Active Countermeasures Against Tempest Attacks
Arnold G. Reinhold
reinhold at world.std.com
Sun Mar 9 00:14:45 EST 2003
At 10:46 PM -0800 3/7/03, Bill Frantz wrote:
>It has occurred to me that the cheapest form of protection from tempest
>attacks might be an active transmitter that swamps the signal from the
>computer. Such a transmitter would still be legal if its power output is
>kept within the FCC part 15 rules.
>
>Take, for example, the signal from a CRT monitor. The monitor signal
>consists of large signals which are the vertical and horizontal sync
>pulses, and smaller signals which are the levels of each of the phosphor
>guns.
>
>The simplest countermeasure would be random RF noise which is many orders
>of magnitude stronger than the signal from the monitor. However, with this
>system, the attacker can average many fields from the monitor and perhaps
>still recover the signal because any given pixel is the same, while the
>noise is random. (Or at least the pixels change slowly compared with the
>fields, giving lots of data to average.)
>
>The next more complex version sends the same random screen over and over in
>sync with the monitor. Even more complex versions change the random screen
>every-so-often to try to frustrate recovering the differences between
>screens of data on the monitor.
>
>Can such a device be built and still stay within the Part 15 rules?
>
>Cheers - Bill
>

Part 15 is pretty complex, but reading a summary at
http://www.arrl.org/tis/info/part15.html suggests a number of
problems. First there are dozens of bands where intentional radiators
are not permitted to operate (15.205). Designing a noise source that
avoided all these bands might be difficult.

Second, the permitted signal levels associated with intentional
radiators (15.209) are very similar to those permitted for
unintentional radiators (15.109), including most consumer grade CRT
monitors (Class B). Commercial monitors (Class A) are permitted
higher levels of radiation, but I suspect most monitors made today
are Class B.

Now the radiation from a monitor is mostly sweep signals and the
like, which carry no information. The signals that drive the CRT guns
are much weaker. But I suspect you will need the noise to be much
more powerful to obliterate the signal carrying data. The situation
is even worse if the attacker suspects what the data may contain. He
can then use correlation techniques to find the data well below the
noise level.

I'd also point out that the noise source has to be co-located with
the data signal. Otherwise, the attacker can use a directional
antenna to capture the noise signal without the data signal, allowing
it to be subtracted from the data+noise signal. Similarly, it will
be vital to change the noise pattern whenever the content of the CRT
changes, otherwise the attacker who had reason to suspect when the
screen changed can subtract data1+noise from data2+noise to get
data2-data1, which is likely to leak a lot of information.

I suspect it would be cheaper to shield the CRT or operate in a Faraday cage.

Arnold Reinhold
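
An added simulation, not part of either poster's message, of two points made in this thread: averaging many fields defeats fresh random noise, and replaying one noise pattern across a screen change leaks data2-data1 while a new pattern per screen does not. The pixel levels, noise strength, field count and all function names are constructed assumptions for illustration.

```python
import random

def screen(rng, n):
    # Constructed "screen": one emitted level (+1 or -1) per pixel.
    return [rng.choice((-1.0, 1.0)) for _ in range(n)]

def noise(rng, n, sigma):
    return [rng.gauss(0.0, sigma) for _ in range(n)]

def add(a, b):
    return [x + y for x, y in zip(a, b)]

def sub(a, b):
    return [x - y for x, y in zip(a, b)]

def corr(a, b):
    # Pearson correlation: near 0 means nothing recovered, near 1 means recovered.
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5

def averaged(data, fields, sigma, rng, mask=None):
    # Average `fields` received fields of data + noise. With mask=None each
    # field gets fresh noise; otherwise the same mask is replayed every field.
    acc = [0.0] * len(data)
    for _ in range(fields):
        m = mask if mask is not None else noise(rng, len(data), sigma)
        acc = add(acc, add(data, m))
    return [a / fields for a in acc]

def demo(seed=1, n=2000, sigma=10.0, fields=400):
    rng = random.Random(seed)
    d1, d2 = screen(rng, n), screen(rng, n)   # screen before / after a change
    mask, mask2 = noise(rng, n, sigma), noise(rng, n, sigma)
    truth = sub(d2, d1)
    return {
        "random_1": corr(averaged(d1, 1, sigma, rng), d1),
        "random_avg": corr(averaged(d1, fields, sigma, rng), d1),
        "fixed_avg": corr(averaged(d1, fields, sigma, rng, mask), d1),
        "diff_same_mask": corr(sub(add(d2, mask), add(d1, mask)), truth),
        "diff_new_mask": corr(sub(add(d2, mask2), add(d1, mask)), truth),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value:+.3f}")
```

A replayed mask resists averaging (`fixed_avg` stays low) but cancels exactly when two captures that share it are subtracted, which is why the pattern has to change with the screen content.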
---------------------------------------------------------------------
The Cryptography Mailing List