Slashdot Mirror
Laptops And Flat Panels Now Vulnerable to Van Eck Methods
An anonymous reader writes "Using radio to eavesdrop on CRTs has been around since the 80s, but Cambridge University researchers have now shown that laptops and flat-panel displays are vulnerable too. Using basic radio equipment and an FPGA board totaling less than $2,000 it was possible for researchers to read text from a laptop three offices away. 'Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximize the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference.'"
"I asked if you could alter a device to make it easier to spy on."
Okay, see, that's the type of questions the NSA likes to see its potential employees ask. Any other type of person would ask if you could alter a device to make it *harder* to spy on.
I think this means they've always been vulnerable, but no one knew. It's not like someone turned on the Vulnerable switch.
*grabs tinfoil hat and hides under desk*
Best Windows Freeware
For example, adding small pieces of wire or cable to a display could make a big difference.'"
So adding an antenna makes it broadcast better meaning you can pick it up easier. Shocking. Very useful for remote spying. Step one, add an antenna to the target's display.
My Suburban burns less gasoline than your Prius.
I wonder if they're just reading the signals that are being sent over the wire? With analog signals this is pretty easy to to, but with DVI it's a lot harder, and way harder still if the signal is encrypted. With the future of display technologies appearing to be heading as close as possible to encryption to the eyeballs, it makes me wonder how long this will remain viable.
I read the internet for the articles.
The title given to this story on slashdot is awful, especially for a geek news site. Haven't we already established that obscurity is not security? And about a million times over?
An unpublished vulnerability is no less real than one that has been announced, and is in fact more dangerous because the lack of an announcement leads to a false feeling of security. The real story is that your laptop has in fact been vulnerable to van eck phreaking for years and year, not just "now".
It's a good thing I haven't had faith in slashdot for a long time now, or I'd be really disappointed. As it is, I'm just pointing this out for those who didn't already notice.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Would be to shoot towards anyone carrying a $2000 FPGA board around for no good reason!
Uh oh, metal hinges pratically imply "ThinkPad"...
;-)
But then, it is pretty obvious that using the notebook ungrounded IS asking for trouble anyway as far as signal interference goes, and those hinges are earth-grounded if you have the notebook plugged to wall power using a three-prong power supply.
I think I will keep my ThinkPad instead of using cheezy plastic crap, and use low-contrast, antialiased round fonts if I feel secretive. Must also remember to tape over all network leds, and turn on the loud white-noise generator, as both the sounds of a keyboard and the flickering of the leds can give away way too much information
Maybe this technique could be used to bypass that DRM stuff and capture movies etc right from the screen, how do you think about it?
"i have a friend, ehem, who is worried about this kind of hack, ehem, and i was, i mean he was, wondering what he could do to..."
"guard against it?"
"no, no, what he could do to... um, make sure the 'bad guys' haven't modified his system, ehem, like, what would a bad guy do to make this work better so he could do it, i mean, so he could have an idea of the kind of modifications to look out for?"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I remember seeing a demo of this back in the 80's. I always had a suspicion this was possible, however some people still balk at this as 'science fiction'. I can assure you it's not. It's this kind of thing that should be waking up manufactures to the perils of shitty RFI design. Spewing broad band spectrum pollution not only causes radio interference, but also opens you to security problems.
Not to go slightly off topic here, but BPL (broadband over power wires) providers ought to see this as a wakeup call. Coupling broad band ODMF signals on widely spaced wires hanging 40+ feet in the air, radiating like antennas is a HUGE security issue. Not only can BPL be jammed with something as simple as a CB or Amateur radio transceiver, but a creative individual could use similar methods to monitor BPL signals.
"I bow to no man" - Riddick
Russia and the U.S. had been snooping VDT images since the early 1970's or earlier. van Eck just made it public by publishing a paper on how to do it with $100 of Radio Shack parts. cryptome.org forum postings include a reference to a 1973 book.
Parent line, then my reply, appears below:
I read that no less than three times and still believed that it said "receiver".
I apologize for this part of my comment.
Looks like my eyes are failing me, guess I'll go home (for those wondering, yes, I do come in pretty early.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
cause I was just wondering about this very topic yesterday. :-S
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed H
So the hack that is mentioned in Cryptonomicon is pure sci-fi? It says that van-eck was possible on a laptop because of some backwards compatibility issue, in which laptops still refreshed the display 60 times per second or so, even if they didn't need to, so you could pick up on that radiation or something for the phreaking. It wasn't really possible until now? Or is this a different method where you can spy on LCD's using some method specific to LCD's?
Go hug some trees.
Long before Van Eck publicly demonstrated it, the NSA was well aware of the problem. It extends beyond the CRT. NSA created the TEMPEST program to reduce radiation of information.
Simply put, change the voltage level or current level of a device and you generate a signal that is conducted along wires and other conductive paths and radiated from those conductive paths. Interception of the conducted or radiated changes can be used to re-create
the original information. Wether the information is in serial, paralell or raster format it is a relatively trivial problem given some time and computing resources.
Is it a problem for most of us? Given that someone will try the easiest ways to get the information, using Van Eck or other types of TEMPEST
attacks is much less likely than social engineering or other means to get your information.
So this is what all those fancy 3D desktops are good for. Just set wobbliness and fuzzy effects to max and no one will be able to make sense of what is going on on your screen (including you - trust no one).
It's late Friday afternoon, Martin.... time to do what your Slashdot nick suggests... and go have a drink!!! (I'm about to have a nice tall glass of Don Julio Reposado myself)
BTW, the perfect way to avoid Van Eck phreaking of your laptop/lcd monitors was detailed in Stephenson's Cryptonomicon many years ago.... just write a driver that flashes morse code on the keyboard Scroll Lock LED instead, and sends useless gibberish as text to the screen. That'll really mess with the spooks' heads.
BEHOLD ! I am TEMPEST, thy LORD and MASTER ! Bow before ME ! Fear ME ! I see ALL*!
*its a bit fuzzy, like snowy tv - BUT I SEE ALL !! FEAR ME !!!
'nuff said.
I can spend $2000 to be able to read my laptop that's across the room while I'm still in bed. Now all I need is some sort of glove I can hook up to a robotic arm so it can type for me. Or better yet, I can invent a fing-longer!
Sigh If only they would make a portable version of my laptop...
Make that the scroll-lock LED on my keyboard. It flashes in Morse Code to me!
The NSA, and other intelligence agencies, have been exploiting stuff like this for more than fifty years. Technology changes, but the fundamental principle, interception of EM radiation stays the same. You can even spy on certain models of electric typewriters. If you ever get the chance to look at TEMPEST certified hardware, you will see the lengths that the engineers have to go to, to shield and filter an electronics device. Besides the box itself, all cables have to be well shielded and filtered, or they just function as antennas for your sensitive data.
Mea navis aericumbens anguillis abundat
Step one, cut a hole in a box Step two, put your antenna in that box Step three, make her open the box Whoops, scratch that last step
All I see is indecipherable garbage. :)
Diaper-wielding man sneaks into NASA/Houston, wants release of girlfriend astronut of same persuation or he says he will remove the dirtied diaper.
LCDs and plasma have been favored by DMCA people as a way to beat the analog hole. Here's another nail in that coffin.
Contribute to civilization: ari.aynrand.org/donate
You know... I might have to re-read this book soon.
This shouldn't be too surprising to anyone who's tried listening to audio output from a typical laptop. You can hear everything, including processor load, disk access, mouse or window movements (the sound noticeably changes depending on the cursor, hovering over a text area sounds differently than over the desktop or window resize areas) and typing. I'm sure some of that audio noise also escapes as electromagnetic emission which, can be picked up with appropriate equipment.
I'm not an expert on Van Eck phreaking, so it's possible that the previously used methods were incapable of detecting this for whatever reason, but the presence of these emissions and the possibility of spying shouldn't be surprising.
This reminds me of the scheduled tinfoil supplies delivery I need to take care of...
The protagonist (not Hiro Protagonist, the other protagonist) has to write code on a display that he knows is Van Eck phreaked. He has to write code so that the people looking have no idea what he's writing so he has to obfuscate in many clever ways--I forget how.
The Commodore 64 Blue Book had a section on this. It talked about how to shield your environment by enclosing a room with screen and grounding it. It also mentioned to coat your power cords with a certain paint high in sulfur content. I also suggest taking measures to prevent access and emissions from your grounding rod, if you're connected to a public utility. That also prevents your light bulb from being used as a microphone.
My first reaction was "WTF did the relatively recent end-of-civ poll go" and then when I voted it showed this article's comment under the poll results, which was another WTF moment. When was this feature added/first used? I can already see great use for the article polls, for example the editors could try to guess the popular tags and use them for poll items.
Here's my current desktop.
--Residential Interior Design
This really isn't new news; the work was done in 2004 and presented as
http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf
as well as countermeasures; randomising the low-order bit of all your pixels anew in every frame would be ideal, but using colours which have the same number of bit transitions in 'black' and 'white' works almost as well. Looks a bit ugly to have your screen entirely in off-greens and off-pinks, but that's the price of security.
HDCP actually helps against this kind of thing, because there are no long lengths of wire carrying unencoded video signal.
I was messing around with an AM radio near my PC just 2 hours ago trying to get a useful signal. I noticed something funny going on - every time I moved the mouse making its LED light up, the radio got a strong buzzing noise until the LED powered down again. It's not even a wireless mouse.
No one knew? That's utter nonsense. I noticed that my laptop lcd monitor would cause interferce at times on my FM radio seven years ago, depending on what it was doing, and what station I was listening to.
That's a pretty big red flag that these suckers were subject to Van Eck.
And if the NSA could hear Scott McNealy's friggin keyboard outside in the parking lot (as they later told him during a meeting in the late 1990's), you'd better believe that the NSA has had LCD monitor reading capability for at least that long.
Just because it's not in the popular press, or published papers, hardly means that no one knew. The only thing surprising here is that it took so long for someone to get a paper out it.
I don't mean to disparage the researchers, who deserve a lot of credit to finally bringing this to public knowledge, but this is really low-hanging fruit.
Like the Sony Trinitron CRTs?
I never bought their explanation for the "aperture grill" and "damper wires". Considering this kind of EM surveillance, they make perfect sense however.
My ~1995 laptop (486? Pentium 60? MHz) would display on my parents' TV screen when I visited them. (No, I didn't live in their basement, I'd just avoided having a TV in my house back then:-) It wasn't in sync, so there were three partial screen images scrolling slowly, and there weren't enough pixels, but it was readable enough to be obvious that a real receiver would be able to display the output cleanly. My guess was that the culprit wasn't really the LCD drivers, but the auxiliary VGA port on the back of the laptop; I no longer remember if I tried turning that on and off, or exactly which laptop model it was, but Google probably knows.
The real difficulties are getting enough focus to only grab signals from the laptop you're looking for, and not all the other CRTs and TVs and LCDs around, which is why you're reading an interview with an expert like Markus Kuhn and not just some 1337 k1dd13z, and doing so without parking a big antennaful van on the street in front of your target.
If you look at the real security threats here, there are two sides -
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But how soon until they can read the keyboard LEDs? Then I'll really be screwed.
(I don't care if it was fiction -- it was a good introduction for a lot of people to basic information security concepts, including those who might otherwise not get or suffer through one.)
Of course you meant Holodeck, right? /disable the safety protocols, Professor Moriarty!
I recently finished a research project on this subject and have actually had a chance to read a few of Kuhn's paper. From what I've seen and what other researchers have done, not a lot of thought has gone into making most equipment EMSEC compatible, so I'm not at all surprised by this finding. Most of the time, having "secure" equipment isn't required as very few individuals beyond large government entities have the money, resources and knowledge to be able to conduct such an attack. Extensive design and testing is required to ensure that equipment conforms to EMSEC standards and most companies are simply not willing to spend the extra money to certify their equipment for something very few people know anything about. According to Kuhn (see Security Limits for Compromising Emanations - warning PDF) emissions levels need to be as much as six orders of magnitude lower to prevent unauthorized snooping on most modern equipment.
Another paper that is very relevant to this article is from a Japanese group who did research on the same topic (LCDs, laptops, etc) A Trial of the Interception of Display Image using Emanation of Electromagnetic Wave - again, a PDF. What's interesting to note from this paper is the fact that the researchers found that minor inconsistencies in the production of the equipment caused slightly different synchronous frequencies to be detected. This means in an office it could be possible for an attacker to "choose" which monitor they wish to look at by its frequency signature.
Another way around their DRM...
Who needs VNC or networked X any more??
But then, it is pretty obvious that using the notebook ungrounded IS asking for trouble anyway as far as signal interference goes, and those hinges are earth-grounded if you have the notebook plugged to wall power using a three-prong power supply.
Grounding and shielding are two different issues.
At the frequencies involved, grounding the device is no help at all. (In fact the ground wiring may act as a helper antenna.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
For a while I had an old ham radio sitting on my desk(receive only) and when fiddling around with it at certain frequencies I would hear patterns of beeps and for a long time I wondered what these were and then I finally noticed that the beeps synced up perfectly with the activity LED on my router. Granted it would take a lot more then what I had to actually decipher any useful information from it.
I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
I've run tempest on my dvi flat panel, my crt, and with no monitor plugged in. It aint the monitor generating the rf, its the video card.... I knew this when I was 17, and they get press for writing a paper on it?
Chances are any disscution on Slashdot will degrade into a flamewar about ID/Christianity within 14 posts.
Come on! There was a paper on this exact topic presented at Privacy Enhancing Technologies 2004. Don't you guys keep up with your journals?
Kuhn, Markus G. "Electromagnetic Eavesdropping Risks of Flat-Panel Displays." Privacy Enhancing Technologies,
4th International Workshop, PET 2004, Toronto, Canada, May 26-28, 2004. Revised Selected Papers. Springer.
Paper link:
http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf
And author homepage:
http://www.cl.cam.ac.uk/~mgk25/
IIRC, this paper has some really interesting stuff that totally debunks the notion that laptops, or indeed LCDs in general, are more TEMPEST-safe than CRTs. I believe the high speed digital signals (which, in laptops, transit proprietary buses but are no more protected for it, and are in fact less shielded than external cables) actually make the attacks *easier.* There's also interesting stuff about introducing interference into the signals to distort evesdropping, but I think it does not work satisfactorily. Basically, until we all use encrypted DVI (shudder--concieved to limit the ablility of consumers to interact with and utilize their own equipment by the MAFIAA--but still possibly useful for privacy), our video signals are being broadcast constantly. Some irony there...
The ones which say AMD this, NVidia that, ATI this, Intel that...? What about those? I bet they help in eavesdropping. I pulled them off immediately.
the thing I don't get is... The guy's apparently successfully reading very weak signals, why can't we use this to create much faster/more stable wifi connections?
The radiation goes through the cables of your monitor; wether lcd, plasma or cathode, the signal always has to travel through the wires as electrical current. Just like the hospital can read out the electrical paths on your brain a device can be used to read the electrical current through your wires.
...
These Van Eck methods are based on amplifying these "leaky" signals; just like a television could receive signal by just running a cable next to cable-tv or neon light goes lit under high powerlines ; leakage
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I've definitely experienced this problem - my laptop loves to sabotage the local NPR station and slight changes in the angle of the screen seem to have large effects. What impresses me is that the detector can select output from one screen over all others. In the New Scientist article, Kuhn pulls a screen from 25 meters away at a public conference. How many other screens were around and how was this selection achieved? Would a possible countermeasure be to have a second screen playing white noise (or some other noise generator) nearby?
--- I am NaN, I am a free man!
A monitor with VNC built right in.
boycott slashdot February 10th - 17th check out: altSlashdot.org
For various reasons, I once saw a demo of an early version of this sort of eavesdropper at a certain place and time. The person giving the demo asked where we thought the "leak" was that made it all possible. Everyone automatically responded "the crt". So he turned it off... absolutely no change. Next guess... the cable? Unplugged it. Bit more static, but still perfectly legible. The culprit? The video card. Lot's of nice, unterminated little transmition lines in there - plug whatever you damn well want into it, if you're using an average video card in a poorly shielded case, what's on your screen is being transmitted for all to see.
Of course, whever anyone would actually be bored enough to bother watching is another question entirely.
These Van Eck methods are based on amplifying these "leaky" signals;
Yes, but the cryptonomicon was right in an important respect:
Picking up these leaks could easily be made a whole lot harder if it was
given any thought at all in the design process.
The panedisplay could easily have pixels that remember their own state, so
information only needs to be sent to the pixes that change, and only when
they change. You could still pick up the signals remotely, but it would
have to catch them at the right moment (no second chances), and then figure
out where on the screen they are destined. In contrast, normal systems
today are practically made for eavesdropping, with the whole image is
updated (i.e. broadcast) many times a second, with pixel positions
directly encoded in the timing.
Another easy fix would scramble the pixel updates in a screen change, adressing
the destination pixels in random order rather than in strict sequence. The
hacker would then need to know which wire each signal he picked up came from
in order to descramble the frame, rather than just stack them up in sequence.
Measures like these might not be completely watertight, but it could move
the challenge from easy, to very hard indeed for your average basement
hacker.
sudo ergo sum
If such measure need to be implemented; why not use encrypted streaming as signal with pki? This key doesn't need to be variable; it can change every 15 minutes or so. Within the time this key got decrypted, the new one is already sent to the monitor (if the cipher is worthy enough); which renders the previous one completely useless + which will make it a hell to hack such system because it's a continuesly race against time..
;)
There could be even an extra button on the screen which could say "authenticate" or so; which would generate a new
key directly on demand. This would require an extra module in the monitor for decrypting signals and an extra cpu on the graphics card (or loopback card like those voodoo cards had) which would encrypt the streaming signal...
Of'course; when using a loopback card this needs to be -inside the case- since the loopback is leaky too if external and not sufficiently shielded.
What I still wonder is: what if super super supershielded cable gets used? Or when you put lead alloy around your cables ? (not very environmentally friendly but you get the scope...)
Remember; when you invent such device, prior art lies here, just don't call them monster cables mkay?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Nonillion said:
"however some people still balk at this as 'science fiction'. I can assure you it's not. It's this kind of thing that should be waking up manufactures to the perils of shitty RFI design. Spewing broad band spectrum pollution not only causes radio interference, but also opens you to security problems."
Amen, Brother.
And when it "science fictions" across your purview - if you catch it, it becomes pretty real.
Because these techniques aren't at your favorite |-|ol3 'r US exploit sites. (Why do you think they call them elite?)
These guys "get it" -
"The Air Force [US] now dominates both air and space above a theater of operations, so it has "cross-domain dominance" there. But the Air Force must gain dominance in cyberspace as well, because cyberspace superiority is now a prerequisite to effective operations in all other warfighting domains."
The "electromagnetic spectrum" is pliable, a Faraday cage is your only refuge.
Attacks involve using RF in ways not usually used; for data over RF or VHF etc. - Packet radio, "radio modem".
It IS rocket science.
It appears they understand that.
This is Key:
"According to Dr. Kass, cyberspace is neither a mission nor an operation. Instead, cyberspace is a strategic, operational and tactical warfighting domain -- a place in which the Air Force or other services can fight.
"The domain is defined by the electromagnetic spectrum," Dr. Kass said. "It's a domain just like air, space, land and sea. It is a domain in and through which we deliver effects -- fly and fight, attack and defend -- and conduct operations to obtain our national interests."
The cyber domain includes all the places an electron travels. The electron, which is part of the atom, can travel from one atom to the next. This concept is key to electronic communication and energy transmission.
An electron may travel from a cell phone to a cell tower, for instance. The path the electron takes, the shape of its path, the speed it travels, and the direction it travels are all critical to ensuring the cell phone works and that a usable signal is received. As part of a signal, an electron can travel from a handheld computer to a reception tower, over a wire to a telephone, to a television through an antenna, from a radio transmitter to radio, and from computer to computer as part of a network.
The electron can also travel, as part of energy transmission, from a microwave oven to popcorn seeds to make them pop, from generators over a wire to a light bulb, and from an X-ray machine through bone to a detection plate to make an image for a doctor to review.
The places where the electron travels is the cyber domain, or cyberspace. And the ability to deliver a full range of cyber effects -- to detect, deter, deceive, disrupt, defend, deny, and defeat any signal or electron transmission -- is the essence of fighting in cyberspace."
http://www.iwar.org.uk/news-archive/2006/10-05.htm
Faraday Cage:
http://en.wikipedia.org/wiki/Faraday_cage
FCC ID, FCC level B emissions
http://www.austinlinks.com/Crypto/tempest.html
Your phone company or telephone manufacturer may be able to supply you with free modular filters, although the design frequencies of these filters may not be high enough to be effective through much of the EMI spectrum of interest. Keep telephone lines away from power supplies of computers or peripherals and the rear of CRTs: the magnetic field often associated with those device can inductively transfer to unshielded lines just as if the telephone line were directly electrically connected to them. Since this kind of coupling decreases rapidly with distance, this kind of magnetic induction can be virtually eliminated by keeping as much distance (several feet or more) as possible betwe
~hylas
What impresses me is that the detector can select output from one screen over all others. In the New Scientist article, Kuhn pulls a screen from 25 meters away at a public conference. How many other screens were around and how was this selection achieved? Would a possible countermeasure be to have a second screen playing white noise (or some other noise generator) nearby?
A couple of things would work here. For one thing, an extremely directional Yagi antenna - they're the classic rooftop TV antenna; a long horizontal bar with a number of elements at 90 degrees to the main bar. They provide high gain only in the direction they're pointed; the gain and directionality both increase with the number of elements. And they're extremely easy to precisely tune to a given frequency.
The other trick would be to use a highly frequency-selective receiver. As an example, I have a Motorola-built Collins-designed Cold War era CIA/NSA surveillance radio - the R-390/URR. These things were so good that they were classified as top secret until the late 1960s. (See history.) Now, tuning this thing to your local AM radio station is a neat experience - it actually takes about thirty (yes, 30!) turns of the fine tuning dial to go from one end of your local radio station to the other. With this sort of frequency selectivity, you could very easily filter out adjacent machines... no two crystals are ever exactly perfect (issues from mechanical imprecision to different operating temperatures), and therefore no two horizontal sync signals produced by a video card will ever be at exactly the same frequency. Therefore...
Fire and Meat. Yummy.
Ultimate solution to this is obviously to switch to fiber-optics. Laminate the chips in a small layer of a transparent conductor ( yes it is very possible ) then do inter-chip comunications optically. Faraday - 1 , Hackers - 0. For the slightly more affordable aproach you can use a conducting cage aka-tinfoil hat. As long as you ensure that the only signal going in and out of the cage is optic good old Faraday takes care of the rest. Power suply is the main issue, but a high-quality low-pass filter can fix that. As a bonus, a computer built this way would also be hardened against EMP's and power spikes. If it is hard for signals to leak out, it is also hard for power spikes to get in. Man, physics is cool some times...
How was this story not tagged with 'slownewsday?'
This is nothing new. I first read it in Cryptonomicon years and years ago, and it was invented long before that.