Active Countermeasures Against Tempest Attacks
Arnold G. Reinhold
reinhold at world.std.com
Mon Mar 10 09:14:59 EST 2003
At 9:35 PM -0500 3/8/03, Dave Emery wrote:
>On Fri, Mar 07, 2003 at 10:46:06PM -0800, Bill Frantz wrote:
>>
>> The next more complex version sends the same random screen over and over in
>> sync with the monitor. Even more complex versions change the random screen
>> every-so-often to try to frustrate recovering the differences between
>> screens of data on the monitor.
>>
>
> Five or six years ago I floated the suggestion that one could do
>worse than phase lock all the video dot clock oscillators in a computer
>room or office to the same master timing source. This would make it
>significantly harder to recover one specific monitor's image by
>averaging techniques as the interference from nearby monitors would have
>exactly the same timing and would not average out as it does in the more
>typical case where each monitor is driven from a video board with a
>slightly different frequency dot clock (due to aging and manufacturing
>tolerances).
The dot clock on a megapixel display is around 70 MHz, or 14
nanoseconds per pixel. Syncing that over some distance is not
trivial. Remember the speed of light is 1 nanosecond/foot. On the
other hand, I think syncing the sweep signals would be enough to
implement your idea and that should not be hard to do, possibly even
in software since they are created on the video card.
Effectiveness is another matter. The attacker could use a directional
antenna to separate out monitors. Even if his equipment was outside
the building, the windows would act like an antenna whose radiation
pattern would be different for the different monitors in the room.
The attacker might be able to discriminate between different monitors
just by driving his van around outside.
Even if he can't distinguish between different monitors, he still
gets a signal that is the sum of the content on each monitor. That
is analogous to a book code and likely just as secure, i.e. not very.
> Modifying existing video boards to support such master timing
>references is possible, but not completely trivial - but would cost
>manufacturers very little if it was designed in in the first place.
Modifying existing monitors to shield the video signal wouldn't cost
that much either. As I understand it the big expense in Tempest rated
equipment is the testing and the tight manufacturing control needed
to ensure that the monitors produced are the same as the ones tested.
> And of course one could "improve" the shielding on the monitor
>with the dummy unimportant data so it radiated 10 or 20 db more energy
>than the sensitive information monitor next to it. In many cases this
>might involve little more than scraping off some conductive paint or
>removing the ground on a cable shield.
Simply buying some class A monitors for the dummy data might do what
you want, but I'm not sure 10-20 dB of reduced signal to background
buys you much. I've heard numbers of 100 dB or more required for
effective Tempest shielding, with Class B shielding (the higher grade
FCC requirement) buying you 40-50 dB. See for example
http://www.cabrac.com/RFI_EMI_Tempest.html
>
> I am sure that it would take little effort with a spectrum
>analyzer and some hand tools to defeat most of the EMI suppression
>in many monitors and whilst this would not be entirely legal under
>FCC rules (at least for a manufacturer or dealer) it probably would
>be closer to legal than deliberately creating rf interference
>with an intentionally radiating jammer.
>
> I imagine, however, that the usefulness of the RF radiated by a
>modern TFT flat panel display fed with DVI digital video is already much
>less as there is no serial stream of analog pixel by pixel video energy
>at any point in such an environment. Most TFTs do one entire row or
>column of the display at a time in parallel which does not yield an
>easily separated stream of individual pixel energy. Thus extracting
>anything resembling an image would seem very difficult.
The signal is still serialized in digital form at some point on a
pixel by pixel basis. Because flat panels do not have the high-power
sweep signals of CRT monitors, the overall shielding needed to meet
Class B may be less. That might make life easier for attackers.
This does suggest one simple approach that might be useful for flat
panels displaying sensitive text: choose foreground and background
colors that have the same number of on and off bits in each color
byte pair, e.g. foreground red and background red each have three
bits on, both blues have four bits on, both greens have five bits on.
That might make background and foreground more difficult to
distinguish via RF radiation in an all digital system.
>
> So perhaps the era of the simplest to exploit TEMPEST threats
>is ending as both optical and rf TEMPEST is much easier with raster
>scan pixel at a time CRT displays than it is with modern more parallel
>flat panel display designs.
>
On the other hand, remember that the earliest Tempest systems were
built using vacuum tubes. An attacker today can carry vast amounts of
signal processing power in a briefcase.
All in all I would not put much faith in ad hoc Tempest protection.
Without access to the secret specifications and test procedures, I
would prefer to see highly critical operations done using battery
powered laptops operating in a Faraday cage, with no wires crossing
the boundary (no power, no phone, no Ethernet, nada). In that
situation, one can calculate shielding effectiveness from first
principles.
http://www.cs.nps.navy.mil/curricula/tracks/security/AISGuide/navch16.txt
suggests US government requirements for a shielded enclosure are 60
dB minimum.
Arnold Reinhold