Slashdot Mirror


Georgia Institute of Technology Researchers Bridge the Airgap

An anonymous reader writes: Hacked has a piece about Georgia Institute of Technology researchers keylogging from a distance using the electromagnetic radiation of CPUs. They can reportedly do this from up to 6 meters away. In this video, using two Ubuntu laptops, they demonstrate that keystrokes are easily interpreted with the software they have developed. In their white paper they talk about the need for more research in this area so that hardware and software manufacturers will be able to develop more secure devices. For now, Faraday cages don't seem as crazy as they used to, or do they?

86 comments

  1. Add noise by Anonymous Coward · · Score: 5, Interesting

    I was working at a defense contractor in the '80's when the whole "Tempest" program started.

    Rather than shield equipment, we simply added a small amount of broadband noise.

    The problem isn't to limit emission: The problem is to frustrate detection.

    1. Re:Add noise by Crashmarik · · Score: 4, Interesting

      Really it's amazing how easy it is for people to forget things like Van Eck phreaking http://en.wikipedia.org/wiki/V... have been around for going on three decades now

    2. Re:Add noise by cbelt3 · · Score: 1, Informative

      Yep. Ditto. I still recall one young smartass demonstrating to our boss that he could display what was on the Boss's computer monitor from about 30 feet away with an antenna and a circuit he built with a breadboard.

      A faraday cage IS the only way to protect against this with 100% reliability.

    3. Re:Add noise by fuzzyfuzzyfungus · · Score: 3, Interesting

      I'd be curious to know (I'm definitely underinformed, so this is an honest question) whether that tactic has lost some effectiveness over time. The classic monitoring-RF-to-read-CRTs stuff depended on getting an adequately clean copy of the distinctly analog output of the CRT. Now, all signals are fundamentally analog signals; but digital signals are analog signals designed to make guessing the correct value really easy (since there are only two possibilities, rather than an arbitrary number of them); and now more than ever it's a safe guess that sensitive data will be heading over a number of RF-emitting digital busses, from the keyboard to the computer, within the computer, and likely to the monitor as well.

      Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?

    4. Re: Add noise by Anonymous Coward · · Score: 1

      Wrong: the cage only prevents the emf, none in or out. But the person in the cage needs information, therefore you break the cage by allowing filtered information access. Even that is "editable/recordable". More garbage.

    5. Re:Add noise by Anonymous Coward · · Score: 0

      Now show me the Perfect Faraday Cage. I am firmly on the "jammer" side here.

      Have 1W of EIRP* to defeat the bastard with his van and the 2m antenna inside it.

      * Yeah, I know regulations, FCC, bla. Get a special permit if you have something supersecure. Or mount the jammer on a light pole and have plausible denial if the FCC shows up.

    6. Re:Add noise by cdrudge · · Score: 0

      I was working at a defense contractor in the '80's when the whole "Tempest" program started.

      Really it's amazing how easy it is for people to forget things like Van Eck phreaking have been around for going on three decades now

      No, I don't think people are forgetting things have been going on for three decades...

    7. Re: Add noise by gnupun · · Score: 1

      What if there were five cages?
      1) computer box
      2) keyboard
      3) screen
      4) kbd cable from computer to keyboard
      5) shielded cable from computer to screen

      Won't this prevent cpu/screen/keyboard signals from being intercepted?

    8. Re:Add noise by Anonymous Coward · · Score: 0

      I thought Tempest was invented by British intelligence in the 50s-60s time frame. See Spy Catcher by Peter Wright.

    9. Re: Add noise by Anonymous Coward · · Score: 0

      It is incredibly difficult to EFFECTIVELY shield repeating signals because you cannot build a perfect faraday cage. The attacker could perform tens of thousands of averaging operations on a very weak monitor signal, for example. That will greatly improve SNR.

    10. Re:Add noise by Anonymous Coward · · Score: 0

      It depends very much on the hardware engineers in charge. A little mistake might boost radiation by 1000x. In theory you can build a faraday cage, but then you have usb and video wires which can all act like quite effective radiators (due to length).

      A bad design could radiate CPU RF signals via loudspeaker wires, for example. RF design is often black magic and requires advanced knowledge, experience, money, time, equipment etc.

    11. Re: Add noise by Anonymous Coward · · Score: 0

      This is pretty much what is currently done.

      There are a number of suppliers and specs for tempest protected equipment, and it usually boils down to each component and the connections between the components being heavily shielded. Just google "tempest workstation". They cost about as much as a car and because certification is a lengthy process, they are usually a few years behind in hardware, but the chances of someone grabbing useful info from their emissions is probably quite low.

    12. Re:Add noise by John.Banister · · Score: 2

      What if you build a Faraday Cage and put the jammer inside it? Then if the FCC shows up, they can help you improve your Faraday cage.

      Or, if you're in a spy movie, you could have an array of jamming antennas that leave a quieter zone corresponding to a weakness in your Faraday cage, and right there you broadcast a signal you generate that interprets back to the random browsing of this fellow from India whom you pay to have spyware recording and sending you his online activities.

    13. Re:Add noise by tlhIngan · · Score: 4, Informative

      I'd be curious to know (I'm definitely underinformed, so this is an honest question) whether that tactic has lost some effectiveness over time. The classic monitoring-RF-to-read-CRTs stuff depended on getting an adequately clean copy of the distinctly analog output of the CRT. Now, all signals are fundamentally analog signals; but digital signals are analog signals designed to make guessing the correct value really easy (since there are only two possibilities, rather than an arbitrary number of them); and now more than ever it's a safe guess that sensitive data will be heading over a number of RF-emitting digital busses, from the keyboard to the computer, within the computer, and likely to the monitor as well.

        Does the broadband noise still drown out the desired signal sufficiently to prevent reconstruction, or does our increased emphasis on high-speed digital busses (often designed to operate with some amount of error correction in the event of cheap lousy hardware being cheap and lousy) make it more tractable to either unambiguously pick the correct interpretation of a noisy input, or make a number of guesses and use known features of the bus to help eliminate the incorrect ones?

      Well, it has lost a lot of effectiveness because we switched from CRTs to LCDs - a CRT has very distinct emission patterns because it has to drive the electron beam around. So you can detect when the syncs happen because they're driven by huge magnetic field coils on the side of the CRT in a standard frequency and pattern (vsync happens at the Hz level, hsync at the kHz level), and the amplifiers that drive the electron guns emit a lot of RF as they operate.

      These days the emissions are far lower because we're not having to accelerate an electron beam, so the amplitudes are lower. Sure you can sniff the signal cabling but unless you're using analog cabling, most external signalling uses a form of encoding that's designed to minimize RF emissions. Not because of Van Eck, but because they want to spread the peaks of emissions across a broadband range which makes it easier to pass RF emissions tests (e.g., FCC emissions tests).

      So using a DVI or HDMI cable causes the signal to smear (TMDS - transition minimized differential signalling - transitions cause the big spikes in RF emissions, so if you can minimize them, you can increase rise/fall times which lowers RF emissions, spreading and smearing the signal across a wider frequency band and trying to hide it in the noise).

      Of course, most digital busses don't do this (they assume the entire system will be RF shielded), same as CPUs so with the right receiver, those signals show up pretty clearly, especially if you can compromise the RF shielding.

    14. Re: Add noise by cbelt3 · · Score: 3, Interesting

      Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the 80's involved opto-isolators. Yes, that's right. Want to avoid radiating information? Use light.

      Keep in mind that the structure of the faraday cage depends on the frequency of the data being transmitted. It does not have to be unbreakable tin foil. Properly sized metal mesh will also do the job. Just ask anyone who tries to get a Wifi signal through an old wall with expanded metal lath and plaster.

    15. Re:Add noise by Em+Adespoton · · Score: 1

      I think the main problem is that many people on here aren't old enough to remember those things in the first place. TEMPEST was big in the 80s and early 90s, but outside of military and electronic payment circles, people haven't been too concerned about it in the last 15 years. So it could possibly be new to a lot of the under-30 crowd.

    16. Re:Add noise by fustakrakich · · Score: 1

      Yeah, I know that one. It's like singing in the bathroom so nobody hears you farting.

      Fortunately/unfortunately (depending on your POV) it's getting easier to detect the signal inside the noise.

      --
      “He’s not deformed, he’s just drunk!”

    17. Re:Add noise by edibobb · · Score: 0

      Any headline with "revealed" and "secret" is highly questionable.

    18. Re:Add noise by Anonymous Coward · · Score: 0

      Yes, very good idea. Proper Faraday, good grounding, filters, opto-couplers, properly spaced openings/vents plus a 10x more powerful jammer inside.

      Check the signal levels (using standard EMC measurement equipment) with and without jammer. Ensure the jamming will increase non-jammed levels by a factor of 100 at least.

      Actually, the theory of all this is "out there".
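
The two positions argued in this thread, masking with added noise and an eavesdropper averaging a repeating emission, can be put in numbers. This is an added example, not part of any comment: the ±1 test pattern, the noise levels and the reading of "a factor of 100" as a power ratio (20 dB) are assumptions made for illustration.

```python
import math
import random


def averaging_gain_db(n_frames):
    """SNR gain from averaging n_frames aligned repetitions of the same
    signal when the noise is independent from frame to frame."""
    if n_frames < 1:
        raise ValueError("n_frames must be >= 1")
    return 10.0 * math.log10(n_frames)


def frames_needed(single_frame_snr_db, required_snr_db):
    """Smallest number of averaged repetitions that lifts the single-frame
    SNR to the SNR a receiver needs for reconstruction."""
    deficit_db = required_snr_db - single_frame_snr_db
    if deficit_db <= 0:
        return 1
    # Small epsilon so exact powers of ten are not rounded up by float error.
    return math.ceil(10 ** (deficit_db / 10.0) - 1e-9)


def masking_cost(single_frame_snr_db, required_snr_db, masking_db):
    """Effect of added broadband noise that raises the noise floor by
    masking_db: returns (frames without masking, frames with masking)."""
    before = frames_needed(single_frame_snr_db, required_snr_db)
    after = frames_needed(single_frame_snr_db - masking_db, required_snr_db)
    return before, after


def simulated_snr_db(pattern, n_frames, noise_sigma, rng):
    """Average n_frames noisy copies of a repeating pattern and measure the
    SNR of the average against the known pattern."""
    acc = [0.0] * len(pattern)
    for _ in range(n_frames):
        for i, s in enumerate(pattern):
            acc[i] += s + rng.gauss(0.0, noise_sigma)
    avg = [a / n_frames for a in acc]
    signal_power = sum(s * s for s in pattern) / len(pattern)
    residual_power = sum((a - s) ** 2 for a, s in zip(avg, pattern)) / len(pattern)
    return 10.0 * math.log10(signal_power / residual_power)


def demo(seed=1):
    """Constructed scenario: a +/-1 pattern of 2000 samples buried in noise
    with ten times the signal power (single-frame SNR of -10 dB)."""
    rng = random.Random(seed)
    pattern = [rng.choice((-1.0, 1.0)) for _ in range(2000)]
    sigma = math.sqrt(10.0)  # noise power 10, signal power 1
    return {
        "snr_1_frame_db": simulated_snr_db(pattern, 1, sigma, rng),
        "snr_100_frames_db": simulated_snr_db(pattern, 100, sigma, rng),
        # Assumed: receiver needs +10 dB; masking adds 20 dB of noise power.
        "frames_unmasked_vs_masked": masking_cost(-10.0, 10.0, 20.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under these assumptions, 20 dB of masking noise multiplies the number of repetitions that must be averaged by 100, so its value as a countermeasure depends on how often the emission repeats unchanged. The gain only exists for a signal that repeats and can be aligned frame to frame; a one-off event gets none of it.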

    19. Re: Add noise by electrosoccertux · · Score: 1

      Properly shielded equipment uses different methods to 'break the cage'. It's been many decades, but some of the heavily shielded designs I did in the 80's involved opto-isolators. Yes, that's right. Want to avoid radiating information? Use light.

      this used to make sense to me, but now that I understand that light is just part of the EM spectrum, I find myself confused.

    20. Re: Add noise by Anonymous Coward · · Score: 0

      Lasers. The light can be focused to be directional.

    21. Re:Add noise by nanoflower · · Score: 1

      Do you really need something so powerful? Why not have an emitter that acts like a keyboard/cpu combo and emits signals that look like real data but are randomized. That would help block the 'bad guys' from anything useful because they would have to sort out the trash from the useful data.

    22. Re:Add noise by Anonymous Coward · · Score: 0

      Do you really need something so powerful? Why not have an emitter that acts like a keyboard/cpu combo and emits signals that look like real data but are randomized. That would help block the 'bad guys' from anything useful because they would have to sort out the trash from the useful data.

      That was my thought too. It would depend on the expected target data. I'm guessing a "determined hacker" would realize they were getting misinformation.

    23. Re:Add noise by rtb61 · · Score: 2

      In actual use faraday cages can be readily subverted by incoming power lines. For a building wide faraday cage to be secure power lines must be conditioned to prevent data interception via subverted hardware within the faraday cage, otherwise that unsecured wire leads right from the supposedly secure hardware to a power station many kilometres away and connected to every other device hooked up to the same power source. Other things must also be looked at like water pipes, tapping into the earth circuit or even using the faraday cage itself as conductor. Digital security is a mindless headfuck, no matter what you do to secure it, it can be subverted, which is why manual systems are becoming preferred again for real serious security as they require direct personal access.

      --
      Chaos - everything, everywhere, everywhen

    24. Re:Add noise by gweihir · · Score: 1

      It is not. A Faraday cage is great for shielding a static E field (for this, it is perfect if made from a perfect conductor or you wait infinitely long), but it does exactly nothing for shielding the B part. Hence a Faraday cage _weakens_ electromagnetic radiation, but it does not block it completely. What you need is proper EM-shielding, which can be accomplished with any conducting material, but effect is dependent on thickness.

      It is fascinating though that you think a Faraday cage would give you 100% reliable protection, when it does no such thing. This exemplifies the real problem with IT security: Too many people that think they know what they are talking about, when in fact they have no clue.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    25. Re: Add noise by gweihir · · Score: 1

      No, it does not even do that. It only weakens the signal.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    26. Re:Add noise by Anonymous Coward · · Score: 0

      Based on that, why should we believe you?

    27. Re:Add noise by gweihir · · Score: 1

      There is no reason to believe me, but maybe have a look into a physics book sometime? This is science, not religion.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  2. Old news by Anonymous Coward · · Score: 5, Insightful

    Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.

    You don't need any fancy equipment, any AM radio will do.

    1. Re:Old news by fuzzyfuzzyfungus · · Score: 2

      Speaking of AM radios and software on the victim computer: this classic.

      Unfortunately only works on CRTs; but it's a heartwarmingly neat trick.

    2. Re:Old news by jeffmeden · · Score: 2

      Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.

      You don't need any fancy equipment, any AM radio will do.

      Given how successful Stuxnet was at infecting across the airgap (by way of poor USB policies) it is rather plausible that you could rely on a trojan horse (in the most literal sense of the term) to get inside and start broadcasting sensitive information out, be they keystrokes or fragments of files or whatever.

    3. Re:Old news by Anonymous Coward · · Score: 0

      Yes and you could call those trojan horses "keyloggers".

    4. Re:Old news by jeffmeden · · Score: 1

      Yes and you could call those trojan horses "keyloggers".

      Some rather enterprising (yes it's a pun) security experts use a "read-only" usb ports policy as a way to have a quasi-airgapped system, where you can still bring in software updates on a usb flash drive but can't exfiltrate any data via the same. This would totally side-step that measure, making it novel in some situations.

    5. Re:Old news by jtara · · Score: 1

      Very, very old news.

      We did this circa 1971 in High School, Cass Technical High School, Detroit, Michigan placing an AM radio on the console of an IBM 1620.

      There was a program you could load that would play a tune. But we would also just leave the radio there during normal use. We swore we could tell when the Fortran compiler was processing a FORMAT statement:

      Bloop! Bloop! (pause) Bloop! Bloop! (pause) Bloop! Bloop! (pause) Brawwwww! Brawwwwww! Brawwwwww! Brawwwwww!

      (The last bit is the FORMAT statement...)

      In any case, it was pretty clear when your program was in an infinite loop, and so we used it for some debugging.

      So, in 45 years, we've advanced to recognizing keystrokes. Good job, git!

    6. Re:Old news by dissy · · Score: 1

      Missing from the summary: THEY HAVE SOFTWARE INSTALLED ON THE VICTIM LAPTOP that modulates the CPU usage.
      You don't need any fancy equipment, any AM radio will do.

      That reminds me of the Altair 8800 and what some call the machine's first program that actually "did something", which ran various lengths of different timing loops in the CPU which had the effect of playing Fool on the Hill as RF interference on an AM radio placed nearby.

      https://www.youtube.com/watch?...

  3. define crazy. by Anonymous Coward · · Score: 1

    security measures are security measures, whether the threat is real or perceived is irrelevant.

    1. Re:define crazy. by Anrego · · Score: 1

      It's a risk/cost analysis.

      Tempest protected equipment is readily available from any number of suppliers. If you want to spend the price of a car for a shitty mid-range desktop that'll probably protect you from this kind of attack, the option is there and has been for some time.

    2. Re:define crazy. by fuzzyfuzzyfungus · · Score: 4, Insightful

      The trick is that security measures have costs, in time, money, user convenience, etc. and it is considered 'crazy' (in the weak sense of 'not sensible', not the psych-ward sense) to voluntarily impose costs on yourself that are out of proportion to the costs of the expected threat.

      There's always something you could be doing more securely; but only sometimes is it worth it.

  4. wireless keyboards are easier to read keys from by Anonymous Coward · · Score: 0

    wireless keyboards are easier to read keys from

  5. computer security by freddieb · · Score: 1

    When I was with the government, we had to have specially shielded computers for classified material viewing (albeit maybe not as good as they claimed). My office did not even possess the devices so we were only able to receive classified correspondence by secure phones or packages. This could be a problem like the rf id credit cards... you have to know what you're doing to protect yourself. Maybe Apple Pay works the same way?

  6. Slow news day by nospam007 · · Score: 1

    Faraday cages around what?

    If you can get that near to a keyboard, you'd just use an electronic device recording the reflection of photons off the keyboard.
    It's called a camera.

    1. Re:Slow news day by Anonymous Coward · · Score: 0

      Theoretically From Russia with Love could look through your curtains with this technique. THEORETICALLY being the operative word here.

      Actually secure sites have plenty of space around them. And they can obtain permission for jammers.

    2. Re:Slow news day by cdrudge · · Score: 1

      Last I checked, cameras don't work from the adjacent office. Or floor above or below. Or any other place that would block optical spying but not from picking up EM radiation.

  7. Farraday? Squirrel? by Anonymous Coward · · Score: 0

    A typo in Faraday -- on a site supposedly from geeks for geeks. Tsk, tsk.

    1. Re:Farraday? Squirrel? by Anonymous Coward · · Score: 0

      Well this site has gone to the geeks. It used to be for the Nerds.

  8. Wrapping in foil is still crazy... by Anonymous Coward · · Score: 0

    Little known fact about Faraday cages. Conductance depends on the frequency of the signal. Just putting your computer in say a metal case does not work. It is already in a metal case.

  9. you like my new necklace? by Lawrence_Bird · · Score: 2

    Somehow I don't think a secure location is going to be too worried about this type of attack unless someone can show it working with an extremely small receiver which is also able to log the data for later use. Also note that even at the slow rate she was typing it still missed characters.

    So while academically interesting, this seems to be something of very limited concern. Of course, if you see an antenna like that in the coffeeshop you might want to leave.

    1. Re:you like my new necklace? by electrosoccertux · · Score: 1

      reminds me of this guy that's been bringing his whole desktop PC to caribou coffee every day for 3 years

  10. Faraday cage? by Karmashock · · Score: 1

    Seems like there are some really easy ways to prevent some sort of EM signature from leaking.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

    1. Re:Faraday cage? by rubycodez · · Score: 1

      people throw around the term "Faraday cage" without understanding. Real world faraday cages *attenuate*, they do not completely block signals.

    2. Re:Faraday cage? by Qzukk · · Score: 1

      Faraday cages are nice until you need to stick a wire through them to plug into the wall. Enjoy your battery life (and/or jiggawatt laser outside pointed through the mesh at a solar panel inside)

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.

    3. Re:Faraday cage? by Karmashock · · Score: 1

      If sufficiently attenuated then whether it is totally eliminated or not becomes irrelevant.

      What is more, if specific frequencies are specifically interfered with then snooping on the radiation becomes pointless.

      The two things people are saying works is kicking out some interference and/or blocking the signals. But really in either case you only need to interfere with it to a point. Once it is garbled or attenuated enough that it cannot practically be detected/decoded then who cares. Listen to the white noise at 2 inches from my system all you like. The trick is to reduce the listening range to a couple feet at most with line of sight.

      Then the first rule of computer security comes into play. Physical security. If an enemy agent has penetrated your network to such an extent that they are placing bugs a couple feet from your systems then you've got bigger problems than van eck radiation.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

    4. Re:Faraday cage? by Karmashock · · Score: 1

      There's no reason it shouldn't work with a power cable going into it. I don't know what you're talking about.

      If the cage is grounded and has only very small holes in it then it shouldn't matter.

      Correct me if I am wrong. This is my understanding of the principle.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

    5. Re:Faraday cage? by Qzukk · · Score: 1

      As I understand it, the cable would become an antenna for whatever's going on in the cage.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.

    6. Re:Faraday cage? by Karmashock · · Score: 1

      from wikipedia:

      ""Examples

              A microwave oven utilises a Faraday cage, which can be partly seen covering the transparent window, to contain the electromagnetic energy within the oven and to shield the exterior from radiation.

              Elevators and other rooms with metallic conducting frames simulate a Faraday cage effect, leading to a loss of signal and "dead zones" for users of cellular phones, radios, and other electronic devices that require external electromagnetic signals. Small, physical Faraday cages are used by electronics engineers during testing to simulate such an environment to make sure that the device gracefully handles these conditions.

              The shield of a screened cable, such as USB cables or the coaxial cable used for cable television, protects the internal conductors from external electrical noise and prevents the RF signals from leaking out.

              A booster bag (shopping bag lined with aluminium foil) acts as a Faraday cage. It is often used by shoplifters to steal RFID-tagged items.[3]
                      Similar containers are used to resist RFID skimming.

      A home-made Faraday cage at the University of Arizona in Dr. Michael Heien's Lab

              Plastic bags that are impregnated with metal are used to enclose electronic toll collection devices during shipment to the customer, so that a toll charge is not registered if the delivery truck carrying the item passes through a toll booth.[citation needed]

              Some electrical linemen wear Faraday suits, which allow them to work on live, high voltage power lines without risk of electrocution. The suit prevents electrical current from flowing through the body, and has no theoretical voltage limit. Linemen have successfully worked even the highest voltage (Kazakhstan's Ekibastuz–Kokshetau line 1150 kV) lines safely.[citation needed]
              The scan room of a Magnetic Resonance Imaging (MRI) machine is designed as a Faraday cage. This prevents external RF (radio frequency) signals from being added to data collected from the patient, which would affect the resulting image. Radiographers are trained to identify the characteristic artifacts created on images should the Faraday cage be damaged.
              Faraday cages are routinely used in analytical chemistry to reduce noise while making sensitive measurements.
              A Faraday cage was used in 2013 by the Vatican to shield the Sistine Chapel from electronic eavesdropping during the secret papal conclave to elect the next pope.[4]
              Automobile and airplane passenger compartments are essentially Faraday cages, protecting passengers from electric charges, such as lightning during a thunderstorm.
      ""

      Seems like it isn't a problem.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  11. Faraday's cages are not crazy. by 140Mandak262Jamuna · · Score: 1

    Faraday's cages for CPUs are not as crazy as driving a panel truck wired up with all the gizmos from AWACS and parking it across from the Russian embassy and trying to detect the EM radiation from the CRT terminals.

    BTW FCC radiation limits prevent CPU from emitting too much radiation.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    1. Re:Faraday's cages are not crazy. by Anonymous Coward · · Score: 0

      you confuse AWACS with RIVET JOINT.

    2. Re:Faraday's cages are not crazy. by RabidReindeer · · Score: 1

      I'm going to have to assume that the computers logged were using FCC-compliant CPUs, seeing as nothing was said about using special noisy CPUs.

      For keyloggers, obviously shielded keyboard electronics and cables help. Once it gets into the CPU, a lot of other noisy things are also happening. Although strewing a couple of modules around the site that do nothing much more than emit random character codes in the same RF format would be worth considering.

    3. Re:Faraday's cages are not crazy. by Anonymous Coward · · Score: 0

      and anyway isn't it easier just to paint the Rivet Joint up in Qantas Colours and orbit the Russian embassy?

    4. Re:Faraday's cages are not crazy. by Anonymous Coward · · Score: 0

      Actually, it is the case the cpu chips are put in. The base is covered with pins and mounted on a motherboard that usually has a ground sheet embedded, the top is metal to conduct heat away from it - thus it is quite well shielded from radiation.

      The motherboard, on the other hand, is not - especially in laptops.

      Most rackmount and tower systems are metal, thus again restricting radiation.

      Only the external cabling is available for radiation.

      Monitors are usually plastic, thus not shielded (especially from the back, but the front is also not a great EM shield either).

    5. Re:Faraday's cages are not crazy. by Anonymous Coward · · Score: 0

      Why bother, this "exploit" needs software installed on the system, in which case, there are billions of ways to pass an extremely low volume of data (key press) to another device over an air gap the human ear cannot detect or even notice. It would only be impressive if they didn't have access to the target.

  12. Oh, it was never "crazy"... by jeffb+(2.718) · · Score: 1

    As others have already noted, this is an old, old tactic. I'm a bit surprised that you can correlate enough of the broadband scream produced by a modern laptop to tease out keystrokes reliably, but not that surprised.

    It's only "crazy" if you're spending disproportionate time, effort and money to conceal your boring, inconsequential data. And in these days of big-data sieves and ubiquitous surveillance, "boring" and "inconsequential" aren't what they used to be.

    1. Re:Oh, it was never "crazy"... by Anonymous Coward · · Score: 0

      You can't. You have to install a special program on the laptop that emits the EM signal they are looking for.

    2. Re:Oh, it was never "crazy"... by mlts · · Score: 2

      I would guess it would be cheaper in most cases for an attacker to black-bag the hardware (evil maid attack), or just use xkcd.com/538 and a wrench.

      TEMPEST attacks are very low on my worry list. If I were running an organization that dealt with that sensitive a data, it would be well tucked away in a building designed from the ground up to keep cameras and detectors quite a ways from the juicy stuff. However, before I even bothered with that, I'd be working on physical security, network security, various encryption levels, and having pentesters in to actually verify that the stuff in place is actually doing the job versus looking cool.

  13. Old news and still needs pwned access by ramriot · · Score: 3, Interesting

    Firstly this is old news,
    Secondly almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise. So it's a nice idea that if you have access to put software on the PC you can later get it to emit information, but if you are going to do that then why not use what else is there because how often are all the target's other wireless interfaces fully disabled. I suspect unless your name is Snowden, not very often. Further, if you are that worried about leaking information that you go fully air gapped you would not be trusting a malleable OS to run from, much better to run from a live CD.

    1. Re:Old news and still needs pwned access by phantomfive · · Score: 1

      Secondly almost the first thing said in the video is that they had to install a driver on the target to force it to emit signals they could pull out of the noise.

      At that point it's no longer 'bridging the air-gap' (which typically means exploiting across the air gap), it's communicating between two friendly entities through the air.
      Which we've been doing for literally hundreds of millions of years.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Old news and still needs pwned access by Anonymous Coward · · Score: 0

      Forcing a target to emit signals is not very friendly. :)

  14. Tempest shielding by wolfguru · · Score: 1

    Back in the late 70's to mid 80's, this was a common enough technique that the US developed a secret system known as Tempest Shielding. In simple terms it was an active radio/electronic field around a sensitive device that was designed to block such electronic snooping. Georgia Tech has successfully recreated a technique used long before any of the researchers existed.

  15. Add noise by Anonymous Coward · · Score: 0

    Tempest goes back to WWII when they were actually studying an Enigma machine and discovered that it created a predictable curve in an oscilloscope that was across the room whenever a key was pressed.

  16. frickin' vertical video!!! by Anonymous Coward · · Score: 0

    these guys are so smart and they don't understand how videos should be recorded?! that drives me nuts

  17. Old News by Anonymous Coward · · Score: 0

    Resurfacing again and again. This has been done since at least the mid 1990s with EMR from the video display, keyboard, etc.

  18. Add noise by Anonymous Coward · · Score: 0

    That's a good idea, particularly if you either raise the noise level high enough or ring the computers with a circle of such devices. Meeting Tempest standards is very costly. Adding noise isn't. It's a bit like the suggestion that microphone bugging can be defeated by playing talk radio or similar sounds in the same room. One voice drowns out another.

    I've sometimes wondered what would have happened if the Germans had been clever enough to mix in with their usual Enigma traffic bogus messages made up of random letters that still fit the pattern of German words and sentences. German units with code books would have quickly noticed which messages meant nothing. But quite a bit of the daily labor at Bletchley would have been frustrated, particularly if the bogus messages went out early in the day.

    But that, of course, requires the Germans to know that Enigma was being read and, if that were so, they'd have changed their encryption instead.

  19. TEMPEST by Registered+Coward+v2 · · Score: 1

    There was a reason DoD was concerned about this sort of monitoring many decades ago. Electronics were shielded to prevent EM radiation from being used to deduce what was being done.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  20. How about spread spectrum clocking? by guruevi · · Score: 1

    There used to be an option in BIOSes (may still be there, don't know) to enable spread spectrum clocking. This basically caused the system to slightly vary (spread out) various clocking signals in order to lower emissions at a particular frequency in order to pass FCC inspections.

    This thing requires malware to be installed anyway, at that point it's trivial to do anything. You could send things through any port which many computers have webcam lights, backlights and status indicators that can be controlled quick enough for any human to notice.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:How about spread spectrum clocking? by Anonymous Coward · · Score: 0

      "This thing requires malware to be installed anyway, at that point it's trivial to do anything. You could send things through any port which many computers have webcam lights, backlights and status indicators that can be controlled quick enough for any human to notice."

      exactly... at this point you may as well set up your malware to print out on the workgroup printer down on the first floor, which is farther away than you have to be to pick up the cpu modulated signals from a 3rd floor pc.

      better yet, make it print to the HP cloud print service all nice and pretty and fedexed to yourself.

  21. source? by Anonymous Coward · · Score: 0

    source code or it never happened...

  22. feet, not meters by Anonymous Coward · · Score: 0

    Surprised no one posted about this error. In the video, he says "6 or 7 feet", not meters.

  23. Cases used to be metal by Anonymous Coward · · Score: 0

    Computer cases used to be metal. And a grounded metal case makes for a good Faraday cage. As some have added, a small noise source doesn't hurt. I worked for a 3 letter agency (recently mentioned on /.) and they had some tempest enclosures on equipment, but mostly just tempest'ed the whole building (metal shielding even over outside windows). There are well known methods that could pick up the display of CRTs from a room away (high voltage sweeps were easily strong enough to pick up from the next hotel room), but LED and LCD displays don't run at 50,000 volts, they typically operate on 5 volts. The good news is that the front of the screen is no longer a dust magnet, the bad part, you can't tempest-hack the CRT. So the next best thing: either the controller chip in the keyboard, or the CPU.

  24. 1989 Okinawa and Russian "Fishing" boats by BenJeremy · · Score: 1

    Geez, 30 years ago we were given a demonstration of snooping on non-Tempest equipment, with a van parked outside of our offices, showing keystrokes and fuzzy images of our monitors.

    When I went to work at the RASC at Camp Kinser, just north of Naha (The mainframes were all housed in a building on the south side of the base, closest to the piers), there was always one or two Soviet "Fishing" vessels docked, with all sorts of crazy antennas (directional ones pointed at Camp Kinser), satellite dishes and such.

    This is really, really old news. I've heard of far more exotic wireless, remote listening stuff, from phreaking sources back in the day, but I'm not sure that stuff has even been declassified yet.

  25. Nothing new really by MoarSauce123 · · Score: 1

    Years ago it was shown that electronic noise emitted by keyboards and mice could be easily retrieved with some cheap off-the-shelf hardware even from across a street. That is the reason why many government agencies are dusting off the mechanical typewriters.