Van Eck phreaking

Van Eck phreaking, also known as Van Eck radiation, is a form of eavesdropping in which special equipment is used to pick up side-band electromagnetic emissions from electronic devices. Because these emissions correlate with the signals or data the device is processing, they can be used to reconstruct that information and so spy on the device. Such side-band emissions are present in (and, with the proper equipment, can be captured from) keyboards, computer displays, printers, and other electronic devices.

In 1985, Wim van Eck published the first unclassified technical analysis of the security risks of emanations from computer monitors. [1] [2] This paper caused some consternation in the security community, which had previously believed that such monitoring was a highly sophisticated attack available only to governments; van Eck successfully eavesdropped on a real system, at a range of hundreds of metres, using just $15 worth of equipment plus a television set.

As a consequence of this research, such emanations are sometimes called "van Eck radiation", and the eavesdropping technique van Eck phreaking. Government researchers were already aware of the danger, as Bell Labs had noted this vulnerability to secure teleprinter communications during World War II and was able to produce 75% of the plaintext being processed in a secure facility from a distance of 80 feet (24 metres). [3] Additionally, the NSA published Tempest Fundamentals, NSA-82-89, NACSIM 5000, National Security Agency (Classified) on February 1, 1982. Also, the van Eck technique was successfully demonstrated to non-TEMPEST personnel in Korea during the Korean War in the 1950s.

Although phreaking properly refers to exploiting telephone networks, the term is used here because of its connection to eavesdropping. Van Eck phreaking of CRT displays is the process of eavesdropping on the contents of a CRT by detecting its electromagnetic emissions.

Basic principle

Information that drives the video display takes the form of high-frequency electrical signals. The oscillation of these electric currents creates electromagnetic radiation in the RF range. These radio emissions are correlated with the video image being displayed, so, in theory, they can be used to recover the displayed image.

CRTs

In a CRT, the image is generated by an electron beam that sweeps back and forth across the screen. The electron beam excites the phosphor coating on the glass and causes it to glow. The strength of the beam determines the brightness of individual pixels (see CRT for a detailed description). The electric signal which drives the electron beam is amplified from TTL levels to around one hundred volts. This high-frequency, high-voltage signal creates electromagnetic radiation that has, according to Van Eck, "a remarkable resemblance to a broadcast TV signal". [2] The signal leaks out from displays and may be captured by an antenna, and once synchronization pulses are recreated and mixed in, an ordinary analog television receiver can display the result. The synchronization pulses can be recreated either through manual adjustment or by processing the signals emitted by the electromagnetic coils as they deflect the CRT's electron beam back and forth. [2]

In the paper, Van Eck reports that in February 1985, a successful test of this concept was carried out with the cooperation of the BBC. Using a van filled with electronic equipment and equipped with a VHF antenna array, they were able to eavesdrop from a "large distance". There is no evidence that the BBC's TV detector vans used this technology, although the BBC will not reveal whether or not they are a hoax. [4]

Van Eck phreaking and protecting a CRT display from it was demonstrated on an episode of Tech TV's The Screen Savers on December 18, 2003. [5] [6]

LCDs

In April 2004, academic research revealed that flat panel and laptop displays are also vulnerable to electromagnetic eavesdropping. The required equipment for espionage was constructed in a university lab for less than US$2000. [7]

Communicating using Van Eck phreaking

In January 2015, the Airhopper project from Georgia Institute of Technology, United States demonstrated (at Ben Gurion University, Israel) the use of Van Eck phreaking as a communication channel: a keylogger on a standard PC manipulated the video signal so that the keys pressed on its keyboard were transmitted to a program running on an Android cellphone that used its earbud cable as a radio antenna. [8] [9] [10]

Tailored access batteries

A tailored access battery is a special laptop battery with Van Eck phreaking electronics and power side-band encryption-cracking electronics built into its casing, in combination with a remote transmitter/receiver. This allows for quick installation and removal of a spying device by simply switching the battery. [11]

Potential risks

Van Eck phreaking might be used to compromise the secrecy of the votes in an election using electronic voting. This caused the Dutch government to ban the use of NewVote computer voting machines manufactured by SDU in the 2006 national elections, under the belief that ballot information might not be kept secret. [12] [13] In a 2009 test of electronic voting systems in Brazil, Van Eck phreaking was used to successfully compromise ballot secrecy as a proof of concept. [14]

Further research

Markus Kuhn has discovered several low-cost techniques for reducing the chances that emanations from computer displays can be monitored remotely. [15] With CRT displays and analog video cables, filtering out high-frequency components from fonts before rendering them on a computer screen attenuates the energy at which text characters are broadcast. With modern flat-panel displays, the high-speed digital serial interface (DVI) cables from the graphics controller are a main source of compromising emanations.

Adding random noise to the least significant bits of pixel values may render the emanations from flat-panel displays unintelligible to eavesdroppers, but it is not a secure method. Because DVI uses a bit-coding scheme that tries to transmit a balanced number of 0 and 1 bits, two pixel colours that differ greatly in colour or intensity may produce little difference on the wire, while the emanations can differ drastically even if only the last bit of a pixel's colour is changed. The signal received by the eavesdropper also depends on the frequency at which the emanations are detected: the signal can be received on many frequencies at once, and the contrast and brightness of each frequency's signal correspond to a particular colour on the screen. Smothering the red signal with noise is usually not effective unless the power of the noise is sufficient to drive the eavesdropper's receiver into saturation, overwhelming the receiver input.
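The filtered-font countermeasure described above, as an added example that is not code from this page or from Kuhn's report: it treats a glyph bitmap as the raster scanline sequence a display emits, low-pass filters it before "rendering", and measures how much energy in the upper part of the pixel-rate spectrum the filter removes. The glyph, the (1, 2, 1) kernel and the quarter-rate band edge are constructed assumptions for the demonstration.

```python
"""Filtered fonts against compromising emanations (pure Python, runs offline)."""
import cmath
import math

# Constructed 8x7 bitmap of the letter "E", with dark margins on every side so
# that row boundaries and line ends are zero (no filter spill across edges).
GLYPH_E = [
    "........",
    ".######.",
    ".#......",
    ".####...",
    ".#......",
    ".######.",
    "........",
]


def rasterize(glyph):
    """Flatten the bitmap into the scanline sequence the display drives (1.0 = lit)."""
    return [1.0 if ch == "#" else 0.0 for row in glyph for ch in row]


def lowpass(signal, taps=(1, 2, 1)):
    """Convolve with a small binomial kernel (zero-padded edges).

    The (1,2,1)/4 kernel has frequency response cos^2(pi*f): it passes DC
    (overall brightness) unchanged and removes the pixel-clock alternation
    entirely, which is the part of a sharp glyph that radiates most strongly.
    """
    norm = float(sum(taps))
    half = len(taps) // 2
    out = []
    for i in range(len(signal)):
        acc = 0.0
        for k, t in enumerate(taps):
            j = i + k - half
            if 0 <= j < len(signal):
                acc += t * signal[j]
        out.append(acc / norm)
    return out


def power_spectrum(signal):
    """|DFT|^2 per bin, computed directly; O(n^2) is fine for one scanline."""
    n = len(signal)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(signal))) ** 2 / n for k in range(n)]


def high_band_energy(signal, lower_fraction=0.25):
    """Energy in bins at or above lower_fraction of the pixel rate (both sides of
    the spectrum), i.e. the band a receiver tuned well above the video bandwidth sees."""
    spec = power_spectrum(signal)
    n = len(spec)
    lo = int(lower_fraction * n)
    return sum(spec[lo:n - lo + 1])


def attenuation_db(glyph):
    """dB by which the filtered glyph's high-band energy is below the sharp glyph's."""
    sharp = rasterize(glyph)
    return 10 * math.log10(high_band_energy(sharp) / high_band_energy(lowpass(sharp)))


if __name__ == "__main__":
    print(f"high-band attenuation for 'E': {attenuation_db(GLYPH_E):.1f} dB")
```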


References

  1. Greenberg, Andy (21 June 2020). "Hacker Lexicon: What Is a Side Channel Attack?". Wired.
  2. Van Eck, Wim (1985). "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" (PDF). Computers & Security. 4 (4): 269–286. CiteSeerX 10.1.1.35.1695. doi:10.1016/0167-4048(85)90046-X.
  3. "A History of U.S. Communications Security (Volumes I and II); David G. Boak Lectures" (PDF). National Security Agency. 1973. p. 90.
  4. Carter, Claire (27 September 2013). "Myth of the TV detector van?". The Daily Telegraph. Retrieved 27 September 2015.
  5. Van Eck Phreaking
  6. The Screen Savers: Dark Tip – Van Eck Phreaking
  7. Kuhn, M.G. (2004). "Electromagnetic Eavesdropping Risks of Flat-Panel Displays" (PDF). 4th Workshop on Privacy Enhancing Technologies: 23–25.
  8. "Air-gapped computers are no longer secure". TechRepublic. January 26, 2015.
  9. Original whitepaper
  10. Airhopper demonstration video, Ben Gurion University
  11. White paper, FDES institute, 1996, page 12.
  12. "Dutch government scraps plans to use voting computers in 35 cities including Amsterdam". Herald Tribune. 30 October 2006.
  13. "Use of SDU voting computers banned during Dutch general elections". Heise. 31 October 2006. Archived 2008-09-23 at the Wayback Machine.
  14. "Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking". Slashdot. November 21, 2009.
  15. Kuhn, Markus G. (December 2003). "Compromising emanations: eavesdropping risks of computer displays" (PDF). Technical Report (577). ISSN 1476-2986. UCAM-CL-TR-577. Retrieved 2010-10-29.