VAN ECK DEVICES

The idea of intercepting the electromagnetic emissions from computer hardware has a long history. It's been known to be possible since the 1960s, and was first discussed publicly in 1967. In the 1970s, the NSA started a program in this field, called Tempest; this led to the framing of the Tempest standards for equipment designed to be resistant to electromagnetic interception. Germany discovered the problems during an exercise with NATO in 1977; the DDR's Minister of Security said something about it in 1984, and, in the same year, the Swedish government introduced regulations on the amount of electromagnetic leakage allowed from computers. Van Eck published his paper about electromagnetic surveillance in 1985.

Every piece of hardware radiates in some way; however, not all emissions are dangerous. The only really serious ones are from places where data is being processed serially; particularly with cached chips, it's very hard to disambiguate the traffic on the processor bus and even harder to do anything with it afterwards. The most dangerous emissions are those from monitors and from lines where data is transmitted serially (RS232, Ethernet …). Also, dangerous emissions have to have structure; there's little to be learned from tapping V- or H-sync signals, though, as you will read later, their presence tells you that there's a monitor around.

All electrical activity generates electromagnetic radiation; the three sorts of information which are easy to intercept are signals coupling to things which act as antennae, surface waves running along the surface of metal objects in the vicinity, and modulations of the power supply.

At this point, a demonstration was performed. Photos are available elsewhere; basically, the setup consisted of a standard PC (the brand name wasn't given, for legal reasons), a large antenna, an elaborate amplifier, and a normal television.
Surface waves were detected with a waveguide-shaped adapter, and power supply modulations were detected by capacitative coupling to the power line using one of the devices used to transmit audio along power lines to monitor a baby sleeping in another room. In all cases, the display on the PC was replicated on the television at a slightly different scale. The distance between the systems was no more than five metres in the on-stage display, though it was claimed that you could get decent results at much greater distances: the antenna method should work at a range of 15 metres, and longer with more sophisticated amplifiers; the surface-current method (where the surface-current adapter was connected around one of the power lines to the computer) can work at 100 m in ideal circumstances; and capacitative coupling only really works at short range. Note that this was a PC which passed all of the EC requirements for emissions; machines around in 1980 were substantially more emissive (you couldn't listen to a long-wave radio whilst a BBC Micro was turned on in the same house, for example).

How It Works

PC monitors and televisions operate on the same principle: you have an electron beam moving back and forth across the screen. Some years ago, PCs and TVs even used the same scanning frequencies, though nowadays PCs tend to display higher resolutions and work at higher refresh rates; this is not an insuperable problem, but tends to mean that the aspect ratio of the display looks rather odd if you're receiving with a normal TV. What's detected is an aggregate of the colours on the screen. Basically, you lock onto the horizontal and vertical sync frequencies transmitted by the monitor, and use these to generate new horizontal and vertical sync pulses for the TV; you feed the signal detected by your antenna to the pixel input of the TV, and feed your separately generated, clean sync pulses in alongside it.

How far away does it work?
Define the range of a van Eck device as the longest distance away from the machine you're monitoring at which the picture on the monitor may be read. In practice, it's found that the picture is readable when the S/N ratio is about 1.3 : 1. Using the standard antenna method with a TV as a detector, the range is about 100 metres; using substantially more sophisticated detectors, the range might be as much as 500 metres. The surface wave method has a lower range, depending on the dielectric coefficient of the surroundings of the pipe down which the data is travelling; in a building with a predominantly wooden structure, you could detect surface waves on heating pipes at a distance of 30 or 40 metres. This is an interesting distance, because it means that you can detect the signal from the adjacent floors in commercial premises. Getting data from the power supply depends very much on details of the construction of the PSU; at the very best, the signal will only be detectable as far as the next transformer in the system. The emissions from a standard PC monitor are anisotropic; they are substantially stronger to the sides of the display than they are in front and behind.

Possible Precautions

Modify your computer; this is impractical for end users, but is done to produce Tempest-compliant systems for the truly paranoid.

Operate your computers in shielded rooms. Shielding rooms is not remotely cheap; you need to line the walls with sheet copper in a way similar to that used to avoid electromagnetic pulses, use special conducting glass in the windows, and use airlock-style doors with a conducting rubber gasket round the outside, and even then you have to take great care over the design of your power supply.

Probably the easiest method is to use a jamming strategy: work out what wavelengths your computer emits on and then put a small transmitter, broadcasting random noise on those wavelengths, next to the computer.

At this point the talk dissolved.
The workshop afterwards was distinctly more interesting; some very, very strange things were mentioned.

The Workshop

According to my notes, the workshop consisted of a large number of disconnected discussions. I'll enumerate some of them below:

* The existence of a device for firing very small diodes through the ventilation slots in the back of a PC, so that it has a very specific spectral response were you to bounce a signal off it, so that the PC can thereafter be easily tracked.

* Using the heating system as a convenient source of antennae for signals to couple to, particularly when the people you want to monitor are in the same building but a different floor.

* The existence of a device, designed for use by FBI field officers, which clamps onto a pipe and takes advantage of the fact that the ground signal is usually connected to the pipes. This was in the pre-PC era, so the machine was used to distinguish between the signals produced by the action of different letters on electric typewriters.

* The VMS database management system 'PROMISE', which apparently used Walsh wavelets (whatever they are) to provide a convenient way to modulate the signals on the system bus to transmit the entire contents of the database to a suitably-equipped listener elsewhere. There are those who claim that the company producing the software was purchased by the NSA, and continued producing the software …

* The fact that even laptops are vulnerable to TEMPEST attacks, since they tend to have scanned displays and to have video output ports at the back. The solution to this is to transmit the signals to the display using a low-amplitude system and to amplify them in the display itself.

* A secure laptop manufactured by 'GRID', which had bubble memory and a plasma display. It was costly and heavy; its main customers were intelligence agencies. Certain models had a DES chip, identified by an 'X' etched in the case.
If you find one of these, buy it; they were supposed to be decommissioned before disposal, by a process involving smashing the display and shooting through the case at the point marked with the 'X'.

* That detecting the presence of monitors is fairly straightforward using a spectrum analyser; the horizontal-sync pulse can be found by Fourier analysis, since it is a fairly strong high-frequency signal. The vertical-sync pulse is rather harder to find, but you can use a phase-locked loop to do this. Once you've detected the H- and V-sync pulses, you can subtract them from the received data and insert better-quality new ones.

* That it's probably possible to monitor several monitors at once, or to monitor a single specified one, by using a few very precise notch filters, or a comb filter, and looking for the sub-percent differences in the V- and H-sync frequencies. It's not quite clear how much more stable the frequencies are than their accuracy.

* The idea of handling the data digitally, by using a standard heterodyne circuit to remove the FM carrier waves; I don't quite see what they're talking about here, since the bandwidth of even a VGA signal is fairly substantial. Once the data is in the digital domain, handle it with DSPs; fast DSPs are expensive, but obtainable. http://DSPnews.com is a relevant site here.

* What you really want is the data on the CRT, not the display. In most business-type applications, the image on the CRT is constant over a large number of refreshes, so you can capture it a bit at a time into a large block of video RAM and then handle it with cheaper DSPs. Using not much more video RAM than an elaborate graphics card, you could produce fairly good reconstructions of the images from a dozen CRTs.
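The sync-locking described under How It Works, and the workshop points above about finding the H-sync by Fourier analysis and accumulating a steady image over many refreshes, as an added Python simulation that is not part of the original notes. It builds a constructed noisy emission stream from a small bitmap, recovers the line period by autocorrelation, locks onto the sync bursts and averages every refresh into one image; the screen, the sync-burst shape and the noise level are assumptions, with the noise set near the 1.3:1 per-sample S/N the notes quote as the readability limit.

```python
import random

# Constructed 6x10 "screen" (1 = lit pixel); every row has a lit pixel so
# the all-dark vertical-blanking line can be told apart from content.
SCREEN = [
    [1, 1, 1, 1, 0, 0, 1, 1, 1, 0],
    [1, 0, 0, 0, 0, 0, 1, 0, 0, 1],
    [1, 1, 1, 0, 0, 0, 1, 1, 1, 0],
    [1, 0, 0, 0, 0, 0, 1, 0, 1, 0],
    [1, 0, 0, 0, 0, 0, 1, 0, 0, 1],
    [0, 0, 0, 1, 0, 1, 0, 0, 0, 0],
]
SYNC_LEN, SYNC_LEVEL = 3, 4.0  # assumed H-sync burst: 3 samples at 4x pixel level

def make_emission(screen, frames, noise_sd, seed=7):
    """Constructed stand-in for the antenna signal: per refresh, one blank line
    then each screen row, every line led by a sync burst, plus Gaussian noise."""
    rng = random.Random(seed)
    stream = []
    for _ in range(frames):
        for row in [[0] * len(screen[0])] + screen:
            for v in [SYNC_LEVEL] * SYNC_LEN + [float(p) for p in row]:
                stream.append(v + rng.gauss(0.0, noise_sd))
    return stream

def line_period(stream, min_lag, max_lag):
    """Recover the H-sync period as the lag of peak autocorrelation (the
    'find the H-sync by Fourier analysis' step, done in the time domain)."""
    n = len(stream)
    def score(lag):
        return sum(stream[i] * stream[i + lag] for i in range(n - lag)) / (n - lag)
    return max(range(min_lag, max_lag + 1), key=score)

def reconstruct(stream, period, rows):
    """Lock onto the sync bursts, fold the stream into lines, average each row
    over every refresh (the 'capture it a bit at a time' idea) and threshold."""
    col = [0.0] * period                  # column sums modulo the line period
    for i, v in enumerate(stream):
        col[i % period] += v
    phase = max(range(period), key=lambda p: sum(col[(p + k) % period] for k in range(SYNC_LEN)))
    usable = stream[phase:]               # now every line starts on its sync burst
    lines = [usable[i:i + period] for i in range(0, len(usable) - period + 1, period)]
    frame = rows + 1                      # lines per refresh, including blanking
    slot = [0.0] * frame
    for j, ln in enumerate(lines):
        slot[j % frame] += sum(ln[SYNC_LEN:])
    vblank = min(range(frame), key=lambda s: slot[s])   # darkest slot is V-blanking
    acc = [[0.0] * (period - SYNC_LEN) for _ in range(rows)]
    cnt = [0] * rows
    for j, ln in enumerate(lines):
        r = (j - vblank - 1) % frame      # row index relative to the blanking line
        if r < rows:
            cnt[r] += 1
            acc[r] = [a + v for a, v in zip(acc[r], ln[SYNC_LEN:])]
    return [[1 if v / cnt[r] > 0.5 else 0 for v in acc[r]] for r in range(rows)]
```

Calling `make_emission(SCREEN, 80, 0.75)` and starting the capture part-way through a line still yields a period of 13 and the original bitmap; with a single refresh instead of 80 the per-pixel noise is too large to threshold, which is the point of the video-RAM accumulation.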
Locating sources; elaborate antennae

* If you've got access to multiple antennae, you can use well-known interferometric techniques from radio astronomy to get very precise location data; you're talking about picking out a single monitor in an office knowing only its precise V-sync and H-sync frequencies.

* If you're wanting to work from a substantial distance, use a large array of antennae and correct by computer for the phase differences in the incoming signal (since you know where the monitor is by the techniques above). You can do this with independent antennae if you're very clever, but you need enormously accurate timebases. Apparently there are interesting techniques involving optical holography to reconstruct signals without ridiculous computing requirements.

Tapping networks

* Using twisted-pair cable removes dipole but not quadrupole radiation - but quadrupole radiation has an intensity which drops off as r^-4, which makes it impractical to detect at any great distance. To get a good signal, stick a conducting wire between the pair and let it stick out both sides (coupling to the magnetic field between the wires). Alternatively, wrap a one-turn transformer around the wire.

* For coax Ethernet, there was an interesting tap resembling a credit card with a keyhole-shaped hole, the straight sides of the keyhole being made of two razorblades. You slide it onto the cable in some inconspicuous place, and it cuts through some parts of the shielding and broadcasts the information on the wire.

* Transparent power consumption monitoring - use ground-fault indicators (take 10 turns of wire around cable 1, the same on the other cable in the opposite direction, and measure the voltage). The windings are the sensors required for sampling; insert something inside the cases.

Workshop notes on protecting systems

* The NSA is claimed to have TEMPEST-enabled buildings, with copper-tinted windows.
* It's fairly hard to make a TEMPEST-enabled room; to provide a conductive shell, you need substantial quantities of copper sheeting (and 16-gauge copper sheeting is $90 per square metre); the sheets then need to be soldered together at the edges.

* Alternatively, you could use TEMPEST wallpaper, which is a fabric with many short copper fibres embedded; these act as a series of small electrodes, and produce a 45 dB attenuation at all frequencies.

* For a cheaper solution, use Styrofoam blocks clad on both sides with aluminium foil.

* Remember that rooms have six sides, not four; you also have to shield the roof and the floor.

* You really want a solid conductive shell. This makes it quite hard to run services in; water pipes are out, for example. Windows are hard to protect, so the simplest solution is not to have any; since the room is hermetically sealed, you may well need ancillary bottled oxygen.

* The most elegant way of getting power into the room is probably to use a motor-generator unit like those used to provide stable power to IBM mainframes; run the shaft through the wall using a few conducting gaskets.

* It's probably easiest to forget about networking and revert to sneakernet; if you really want to use Ethernet, either bring it in via a convoluted channel, or use fibre-optics.

* Doors can be protected by putting metal plates on them and using conductive gaskets to seal them; there is a magazine called 'Electronic Compliance' in which such things as conductive gaskets are advertised.