikyyy.de/tempest/
God, maybe someone standing behind me can see what's on my CRT too?
Dave
I write a blog now, you should be afraid.
I have a ton of LED's in my computer room. It used to have an odd glow, but some electrical tape over them fixed that. Now, with the exception of my speakers, you can't see any of the LED's - it's now secure from LED sniffing.
:)
So, I just applied the same fix for this, since my monitor faces a window. There is now a few strips (about 30) of electrical tape covering my monitor and the flicker is gone.
I appologize for any typing errors though. Every fix has a downside
I knew there was a good reason to run my screen a 1600x1200x75Hz. Someone would have to be receiving a 144MHz optical signal to get a decent reading of my screen, and from far away it's not easy...
-Adam
pet peeve:
The video card is probably not putting out RF emissions
Yes it is. All signals of any kind that are not D.C. and have sufficiently fast frequency emit RF, and any kind of switch to on or off (digital) WILL emit RF.
That includes flicking the power switch on ANY device, and the digital signals going across your cable.
At any rate, this isn't the problem with the method described, the problem is the LIGHT from the CRT, since it can be sampled and dupicated.
LCDs do not do this, because they don't scan, so your LCD is safe from this kind of eavesdropping.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
the difference is, as you would no doubt know if you actually HAD read the article, that this attack allows the reconstruction of the CRT image from reflected, diffuse light; the only information an attacker needs is the glow of the monitor on the walls of the room.
ever looked in a window down the street late at night and seen the whole room lit up by a television?
See, my girlfriend is always complaining because I keep the blinds pulled all the time. My computer is right next to the window, and the glare gets to me. Plus, I sleep on the side of the bed that's toward the window. (Small apartment, same room.) So, now I have a good excuse: it's to protect me from government scrutiny. It's better than the old excuse, which is that I'm a vampire.
--
I gave up my +1 bonus, don't mod me down!
Tempest refers to stray electromagnetic radiation that is "read" by appropriate radio equipment nearby, this article is about stray light emissions that are picked up by a photosensor.
you can evesdrop on conversations by hiding in a bush and using a gadget to read the vibrations of a window from the reflected light on it.
You can pickup cordless, and maybe even cellphones (digital/encryption though).
You can open up the phone junction box outside the building and tap the wires.
You can pick-up the emf from a monitor or tv and reconstruct the image (pretty hard i think).
You can use the earth wire in a house to transmit data from bugs hidden in plugs.
You can use tools like netbus etc.. to view peoples computer over a network.
You can trick security guards with dumb-busty-blondes(tm)*
*I in no way endorse the use of busty-blondes(tm) or in anyway imply that they are all dumb, or that security guards are shallow/thick and are easily seduced.
You can look into windows with telescopes
You can recover badly deleted data from disks
You can packet sniff
You can abuse the fact that your an admin for that network and get anything you want
You can even use money to get information
And now you can use LEDs and monitor flicker too... And the FBI wants _more_ rights to tap you?!?!? how does that work?
This comment does not represent the views or opinions of the user.
so just add a few strobelights, a mirror ball, some other types of disco lighting to the computer room and Voila.. no more security risk and the work environment has been improved...
Now to get this project's captial budget approved in the name of company security...
Do not look at laser with remaining good eye.
Sorry but the premise just seems questionable given that computer screens usually have P22 phosphor, which has a decay of, or so I've heard, about 100 usecs for the blue and green, and up to 1000 usec for the red, yet this paper shows their test case shows a 90% decline (to 10%) in about 0.55 usecs.
Human vision is approximately logarithmic in its perception of intensity. A search with Google should confirm this if you don't believe me. Thus, the exponential drop in that graph is not an exponential drop in the perceived intensity. Furthermore, CRTs work because of persistence of vision. If a CRT were frozen in time, only a fraction of the screen would appear illuminated, even to a human's logarithmic visual system.
I'd like to point at that at this point, all of your specific claims in this thread have been shown to be baseless.
LOL!! Actually, at the time it might well have been! :)
~REZ~ #43301. Who'd fake being me anyway?
Cover the CRT/LCD of your screen with duct tape. One downside: Duct tape isn't really that transparent, but I guess that was my point... :)
I'd say that the shutter time was about 1/5th of your screen refresh rate. If you take a photo of 100Hz monitor with 10ms shutter time full screen should be visible with equal intensity simply because monitor can draw full screen in 10ms. With 5ms shutter time you get exactly half the screen and so on.
If you constantly measure light level and digitize it every 5 ns [1] you should be able to get pixel intensity value for every single pixel on a 1600x1200@85Hz screen. The problem is to get meaningful readings with 5 ns "shutter time". Fortunately for you, there'll be much extra noise from the light emitted from the still more or less gloving previous pixels and office lighting and whatnot. However, the pixel the CRT is currently drawing is the brightest and this is how it works... if it works. If you want to make it hard for 'them' just use high resolution with high refresh rate. And extra small fonts.
1. Roughtly the time needed per pixel when drawing 1600x1200@85Hz, I calculated this as 1/(1800x1400x85) sec to take CRT scanning into account.
_________________________
Spelling and grammar mistakes left as an exercise for the reader.
Those items you mention are all social and political issues, there're not really technological issues.
My specific problem with the paper, which may or may not be groundless, is that as mentioned the test monitor appeared to have phosphor that decayed 90% in 0.55usecs, yet as mentioned real world monitors, like the one in front of me, decay to 10% from between 80 usecs (and it would vary by pixel as well as it isn't set in stone) - 1000 usecs, so it sounds like a test case that may have been rigged to basically, as mentioned, be a trace gun illuminating the opposing wall. My doubt is the gap between a possibility (there is no one who doubts that if you're reading the ray trace gun that you can determine what image was on the screen), and the practical reality with much longer decay phosphors.
The 500Hz comment was merely joking, but it was based upon the difference between the sample phosphor decay and what people are practically use to.
This whole debate, ironically, is very similar to the LED debate of a few days ago: There are practical limitations of the reponse time of a LED that limit what can be read for anything other than a hypothetical.
Gee, thanks troll. I thought I was talking about eavesdropping, and that the parent post was trying to tell me not to worry, that no one was really interested in insignificant little me especially with hard to use toys like optical tempest. The things I pointed to make blue light chasing unneeded but also show intent to look into everyone's life strong enough to use optical tempest. Of course the article said that optical tempest was good from 200 feet, so it would work from a van on the curb or a house next to yours. Sleep well.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.