TEMPEST: a Tin Foil Hat for Your Electronics and Their Secrets

Electronics leak waves and if you know what you’re doing you can steal people’s data using this phenomenon. How thick is your tinfoil hat? And you sure it’s thick enough? Well, it turns out that there’s a (secret) government standard for all of this: TEMPEST. Yes, all-caps. No, it’s not an acronym. It’s a secret codename, and codenames are more fun WHEN SHOUTED OUT LOUD!

The TEMPEST idea in a nutshell is that electronic devices leak electromagnetic waves when they do things like switch bits from ones to zeros or move electron beams around to make images on CRT screens. If an adversary can remotely listen in to these unintentional broadcasts, they can potentially figure out what’s going on inside your computer. Read on and find out about the history of TEMPEST, modern research, and finally how you can try it out yourself at home!

TEMPEST isn’t anything new. This declassified introduction to TEMPEST (NSA, PDF, SFW, FTW) tells the story of a nameless Bell Labs tech working on signals intelligence (radio stuff) during WWII. The story goes that he noticed strange intermittent spikes on his oscilloscope and then managed to track down the source to a piece of unrelated crypto machinery working in a “distant part of the lab”. He then managed to extract enough information from the spikes to read the plain text being fed to the crypto machine. Eureka!

Being engineers, the Bell Labs folks worked out a complete solution. A combination of shielding and filtering the signals coming out of the crytpo mixer in question to completely obliterate any outside trace of the plaintext. And TEMPEST was born. And just a few weeks later, TEMPEST suffered its first death.

To mask all external signals, the crypto mixer had to be completely encapsulated (read: Faraday cage) and this made it overheat. And you couldn’t get at the control knobs. And it made it hard to fix when things went wrong.

Worse still, all of the mixers deployed in the field would have to be recalled and retrofitted, and that was expensive. So the Signal Corps issued a directive to control the area 100 feet around the crypto mixer, and that was that. After all, as the NSA paper notes, there was a war on.

TEMPEST rides again: van Eck Phreaking

After the war was over, the CIA started looking into TEMPEST for its own purposes. Shortly thereafter, it became apparent that the Soviets were doing the same: in 1954 the standards for electromagnetic emissions from teletypes and other communications equipment were much more stringent than those for motors, which are in principle more noisy.

In the 1960’s we discovered that everyone was spying on us, from a high-gain antenna pointed at the US cryptocenter in Tokyo to the discovery of 40 microphones hidden in the US Embassy in Moscow. Spooky stuff, but largely limited to the classified world.

TEMPEST entered popular hacker culture in 1985 through this paper (PDF) by Wim van Eck. The comparatively small logic voltage signals coming out of your computer enter the CRT monitor and are amplified up to hundreds of volts in order to deflect electrons and make the phosphors glow to spell out whatever you’re reading. What soon became known as “van Eck phreaking” was as simple as receiving the radiation from the CRT using a radio, and re-combining that radio signal with locally-generated horizontal and vertical sync signals and then replaying that onto a monitor. Voilá, a perfect copy of a remote screen.

By the time van Eck’s paper came out, the spy world had been phreaking for at least twenty years. Nonetheless, the graphic demonstration (pun intended) of remote surveillance power caught the public’s imagination in the late 80s and early 90s. This retro-spectacular BBC TV Show, “Tomorrow’s World” covered TEMPEST, building up a van Eck rig and pointing it at a BBC Micro computer across the room. Neil Stephenson showed how cool he was by name-dropping van Eck in Cryptonomicon (a must read for any geek). Ominous white vans with telecoms equipment started showing up in movies across the country.

More great TEMPEST information can be found at cryptome.org’s collection of TEMPEST documents.

… in a Teapot

So does TEMPEST really matter these days? If you have to ask, the answer is “probably not for you”. This comprehensive resource on TEMPEST reports on a US military consensus that there’s not that much risk of TEMPEST-related breaches within the US to warrant the expense. For instance, the National Reconnaissance Office got rid of its domestic TEMPEST requirements in 1992. At the same time, CRTs have been phased out for LCD screens and computers have all become generally less radiative for non-spying interference reasons.

On the other hand, TEMPEST is too cool to die. Our favorite TEMPEST researcher at the moment is Markus Kuhn, who essentially did his dissertation on TEMPEST. (He also proposed a great hack where you look at the reflected light in a room with a CRT monitor at high frequency and back out what the image on the screen would be that generated that time series.) In his “soft-TEMPEST” project, Dr. Kuhn proposes using slightly smudged-out fonts to take the high-frequency edges off your radiated signal, solving the previously-hardware TEMPEST problem in software.

Post-TEMPEST and EMSEC

SANS wrote a whitepaper on TEMPEST that’s a great read for the security professional. (Although the use of Comic Sans makes it looks like a bad cartoon! Yes, SANS, we get the joke, but really.) According to SANS the codename TEMPEST is outdated, and it was never clear whether TEMPEST referred to the problem or the solution anyway. Those in the know now refer to the field as Emission Security (EMSEC), which covers much more than the direct reception of the emitted signals of CRT monitors.

And viewed more broadly, TEMPEST is just one of many side-channel attacks where the attacker tries to gain information about the device’s internal state from things like radiation, power usage, response latency, etc. This recent paper uses emitted TEMPEST-like radiation and software-defined radio to determine where the encryption routine in GPG is spending its time, and by sending certain keys to the GPG routine and monitoring the response, they can break the encryption.

There are rumors (for instance at “The Complete, Unofficial TEMPEST Information Page”) of new and improved codewords: HIJACK And NONSTOP. These appear to be TEMPEST-like exploits where a device is brought in with the target computer and essentially re-broadcasts the emissions in order to make a stronger signal.

In that vein, the Snowden leaks brought us RAGEMASTER (warning: leaked classified document — do not click that link if you have security clearance and hate filling out paperwork) which is a re-transmission bug that gets embedded into the monitor’s video cable. Pretty slick. Open-source work on similar technologies takes place at NSA Playset.org. Michael Ossmann’s CONGAFLOCK gets you halfway there.

So maybe you do want to buy that expensive TEMPEST laptop after all.

Hack the TEMPEST!

TEMPEST isn’t just for spooky uses. You too can use unintentional emissions for fun at home. Tempest for Eliza is a quick Linux hack that plays music over the radio of your choosing by displaying alternating black and white pixels on your monitor at just the right frequency. This plays music for the feds pointing their TEMPEST-sniffer antenna at your monitor. If you’re not currently being spied on, you can play the music for yourself using a handheld AM radio.

To use Tempest for Eliza, you’ll need to know some things about your monitor’s refresh rate and pixel layout and such. For our LCD monitor, for instance, xrandr --verbose outputs a line like:

1280x1024 (0x4d) 108.000MHz +HSync +VSync *current +preferred
      h: width  1280 start 1328 end 1440 total 1688 skew    0 clock  63.98KHz
      v: height 1024 start 1025 end 1028 total 1066           clock  60.02Hz

The numbers you’ll need are the pixel clock (108 MHz), the height and width (1280×1024), and the total pixel count including the dead time at the edge of the screen (1688). You then pick a frequency that you’d like to transmit on. 1000 kHz = 1 MHz, which is right in the center of the AM dial on a normal radio, or try other frequencies if you’ve got a ham radio that can do AM demodulation at higher frequencies.

For 1 MHz, with the parameters above, the command looks like: ./tempest_for_eliza 108000000 1280 1024 1688 1000000 songs/forelise. Here’s a YouTube demo of what it looks like.

Now you can use Tempest for Eliza as a rough TEMPEST-leakage gauge. Where you hear the music best, that’s where you’re radiating from. The back of our trusty old LCD monitor broadcast loud and clear, although it seemed to emit through a very small hole on one side only. Our guess: there’s shielding everywhere, but cables have to get out somehow. We also noticed that “Für Elise” played louder behind the monitor than in front.

In line with Dr. Kuhn’s conclusions in this paper on LCD monitors (PDF), we got some signal out of the DVI cable, though it wasn’t as strong as the near-field on the back of the LCD monitor. We also noticed some periodic clicking-type noise coming from the cable, which we take to be a factor of the pixel clock mixed with the tuned frequency (1MHz). Or something like that.

Our laptop (a Thinkpad X220) seemed relatively quiet in comparison. You can still hear the music, but it’s even quieter on the laptop’s display than the larger monitor, and you have to place the antenna right up to the screen. We’d read somewhere that the hinges, where the monitor cables pass through, are particularly noisy, but we couldn’t back that up empirically. It seemed pretty much the same everywhere.

Feedback

From the very beginning, TEMPEST was a great hack. The van Eck method of receiving the signal and reconstructing the sync signals is awesome and very low-tech. But with the significantly cheaper computing power at our fingertips today, including advances in open-source software-defined radio, even more sophisticated TEMPEST-like attacks could be within reach. Finally, there are still a lot of leaking electronic devices out there, and we’d bet that they’re mostly under-researched.

So download and run Tempest for Eliza, and have fun with the radio emissions coming out of your monitor. If this pushes you on to the next level, have a look at this video on SDR TEMPEST-like ideas that you can try out on the cheap. Or get inspired by the spooks; after all, they’re professionals at this sort of stuff. When you get something cool, let us know on the tips line. Get yer phreak on!

Filed under: classic hacks, computer hacks, Featured, radio hacks

via Hackaday » radio hacks http://ift.tt/1M00cns