KBA Oktatási Kft, OKÉV registration number: 01-0469-04, 2004
Built-in spy in your CRT monitor, or the glamour of radio reception. László M Biró, Allianz Hungária Biztosító Rt., laszlo.biro@samunet.hu
Data is value. Not only for us, but also for others. Our data can be valuable to others. Destruction of our data can also be of value to others. Is it in a safe place? Is it vulnerable? Can it be stolen?
They can be damaged if... the operating environment is harsh; any malicious software starts to run; an enthusiastic programmer gains access to production data.
Your data can be dispersed if... someone lays hands on your machine or any of its components containing data. We would like to obtain data (of course, illegally), but it is protected...
If the system is protected, but not too well, we can try to use a USB-WiFi plug or a hardware keylogger, or we can observe the screen in front of the operator.
If you cannot get close to the machine... you have to check if it's ready to give you the data by itself...
Oh yes, and it was discovered soon...
and everybody was frightened:
The original Wim van Eck configuration:
Hardware-phobes and physics-phobes can leave NOW!
How does the transmitter work (1.)?
How does the transmitter work (2.)? The deflection system visits the pixels line by line. The electron gun generates a beam current as a function of the brightness of the corresponding pixel. During the fly-back the beam current is zero!
How can it be emanated? The antenna is the beam itself! Antennas...
The first attempt (1)...
The first attempt (2)...
Doesn't work... Why? (Computer side) Let's calculate. Screen resolution: 640x480 pixels, monochrome. Refresh frequency: 60 Hz. We would like to recover the video signal... The video frequency is (1.3*640)*(1.05*480)*60 = 25159680 Hz, slightly more than 25 MHz!!! Receiving one sample via the Centronics port takes at least 2 µs, so the maximum throughput of the printer port is 500 ksample/s. Mr. Claude Shannon would be very sad: the error rate is too high (1 : 500).
Doesn't work... Why? (Radio side) Frequency of reception: 108 MHz. Intermediate-frequency bandwidth: <200 kHz!!! AF bandwidth: 15-18 kHz!!! 18 kHz <<< 25 MHz. The error is more than three orders of magnitude!
Maybe?...
The solution: undersampling... The ratio of necessary to available bandwidth is 25 MHz : 18 kHz; according to Shannon's law this is about 2800-times undersampling! Broken watch method...
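Why undersampling works on a signal that repeats, shown as an added example (not part of the original slides): a sampler far slower than the signal still visits every phase of a repeating waveform, provided its step shares no factor with the period. The integer tick model, the stripe test line and the function names are assumptions made for illustration; 832 and the roughly 2800-fold ratio come from the figures above.

```python
from math import gcd

def undersample(frame, step, n_samples):
    """Sample an endlessly repeating waveform once every `step` ticks.

    The signal value at tick t is frame[t % len(frame)]. Each sample is
    filed under the phase it was taken at; phases never hit stay None.
    """
    period = len(frame)
    recon = [None] * period
    for j in range(n_samples):
        phase = (j * step) % period
        recon[phase] = frame[phase]
    return recon

def coverage(period, step):
    """Number of distinct phases a sampler with this step can ever reach."""
    return period // gcd(period, step)

# Constructed test line: 640 visible pixels of 8-pixel-wide stripes plus
# blanking, 1.3 * 640 = 832 ticks in total (overhead factor from the slide).
LINE = [(x // 8) % 2 for x in range(640)] + [0] * 192

def demo():
    good = undersample(LINE, 2801, len(LINE))       # gcd(2801, 832) = 1
    bad = undersample(LINE, 2800, 10 * len(LINE))   # gcd(2800, 832) = 16
    return {
        "good_complete": good == LINE,
        "bad_covered": sum(v is not None for v in bad),
        "periods_elapsed": 2801,  # one full pass costs `step` signal periods
    }

if __name__ == "__main__":
    print(demo())
```

The reconstruction depends on the displayed content staying unchanged for thousands of repetitions, which is why static screens are the exposed case.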
Let's be a bit more serious... Some screen resolutions and the related pixel frequencies
The real situation is slightly different... Vertical, 1-pixel-wide columns: the electron beam should be turned off and on pixel by pixel, or at least that is what should happen. Despite that, the beam current swings three times faster than the pixel frequency.
The world is colorful... Shadow mask; triple-barreled electron gun; slot mask; Trinitron.
Frequencies, harmonics... If the beam current were an ideal square wave, its harmonic content could be described by a Fourier formula. The higher-order harmonics can be weaker, depending on the frequency response of the video amplifier (and the video card). Cable inductance attenuates the higher-order harmonics.
It should be something like this: a nearly ideal square wave (with a tiny overshoot)
It could also be something like this Reduced level of harmonics
In reality something like this... Three electron guns
The video spectrum of some video cards...
We need a transmitting antenna. How large is it? 300 meters; 35-45 cm
Antennas' behavior, radiation characteristics as a function of frequency (wavelength): l=λ/4, l=λ/2, l=λ, l=2*λ
Conclusions: We have to listen above the base band, at the harmonic frequencies. This is, depending on the monitor, the 150-650 MHz band. The measured spectral distribution verifies this estimation. The necessary bandwidth is about three times the pixel frequency. A PC is too slow for this sort of processing. The recovered picture will probably be monochrome.
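The square-wave remark from the harmonics slide and the 150-650 MHz band from the conclusions, worked through as an added example (not from the original slides) for planning emission measurements or shielding. It treats the video frequency computed earlier as the square-wave fundamental and models amplifier plus cable as a first-order low-pass with a 100 MHz corner; both are assumptions, as are the function names.

```python
import math

def pixel_clock_hz(h_pixels, v_lines, refresh_hz, h_over=1.3, v_over=1.05):
    """Pixel rate including blanking, with the overhead factors used on the slide."""
    return (h_over * h_pixels) * (v_over * v_lines) * refresh_hz

def harmonics_in_band(f0_hz, band_hz=(150e6, 650e6), corner_hz=100e6):
    """Odd harmonics of an ideal square wave of frequency f0_hz inside band_hz.

    Fourier series: harmonic n (odd) has amplitude 4/(pi*n), i.e. 1/n of the
    fundamental. ASSUMPTION: video amplifier and cable act as one first-order
    low-pass with corner corner_hz, gain 1/sqrt(1 + (f/corner)^2).
    Returns rows (n, frequency_hz, ideal_db, filtered_db), with dB taken
    relative to the ideal fundamental.
    """
    lo, hi = band_hz
    rows = []
    n = 1
    while n * f0_hz <= hi:
        f = n * f0_hz
        if f >= lo:
            ideal_db = 20 * math.log10(1 / n)
            gain = 1 / math.sqrt(1 + (f / corner_hz) ** 2)
            rows.append((n, f, ideal_db, ideal_db + 20 * math.log10(gain)))
        n += 2  # a symmetric square wave has no even harmonics
    return rows

def report(h_pixels=640, v_lines=480, refresh_hz=60):
    """Text report for one video mode (defaults: the 640x480, 60 Hz example)."""
    f0 = pixel_clock_hz(h_pixels, v_lines, refresh_hz)
    lines = [f"video frequency {f0 / 1e6:.3f} MHz"]
    for n, f, ideal, filt in harmonics_in_band(f0):
        lines.append(f"n={n:2d} {f / 1e6:7.2f} MHz  ideal {ideal:6.1f} dB  filtered {filt:6.1f} dB")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```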
What do we need? A good antenna; a good radio; an application-specific circuit for recovering the sync pulses; a good-quality (multisync) monitor; occasionally a good computer (DSP!)
What does a good antenna mean?... More elements, higher gain. Wide band, probably log-periodic. It's not a problem if it's invisible...
What does a good radio look like? Motto: There's no good radio; there are only expensive radios you can buy and radios you design. It covers the whole reception band; is sensitive and low-noise; gives a proper output level; covers the necessary bandwidth. If you don't have really much money, you have to build it yourself...
The first stages of our radio... Our purpose: recovering the base band envelope.
What else should we do? The signal should be amplified. The envelope should be restored (demodulation). The vertical and horizontal sync signals and the blanking signal should be restored. The restored video signal can be sent to the monitor.
The results: Test picture on screen, character size 6x13 pixels. Recovered picture: central frequency 300 MHz, bandwidth 200 MHz.
What else can we do? That was an inexpensive project that can be done at home. Other, more professional and somewhat more expensive ways: a better antenna (higher gain, better orientation); a better radio (higher gain, lower noise); high-speed digital signal processing (DSP).
DSP and more bandwidth can help: Letter W, 9*13 pixels. Receiver bandwidth: 50, 100, 150 and 200 MHz. Increasing the bandwidth from 150 to 200 MHz does not result in significantly better quality.
How should we process the video signal? It's not necessary to process every single frame. Digitizing, processing and visualizing should be separated. Pixel borders and pixel values can be determined more precisely by processing more than one line (sampling from the middles of the pixels). The time slices of the unprocessed frames cover the time consumed by the additional processing.
What can we use? Mixed signal processing systems are offered by manufacturers. Really high processing speed needs unique solutions.
Entry-level project: You can stay under $100, but the sky is the limit...
Advanced project: Real-time processing for about $600 for a 1024x768 pixel monitor. We use only commercial (not military) components...
An internal helper can ease the job: Larger characters, better result. Embedded pictures can also be transferred!!! The transferred information can remain invisible on the transmitter's screen!!!
What can we do? (Technical possibilities) Shielding; HF noise generator; monitors close to each other; carefully selected character and background colors.
What else can we do? The human factor is as important as technical solutions! Carefully selected colleagues! Awareness: knowing the consequences of data leakage. Continuous education. Regulation must follow the technical changes.
Useful links
http://jya.com/emr.pdf - The original Wim van Eck article
http://cryptome.org/nacsim-5000.htm - Tempest Fundamentals
http://www.falstad.com/mathphysics.html - Demo applets
http://www.eskimo.com/~joelm/tempest.html - Tempest info
http://eckbox.sourceforge.net/ - Eckbox description
http://www.surasoft.com/articles/tempest.php - Tempest attack
http://www.ti-estore.com/ - Starter and Evaluation kits
Questions???? laszlo.biro@samunet.hu