Active Countermeasures Against Tempest Attacks

Arnold G. Reinhold reinhold at world.std.com
Mon Mar 10 09:14:59 EST 2003


At 9:35 PM -0500 3/8/03, Dave Emery wrote:
>On Fri, Mar 07, 2003 at 10:46:06PM -0800, Bill Frantz wrote:
>>
>>  The next more complex version sends the same random screen over and over in
>>  sync with the monitor.  Even more complex versions change the random screen
>>  every-so-often to try to frustrate recovering the differences between
>>  screens of data on the monitor.
>>
>
>	Five or six years ago I floated the suggestion that one could do
>worse than phase lock all the video dot clock oscillators in a computer
>room or office to the same master timing source. This would make it
>significantly harder to recover one specific monitor's image by
>averaging techniques as the interference from nearby monitors would have
>exactly the same timing and would not average out as it does in the more
>typical case where each monitor is driven from a video board with a
>slightly different frequency dot clock (due to aging and manufacturing
>tolerances).

The dot clock on a megapixel display is around 70 MHz, or 14 
nanoseconds per pixel. Syncing that over some distance is not 
trivial. Remember the speed of light is 1 nanosecond/foot. On the 
other hand, I think syncing the sweep signals would be enough to 
implement your idea and that should not be hard to do, possibly even 
in software since they are created on the video card.

Effectiveness is another matter. The attacker could use a directional 
antenna to separate out monitors. Even if his equipment was outside 
the building, the windows would act like an antenna whose radiation 
pattern would be different for the different monitors in the room. 
The attacker might be able to discriminate between different monitors 
just by driving his van around outside.

Even if he can't distinguish between different monitors, he still 
gets a signal that is the sum of the content on each monitor.  That 
is analogous to a book code and likely just as secure, i.e. not very.

>	Modifying existing video boards to support such master timing
>references is possible, but not completely trivial - but would cost
>manufacturers very little if it was designed in in the first place.

Modifying existing monitors to shield the video signal wouldn't cost 
that much either. As I understand it the big expense in Tempest rated 
equipment is the testing and the tight manufacturing control needed 
to insure that the monitors produced are the same as the ones tested.

>	And of course one could "improve" the shielding on the monitor
>with the dummy unimportant data so it radiated 10 or 20 dB more energy
>than the sensitive information monitor next to it.   In many cases this
>might involve little more than scraping off some conductive paint or
>removing the ground on a cable shield.

Simply buying some class A monitors for the dummy data might do what 
you want, but I'm not sure 10-20 dB of reduced signal to background 
buys you much.  I've heard numbers of 100 dB or more required for 
effective Tempest shielding, with Class B shielding (the higher grade 
FCC requirement) buying you 40-50 dB. See for example 
http://www.cabrac.com/RFI_EMI_Tempest.html

>
>	I am sure that it would take little effort with a spectrum
>analyzer and some hand tools to defeat most of the EMI suppression
>in many monitors and whilst this would not be entirely legal under
>FCC rules (at least for a manufacturer or dealer) it probably would
>be closer to legal than deliberately creating rf interference
>with an intentionally radiating jammer.
>
>	I imagine, however, that the usefulness of the RF radiated by a
>modern TFT flat panel display fed with DVI digital video is already much
>less as there is no serial stream of analog pixel by pixel video energy
>at any point in such an environment.  Most TFTs do one entire row or
>column of the display at a time in parallel which does not yield an
>easily separated stream of individual pixel energy.   Thus extracting
>anything resembling an image would seem very difficult.

The signal is still serialized in digital form at some point on a 
pixel by pixel basis.  Because flat panels do not have the high-power 
sweep signals of CRT monitors, the overall shielding needed to meet 
Class B may be less.  That might make life easier for attackers.

This does suggest one simple approach that might be useful for flat 
panels displaying sensitive text: choose foreground and background 
colors that have the same number of on and off bits in each color 
byte pair, e.g. foreground red and background red each have three 
bits on, both blues have four bits on, both greens have five bits on. 
That might make background and foreground more difficult to 
distinguish via RF radiation in an all digital system.

>
>	So perhaps the era of the simplest to exploit TEMPEST threats
>is ending as both optical and rf TEMPEST is much easier with raster
>scan pixel at a time CRT displays than it is with modern more parallel
>flat panel display designs.
>

On the other hand, remember that the earliest Tempest systems were 
built using vacuum tubes. An attacker today can carry vast amounts of 
signal processing power in a briefcase.

All in all I would not put much faith in ad hoc Tempest protection. 
Without access to the secret specifications and test procedures, I 
would prefer to see highly critical operations done using battery 
powered laptops operating in a Faraday cage, with no wires crossing 
the boundary (no power, no phone, no Ethernet, nada).  In that 
situation, one can calculate shielding effectiveness from first 
principles. 
http://www.cs.nps.navy.mil/curricula/tracks/security/AISGuide/navch16.txt 
suggests US government requirements for a shielded enclosure are 60 
dB minimum.

Arnold Reinhold
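The phase-locking argument earlier in the thread (a neighbouring monitor on the same clock no longer averages out, whereas one on a slightly different clock does) can be checked numerically. The following is an added toy model, not code from anyone in the thread: one constructed 64-pixel scan line carries a bar pattern standing in for text, a second constructed zero-mean line stands in for a neighbouring monitor's emission, and a receiver sums 64 frames. `drift_per_frame` is a made-up parameter: 0 models dot clocks locked to a common reference, 1 models a neighbour whose raster slips one pixel per frame because its clock differs slightly.

```python
import math

PIXELS = 64   # constructed toy raster: one scan line of 64 pixels
FRAMES = 64   # number of frames the averaging receiver accumulates

def target_line():
    """Constructed 'sensitive' line: 4-pixel-wide bars, like text strokes."""
    return [1.0 if (p // 4) % 2 == 0 else 0.0 for p in range(PIXELS)]

def interferer_line(shift):
    """Constructed zero-mean emission from a neighbouring monitor, offset by
    `shift` pixels relative to the target's raster (three cycles per line)."""
    return [math.sin(2 * math.pi * 3 * (p + shift) / PIXELS) for p in range(PIXELS)]

def averaged_capture(drift_per_frame):
    """Average of (target + interferer) over FRAMES frames.
    drift_per_frame = 0: both monitors phase-locked to one master clock.
    drift_per_frame = 1: the neighbour's raster slips one pixel every frame."""
    acc = [0.0] * PIXELS
    t = target_line()
    for k in range(FRAMES):
        i = interferer_line(k * drift_per_frame)
        for p in range(PIXELS):
            acc[p] += t[p] + i[p]
    return [a / FRAMES for a in acc]

def residual_interference_rms(drift_per_frame):
    """RMS of what is left in the average once the true target is subtracted,
    i.e. how much of the neighbour survives the averaging."""
    avg = averaged_capture(drift_per_frame)
    t = target_line()
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(avg, t)) / PIXELS)

if __name__ == "__main__":
    print("locked clocks, residual RMS :", round(residual_interference_rms(0), 4))
    print("drifting clock, residual RMS:", round(residual_interference_rms(1), 4))
```

With locked clocks the neighbour's contribution is identical in every frame and survives averaging at full strength (RMS about 0.707 for a unit sine); with a drifting clock it cycles through every phase and cancels to numerical noise. The model says nothing about how much real monitors radiate or whether a directional antenna could separate them, which is the objection raised in the reply.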

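The colour-choice suggestion (foreground and background bytes with the same number of 1 bits per channel) is easy to turn into a search. The code below is an added example, not part of the original post: it enumerates, for a given foreground, every background whose red, green and blue bytes each match the foreground's per-channel Hamming weight, then ranks the survivors by the WCAG relative-luminance contrast ratio so the text remains legible. The sample foreground `(7, 31, 15)` is constructed to match the post's example weights (red 3 bits, green 5 bits, blue 4 bits); the helper names are mine.

```python
from itertools import product

def popcount(byte):
    """Number of 1 bits in one 8-bit colour channel."""
    return bin(byte & 0xFF).count("1")

def same_weight_per_channel(fg, bg):
    """True if each channel byte of fg and bg carries the same number of 1 bits."""
    return all(popcount(a) == popcount(b) for a, b in zip(fg, bg))

def _linear(c):
    """sRGB 8-bit channel value -> linear light, per the WCAG 2 definition."""
    c = c / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4

def relative_luminance(rgb):
    r, g, b = (_linear(c) for c in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b

def contrast_ratio(fg, bg):
    """WCAG contrast ratio, 1.0 (identical) to 21.0 (black on white)."""
    hi, lo = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

def candidates_for(fg, min_contrast=4.5):
    """Backgrounds with matching per-channel weight and contrast >= min_contrast,
    best contrast first. Searching per channel keeps the space small: only
    bytes with the right weight are considered (at most C(8,4) = 70 each)."""
    per_channel = [[v for v in range(256) if popcount(v) == popcount(c)] for c in fg]
    lin = [_linear(v) for v in range(256)]      # cache the transfer curve
    fg_lum = relative_luminance(fg)
    out = []
    for r, g, b in product(*per_channel):
        bg_lum = 0.2126 * lin[r] + 0.7152 * lin[g] + 0.0722 * lin[b]
        hi, lo = max(fg_lum, bg_lum), min(fg_lum, bg_lum)
        cr = (hi + 0.05) / (lo + 0.05)
        if cr >= min_contrast:
            out.append((round(cr, 2), (r, g, b)))
    out.sort(reverse=True)
    return out

if __name__ == "__main__":
    fg = (7, 31, 15)   # constructed: weights 3, 5, 4 as in the post's example
    best = candidates_for(fg)[:5]
    for cr, bg in best:
        print(f"fg={fg} bg={bg} weights={[popcount(c) for c in bg]} contrast={cr}")
```

For the constructed foreground the best background is `(224, 248, 240)`, i.e. the brightest bytes with three, five and four bits set, at a contrast of about 15.5. Two caveats a practitioner would note: equal Hamming weight only equalises a crude static count, and the bits on a DVI/TMDS link are transition-minimised encoded before they leave the graphics card, so whether this measurably reduces the foreground/background difference in the emitted signal is exactly as uncertain as the post's "might" says; it is a cheap tweak, not a substitute for shielding.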
---------------------------------------------------------------------
The Cryptography Mailing List