Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Coming to a Desktop near you: Tempest Capabilities

Posted by Hemos on Mon Nov 08, 1999 08:24 AM
from the fun-with-van-eck-phreaking dept.
Technology
AftanGustur writes "New Scientist has an interesting article about a new toy we will all want. It's a card that plugs in one of your PCI slots and allows you to scan the EMF spectrum and read your neighbours terminal. In about 5 years you might be able to get one for just under £1000. (Modern Tempest Hardware costs about £30000) " Excellent. Now I won't have to read over Rob's shoulder all the time.
+ -
story

Related Stories

[+] Hardware: Laptops And Flat Panels Now Vulnerable to Van Eck Methods 144 comments
An anonymous reader writes "Using radio to eavesdrop on CRTs has been around since the 80s, but Cambridge University researchers have now shown that laptops and flat-panel displays are vulnerable too. Using basic radio equipment and an FPGA board totaling less than $2,000 it was possible for researchers to read text from a laptop three offices away. 'Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximize the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Coming to a Desktop near you: Tempest Capabilities 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • I thought you guys all had those Sony Viao's? The tempest wouldn't be too useful on those things...the LCD's don't give out EMF....

  • Another Microsoft conference (Score:3)

    by blogan (84463) on Monday November 08 1999, @03:33AM (#1553176)
    "Microsoft announced this morning that it did not design it's keyboards to emit to the EMF spectrum, allowing the NSA a backdoor into your computer. They place the blame on physics."
  • "ruggedized" or military spec (milspec)
  • Any unshielded electrical device with a variable current (including LCDs) will give out EMF radiation. It's the nature of the beast.

    For that matter, light is EMF radiation, so unless you have your LCD in a coal-mine, it's reflecting EMF all the time it's switched on.

    Then, there's the fact that screen monitoring isn't the only monitoring you can do. I used to use a radio, tuned into the bus for the PET, as a sound card. Worked surprisingly well, for all that very clunky metal shielding. What's to stop a much higher-quality receiver from seeing the data, in an unshielded box, being sent TO the LCD, or to any other device on the machine?

    It's a mistake to assume that Tempest technology is single-function and that that single-function only works in a single situation.

  • Pattern of keystrokes? I'd bet it's possible to really confuse the individual spying on you via the typing patterns monitor method...
    Use a Dvorak :P

  • I believe the term you're looking for is "rugged reliability" ;)

  • More Information (Score:3)

    by Plasmic (26063) on Monday November 08 1999, @03:41AM (#1553182)
    Already, a few people have posted expressing their misconceptions about what TEMPEST is. In a nutshell, it's the process by which radiation given off by electronic devices can be captured and analyzed in order to gather information about what that device is doing.

    A good example of how it can be used was given during the October 1996 episode [thecodex.com] of Discovery Channel's "Cyberlife" show.

    A couple other decent sites with more information about TEMPEST are:
    The Complete, Unofficial TEMPEST Information Page [eskimo.com]
    TEMPEST monitoring in the real world [thecodex.com]

  • 5 Years (Score:3)

    by SamIIs (65268) <SamIAm@ m a t h . g atech.edu> on Monday November 08 1999, @03:42AM (#1553183)
    In about 5 years you might be able to get one for just under £1000.

    In about 5 years, I expect to have a flat-screen (19"). These don't work on LCD, do they?

    Also due in about 5 years...
    **A robot that cooks and cleans and has a cute, cartoon personality.**
    **Cars that fly**
    **One supreme Linux Distro**
    **A final end to the DOJ MS trial**
  • This technology has been around for a long time -- the issue is really the same old technological same old: miniturization, dropping prices, and better software.

    I can see a future where either:

    • Strong encryption is applied to everything, from applianceware to monitors to PDAs
      or
    • Everyone will be paranoid all the time
      or
    • all of the above.

    Echelon, hell. Beware thy neighbor. Shame, iddnit?

    -Omar

  • What is the legal side of this like?
    Is it legal to use this kind of equipment, and if so, what is it legal to read?
  • I'm concerned with the following paragraph from the article [newscientist.com]:

    And keyboards are also troublesome. They rely on a scanning signal, which radiates the pattern of keys being pressed. So the patent suggests using a random number generator to continually distort the scanning signal.

    That's one of the the most vague things I've ever read in my life. That's like saying "I didn't want anyone to see me when I robbed the bank, so I used a random number generator to distort the police radio signal." It's apparent that they have some particular application of a random number generator in mind and that it is probably effective, but how on earth it's applied is neither implied nor apparent.

    Does any have a clue what they're referring to?
  • . . . to go on and on about privacy and security for ourselves, and then start jumping at a chance to spy on everyone else? Not that I don't want one myself, mind you (though the "respectable" reason is to reverse-engineer and protect myself), but it kinda seems silly to think that way.

    The truth of the matter is still the information war. We don't object to the act of spying, we just want to make sure WE'RE doing the spying, not the guy next to us.
  • This is old news.

    I have an Atari Jaguar with Tempest capabilities...
    --
  • I've seen that people invented a coat that will be used in the planes to isolate the cockpit, allowing you to use your notebook during takeoff and landing. Maybe I should put it all around my room. But I don't think my TV will still work after this re-styling.
  • I know, I know, it's not possible...

    Even still -- in this light, I'd like to get anti-aliasing integrated into my X server. We've still got some time, anyway.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • While it is not as difficult to scan a computer ("tempest" style), it is not that difficult to shield a computer.

    LCDs / laptop displays are a first step to reducing possibly compromising signals. LCDs work with a much lower signal level than CRTs (thus lower emissions) - but while they are harder to scan LCDs it still is possible.

    The only way to prevent emissions is to shield the computer. L0pht had pictures of a do-it-yourself shielded computer about a year ago, but I was not able to find it again (shielded too well, eh?). While the CRT is the foremost target for shielding (because its emission levels are the highest), one has to shield all and everything.

    Shielding with metal enclosure AND mu-metal (for magnetic shielding): CRT, CPU box, printer, modem.

    Shielding with metal enclosure should be enough: keyboard + mouse - a trackball might be better because of heavy/stiff shielded cables,
    connecting cables (any - video, printer, serial, network).

    A big no-no are radio keyboards or mice - or wireless LAN. The reason should be obvious.

    Not that obvious are "leaks". Do not forget to cover floppy + CD-rom doors with a radiation lock (at least a proper door) - and build radiation locks / traps / grids for ventilation in- and outputs.

    Practical side-effect of a highly shielded PC: it mutes (compromising) radiation as well as (ventilation/hard disc) noise. A good workstation is quiet - in both, EMF and noise emissions.
  • Cyber-cops already exist, with the proliferation of inexpensive Van Eck monitoring you will see mercenaries(similar to the information gatherers in Stephenson's Snow Crash) offering their contracted services to law enforcement agencies. This may benefit those of us who do care about privacy by speeding up the development of countermeasures. -Matt
  • Use a Dvorak

    That would probably take nearly as long to figure out as the Cryptoquip in the morning paper. If someone is going to the trouble to sniff your keyboard, assuming they can't solve a monoalphabetic substitution is wishful thinking.

    Now, if you put a one-time pad in the keyboard driver, you could fool them. Of course, it would slow your typing down a little, but you'd probably get good at it eventually. Might even break 1wpm....

  • Keyboards scan in the same pattern, all the time. If you know the pattern, then you just get the timing of the keyclicks and from that you can figure out what keys were pressed.

    Instead, keyboards should be scanned in a random pattern, and the time of keyboard clicks will not be helpful to determine what key was struck.

  • Sure. Maybe.

    Both keyboard and PC share a (pseudo) random number algorithm. When you power on, they negotiate a seed. At every keypress and/or clock tick, they both move on to the next random number, which will stay in sync. Keypresses are XOR'd with the random number before transmission.

    Hence, the snooper needs to work out what the pseudo-random number algorithm is, *and* calculate the seed, in order to glean information from the RF emitted by your keyboard.
    --
  • We're all going to go out and buy one right? The market for eavesdropping equipment that does this sort of thing is so small that there are no economies of scale .... the prices will not come down because the cost of the hardware is probably miniscule compared with the R&D.
  • Did you know that you can do tricks with antialiasing in your fonts to change the text on your screen as it appears to a tempest scanner?

    tempest isn't there to read text off your screen. it's there to show that your screen is on in the first place and that it's doing something, and that something matches patterns kind of like typing. so if you say "i was in bora bora the day that system was cracked" they can ask you, "then who was typing on your computer?"
  • I remember being in a Ross Anderson lecture where he demonstrated how by filtering out the top 30% frequency, you could hide your information from a Tempest scanner. PGP 6.0.2 apparently does this, so if you're worried about the government decrypting your transmissions then maybe you should use that!

    Also, he demonstrated displaying one thing on your screen, and another thing on the attackers screen, which has the potential to be used two ways: either to foil an attacker, or the possibility of a Tempest virus, which secretly transmits your cryptographic key to the white van waiting outside, while displaying something else altogether on your screen!

    Ross Anderson's homepage [cam.ac.uk] has links to his papers on this topic.

  • Yes the fact that we may all have flat screen monitors (40 inches wide) which dont emmit emf does limit this and hell i wonder if it has a sensitve enought microphone for capuring speach recogonition. But there are always going to be scurity issue. The data still has to be transefered via metal cables and these are great from giving out loads of emf. Your picture doesn't magically jump to the screen yet. As for the hardrive issue, arn't we all going to have holographic storage by them? Or will we be waiting for the linux4.2 drivers :o) -my tupence (I'm english I'm afraid)
  • You forgot to mention:
    ** Another MacWorld keynote by Apple interim CEO Steve Jobs
  • Well, for the robots and the flying cars, I swear we were promised them in roughtly one and a bit months.

    And where's our bloody moonbase?
  • Sorry to say it, but yeah, an LCD can be used to snoop on you too. So can your keyboard. So can your hard drive; processor; printer; scanner; etc. Pretty much any computer part that has electricity running through it is a security hazard when it comes to this kind of stuff.

    Read some of the articles on the Complete TEMPEST Information Page [eskimo.com] if you want to really scare yourself. Convieniently, there are also links to companies there who produce TEMPEST-spec computer equipment and peripherals.

    ~GoRK
  • I've seen some Tempest technologies in action, I know its more than just a single function. However wouldn't the distance on a laptop lcd is considerably less than a CRT, because of the differences in scales of the energy involved in each of them? If CRT's can be captured at distances of 1000 yards, wouldn't a LCD be more like 10, maybe 100 yards?

    I had a friend who used to scan frequencies to hear the noise from various devices. He always had a hard time finding the frequency of a laptops LCD, but he never had a hard time finding frequencies given off by cpu's, crt's, people, and other electrical devices.

  • Already, a few people have posted expressing their misconceptions about what TEMPEST is. In a nutshell, it's the process by which radiation given off by electronic devices can be captured and analyzed in order to gather information about what that device is doing.

    To be completely anal about it, TEMPEST is actually the set of standards and practices to stop people from being able to eavesdrop on you using the technique you mentioned. The actual process of doing it is often refered to as "Van Ecking" or "Van Eck Phreaking" after Wim van Eck, who brought the issue in front of the public (read: non-spook circles) in a paper written in 1985.

  • Don't forget about your printer. Security ratings have been denied because a 'W' sounded different than a 'Y'.




    To see some pictures of a real TEMPEST shielded PC take a look at some of the old IBM PC/XTs they have at http://www.meco.org. Last Friday I saw a pretty rare SPARCstation. It was a TEMPEST shielded SPARCstation 2. Really heavy machine and a bit larger than a normal SPARCstation 2 due to the shielding. The floppy and power switch were located behind a 1/4" solid aluminum door on the front panel. It was used by the Navy. Maybe next time I'll pick it up and take some pictures. The thing has got to be a rarity.
  • The fall-off is proportional to the square of the distance (ahhh! physics! :). I don't know what the threshold for detection is, with a modern Tempest device, but if you know the threshold and the energy output, you should be able to calculate the maximum range.

    You're right, of course, a laptop won't be detectable at the same range as a CRT, but the actual range isn't fixed, as the radiation doesn't just stop.

    (eg: If you rigged up Jodrel Bank to a Tempest device, you'd probably be able to capture an LCD on the moon, with only minimal distortion. Jodrel Bank's resolving power would be the key factor there, rather than signal strength.)

    Using a primitive, unfocused arial, a low-power amplifier, and minimal screening, you're probably right on the estimates - 1000 yards for a CRT and 10 yards for an LCD sound about right. Rig up a squarial or a satellite TV dish, beef up the amplifier, and improve the screening and you can probably add at least one, maybe two, orders of magnitude.

  • What now? Everyone builds a lead/iron box in his backyard and stuff all our electronic equipment into it? Might as well enclose our whole house in it. Might help twart off robberies and stuff. Maybe add a couple of turrets and reinforce it.

    And viola! We have the ultimate personal fallout,bomb,terrorist,privacy shelter.

    Beats the purpose of living.
  • And where's our bloody moonbase?

    have you looked at the date lately?
    It disappeared after a big explosion a couple of months ago.

    Come on, lad, get with it! :)

    P


    Pope
  • It was mostly about shielding a computer to reduce emissions. All the cases were "ruggedized" (heavier construction, lots of screws) with copper mesh shielding inside the case near seams and openings. The systems were "Tempest certified" to indicate EMR emissions from the cases were reduced below certain thresholds.

    Wasn't proof against extreme conditions, though -- I accidentally knocked a cup of coffee into an unpowered keyboard once, was a royal pain to clean up (I counted some 50 screws just for the keyboard case.)
  • Shielding one's computer is very cumbersome. Is it not easier, knowing the exact frequencies where your electronic components leak data, to just add a small white-noise transmitter that will jam the needed frequencies? If you want to get sophisticated, it can analyze your emissions in real-time and generate the correct noise to cover/distort them...

    But in any case, local jamming should be much simpler/cheaper than shielding. Anybody knows if this is a viable option and if not, why?

    Kaa
  • Hiding the keyboard signals seem to be reasonably easy to solve - I dunno about the signals coming off buses & disk drives (the only practical way to hide these might be to use a shielded case).

    As far as the monitor information is concerned, what if the display was generating by modulating a "white noise" signal? In other words, you start out with a white noise signal, & direct it preferentially toward different parts of the screen to vary intensity (I'm assuming you could deal w/color issues in this somehow).

    I guess this would be like the old vector-tracing scopes, except the phosphors would probably decay a lot more rapidly, allowing the pictures to be to be changed more quickly. The random nature of the base signal might make the picture a little more "fuzzy" (depending on the precision of the modulation electronics). As a good benefit, you wouldn't have any problems with refresh rates - since a "refresh signal" wouldn't really exist.

  • I once worked in one of those things for a month. Yes, there were chaps in green outside guarding us with rifles and big dogs too.

    Despite the fact that the Tempest shielding manual read awfully like Reich's instructions for building an Orgone Accumulator, I continually felt like crap. I never saw daylight, I breathed more ozone than orgone, and Navy issue coffee is the worst stuff anyone ever fed coders on.

  • Maybe they're planning on using spread-spectrum techniques with a "random number" to seed which frequency it uses, or similar.

    --
  • I'm glad that I have some old 386 cases that have 20 pounds of steel in them.

    Now I just need to slap some ferrite cores on all of my cables, make sure all my power runs through an active UPS, and turn my computer room into a faraday cage. ;)

    Unfortunately, this is no laughing matter.

    It is actually slightly frightening that the price of this technology is dropping, if anyone can save up and buy this type of device, nothing is safe.

    I know that my bank does not use tempest resistant equipment. Here's a scenario: Thief leaves a tempest scanner in a lunchbox computer (mostly shielded of course) in his car that happens to be parked next to the bank or a vulnerable atm machine....a week later he records the acct#s to mag cards and writes a list of pins. Then in person, at an ATM that dosen't have a camera (yes there are a few of those still out here in rural america) and empties the machine.

    Another scenario: Snoops watch neighborhood computer use and start extoring money out of people that look at naughty porn.

    Another scenario: A small startup firm is cash strapped, but has developed a crucial piece of software for this new technology. Snoops lift the software, business plan, and pricing scheme out of the startup's computers. Well funded snoops beat the startup to the punch and the startup goes out of business.

    A scenario that would be very likely: A competing local company pulls a customer list off of your computer, along with your price list, vendor list, and all of your other vital information.


    It changes the picture completely. I can secure my computers to a reasonable extent, but can my Bank, ISP, Phone Company, Power Company, Credit Card company, etc.

    Then again, we could just drive past microsoft and grab a copy of the source code for windows too!
  • I mean it's not like packet sniffing. It is too expensive to go around van ecking script kiddies and other kinda low level computer criminals. To me the main application of this is industrial espionage. It's kind of a cool spy type thing and if it makes it into the main stream media we can probably expect a james bond movie mention.

    But I have a hard time believing that this is really a threat to my right to privacy at least for the moment. This card certainly would be if someone really wanted to see me entering my pin in an atm, or my credit card number when I was buying at amazon or whatever. But that's not really an issue of rights or whatever, it just means that petty criminals are going to have access to this technology and then the nightly news will have something new to stir up paranoia about and every company will make a tempest shielded laptop for everyone and then nothing will come of it.

    I'm afraid that this is not really about rights so much as vulnerabilities to crime and fraud. If you are a terrorist or a revolutionary or you are worried that you will be spied on while you are using your computer to plan or talk about crimes, stop. If you are a known terrorist or revolutionary then do not use computers, meet your cronies in dark back alleys and you are fine.

    I think we (I am assuming most of you are not criminals) are only really going to be at risk when the technology comes to the point that the police can troll up and down the streets in vans and then bust in on anyone they can catch doing something wrong. And I bet that violates the watcha-callit... Constitution thingy.

    So in the mean time I guess I can just keep an eye out for the flowers by irene vans outside my house and go on with my unshielded self.

  • How about something like the WWII German Enigma encryption machine to rotate the letters? A bit big and clunky for a mechanical version, and an electronic version would probably be "tempestable" as well. Though you could have 100s of "rotors".

    But then again, you could always get a manual typewriter.

    I wonder what the frame rate for quake would be :)
  • good points, but I disagree with one of them, and it's one I wrote about too:

    " know that my bank does not use tempest resistant equipment. Here's a scenario: Thief leaves a tempest scanner in a lunchbox computer (mostly
    shielded of course) in his car that happens to be parked next to the bank or a vulnerable atm machine....a week later he records the acct#s to mag cards and writes a list of pins. Then in person, at an ATM that dosen't have a camera (yes there are a few of those still out here in rural america) and empties the machine."

    because of this:
    Does your atm print your account number on the screen? anywhere?
    I guess it could be grabbed off the card reader, but I'm not sure about that. Because the card reader is in the machine and most atms are embeded in concrete and metal at least. Not the ones in delis tho. They are more or less just computers in a shitty metal tool box. And it's the same with the atm keypad, if your pin isn't in clear text on the screen (the biggest target) then there is much less chance it's gonna be grabbed from the keypad. (I am just guessing, so someone tell me I'm wrong and it's just as easy to grab the radiation from anything that gives it off.)

    And if you want to defeat the atm cameras wear a hooded sweatshirt and sunglasses and a hankie over your mouth. Bound to work fine.
  • With all the worry/complaining surrounding government spying (think Echelon) I don't like the idea of my neighbors also spying on me, nor do I want to spy on them.
  • I know, I know, it's not possible...

    Of course it's possible! It'll mean a reworking of X font handling mechanisms, and it'll certainly be a lot of work, but it definitely *is* possible.

  • And:
    ** Netscape 5.0 released
  • I would tend to think that putting out white noise on the same frequency as the byproducts of your moniter / keyboard / disk drive would be a great way to get video distortions on your screen, random keypresses detected by the computer or possible corrupt data from the HD. You would end up having to shield you computer against the exact same frequencies to prevent errors as you would have had to to beat a TEMPEST scan.
  • All this thing is is a tuner card on a pci board.

    BFD. Ham radio people have been making stuff like this for years. Maybe not so nice a version, but hey...

    Of course, it is a difference when it's a mass-market item, and more people have the ability to hack away at the software.

    Anyway, basically the card is a variable tuner to go through the spectrum and see what's out there. Pipe any signals you may find into the system and decode to your hearts content...

    It's pretty entertaining what's out there on the airwaves.. Fun with HAM radios.

    ---
  • Well yeah, in that sense, anything is possible. The problem is that it would break all of the current X-apps that need fonts. I guess there could be backwards-compatibility... I don't really know much about it.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • Everybody keeps mentioning the fact that a Tempest can scan the RF noise for 1000 yards to capture video signals. How does it distinguish between multiple monitors within this range? Ie, can it pick only one of many sync rates? or does some funky DSP filter out the other monitors? Or do other monitors distort the signal enough that it can act like a jammer?
  • I think by they they meant that the microcontroller that is in the keyboard should scan the rows of the keyboard randomly, rather than sequentially.


    Howerver, there is a much simpler approach to reading a keyboard in a hard to read fashion: you don't scan! Instead, pressing a key ties the row and column together, and thus pulls the column up and the row down. You read the row and column with comparators, and thus no scanning. We do this on the equipment I help design because since we are measuring radio signals, we cannot be trashing the spectrum up.


    IIRC, one time they did a Tempest survey on a computer that passed with flying colors, not because it didn't emit any signals, but rather because it threw out so much hash you couldn't recover any useful information from it.


    Sounds like the old TRS-80 Model I: plastic case with no sheilding at all. You could pick one of those babies up on an AM radio for a quarter mile!

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.