1992-10-20 - Tempest.

Header Data

From: Eric Hughes <hughes@soda.berkeley.edu>
To: cypherpunks@toad.com
Message Hash: 9e84d4e02ea65ce14fce0d171ef88d618ef9a2c7078fabeaa88d63189c385067
Message ID: <9210201614.AA13762@soda.berkeley.edu>
Reply To: <9210201452.AA01970@soda.berkeley.edu>
UTC Datetime: 1992-10-20 16:15:10 UTC
Raw Date: Tue, 20 Oct 92 09:15:10 PDT

Raw message

From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Tue, 20 Oct 92 09:15:10 PDT
To: cypherpunks@toad.com
Subject: Tempest.
In-Reply-To: <9210201452.AA01970@soda.berkeley.edu>
Message-ID: <9210201614.AA13762@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain



About Tempest.

The ability to monitor is real; it's more powerful than you would first
imagine.

You can get a lot of insight into what is possible by looking at what
is sold as parts for Tempest certification.  There is some trade
publication devoted entirely to such matters; it's called EMI/RFI
News, or Interference Protection News, or something like that.  It's
free to qualified subscribers.  The articles are interesting, but
cannot delve into the really interesting stuff.  But the ads!  Look at
what people are selling, and remember that it is protecting against
something.  Stuff like copper impregnated gasket material, both for
computer cases and for doors (in walls).  Copper braid and cloth.
Conductive glues and caulks.  Special connectors.  Electrical
isolators.  Fiber optics.

(Aside: If you don't know how to be a qualified subscriber, you're no
hacker.  Look closely at the subscription card and then figure out
where the publisher of a free magazine gets its money.)

What is possible?  CRT monitoring.  A Dutch guy named van Eyck
demostrated six years ago or so a CRT monitoring system which he built
out of spare parts.  It consisted of an TV roof antenna, a non-detent
UHF tuner (which you can make yourself by removing the detent plate
from an old TV), and a multi-scanning monitor.  No amplification
beyond what was in the tuner, no sync stabilization, no special
directional antennas or any other tricks.  He was able to reliably
pick up monitor emissions from 100 meters, if I remember correctly.
Fancier equipment knows what your screen sync rate is, uses bandpass
filters, uses better antennas, knows to look for mostly-persistent
frame information, looks for emissions signatures, and is able to read
one CRT out of a hundred at half a mile.  I suspect this is a low
estimate of the ability of modern equipment.

Hal mentions using flat panel displays to combat emissions.  This
works, as evidenced by the continued existence of Grid Computer.
Remember Grid, who came out with these way-expensive gas plasma
laptops around 1985/6?  The reason they sold so many of those and are
still around was that a large number of them were Tempest certified.
(Even larger revenues!)  I understand that the Tempest spec Grids had
a thin layer of gold foil in front of the screen, even so.  Yes, gold
thin enough to see through.

Signal wire monitoring.  Using twisted pair or coax cable, reduces
transmitted energy down to very low levels, improving energy transfer
and reducing monitorability.  But even with zero radiated energy there
is still the near field of the wire which can be inductively tapped.
No conductive contact is necessary.  If you can put a wire next to my
phone line somewhere, you can tap my phone.  It's by nature a high
impedance tap, requring sensitive ampilifiers but at the same time
difficult to find even by a reflectometer.

Without a twisted pair, the situation is worse.  Keyboards for the PC
use a serial protocol at a fixed frequency.  The cables are not
twisted pair.  I haven't heard anything about that specifically, but I
presume that keystrokes can be read extremely easily.

CPU monitoring.  Yes, it's possible.  I've heard that it is possible
to actually run a CPU in parallel with a monitored one.  In order to
do this, you need to correlate signals in real time across a fairly
wide RF spectrum.  Each CPU pin or I/O bus signal occurs in a
different physical location inside the case.  The case is active in
terms of emmission, reflecting signals around like mad.  All these
different physical locations and reflections give rise to phase
differences and interference patterns.  Once you figure out what the
signatures of the various signals are, you can separate them out from
each other by correlation and deconvolution.  George's concern about
emissions through phone lines falls into this category.

Other stuff.  I've heard rumors about using microwave pinging to
determine stuff about electrical equipment.  Or about implanting
passive devices that alter the EM field locally in order to make
monitoring easier.  It's safe to presume that there is some amazing
stuff going on.  Read The Puzzle Palace for more hints.  (Like the
valley in WV which is one big antenna.)

Emissions monitoring is also all economics.  The price to monitor
increases with each more sophisticated attack.  CRT's are easy, CPU's
are hard.  I would like to see public research in this area, just like
there is public research in cryptography.  Until the public has a
better idea of what various attacks cost, there can't be rational
decisions about emissions security.

Eric





Thread