Slashdot Mirror
CRT Eavesdropping: Optical Tempest
PortalCell writes "LED status monitors may potentially leak data in a few applications, but worse: Markus Kuhn has now revealed (pdf) that it's possible to read your monitor indirectly just by observing how the blue flicker lights up the room! Forget taping up LEDs or living in a metal box - now you might have to do without sunlight to be secure!" Hopefully people will also stop submitting the LED story now.
than CRT's. Kuhn's attack works by rapidly sampling the light intensity as the electron gun whizzes around the CRT screen. With LCD's, the light comes from a constantly-on fluorescent tube and there's not the same type of scanning; the LCD itself reacts much more slowly than a CRT does. The optical emanations just don't have as much bandwidth and can't carry all that info. Of course you still might leak screen contents thru RF emissions from the video card, but that's the usual TEMPEST that we already know about. (Note: this info is from Kuhn's paper).
According to the text it's just the opposite:
That's just another reason why I'd rather not subscribe to /. Not only do the editors fail to avoid dupicate stories, those submitting them don't even read them properly.
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
From the end of page 14:
"Rooms where a significant amount of the ambient light comes from displayed sensitive information should be shielded appropriately, for example by avoiding Windows."
Ha! Take that, Microsoft!
--Cam
I don't know why everyone is so shocked that people can eavesdrop, there is almost zero emmission security in almost anything deployed almost anywhere. Then again, currently, there's no practical need for such secured equipment in a normal civilian environment.
On of the guys I used to work with would talk about the truck that would park outside their NOC to listen to their ethernet via radio receivers on the truck. One can guess where the truck came from, but the scary part is that this was more than a decade ago. They were doing things that might possibly be of interest to spooks, or perhaps a well-funded competitor.
It's fun to engage in a fantasy world where government spooks are around every corner, but in reality there's no justification for spending large amounts of money or time to protect yourself from imagined threats like that. I am more worried about somebody breaking into my house to steal my stuff or script kiddies from Germany installing an IRC server on my boxes than the government spying on me.
Most of us do not have anything that would justify non-criminals to bother with us. Those of us that do usually have the budgets to do something about it. And the criminals are not terribly sophisticated, so common sense and a decent system administrator are usually enough to meet the standard threats. Most criminals are opportunists, if you present a challenge, they'll move on to the guy who has his root password set to "password".
The people who have highly sensitive stuff know that there's no real security in most hardware and software and work to build environments to protect their stuff. They probably do not buy their hardware from Dell.
Those of us who really only need to protect our banking and personal information as well as our bandwidth don't need to worry about monitor emission security just yet. For banking information, it's much easier to get that information in much more mundane ways than eavesdropping on your monitor. You should worry about what your local convienence store does with their copy of your credit card receipt.
1) Remove Windows from computer
2) Remove windows from computer room