Van Eck phreaking
Van Eck phreaking is an electronic espionage technique in which a device's unintentional electromagnetic emissions are intercepted. It therefore belongs to the class of side-channel attacks.
How it works
All electrical devices, especially computer screens, tube (CRT) monitors and unshielded data lines, emit electromagnetic waves. This so-called compromising radiation can be picked up with suitable receivers, even over long distances (up to 100 m), in order to eavesdrop on the data traffic. In particular, an attacker can reconstruct the video signal, or tap the information being processed via the unwanted emissions of signal lines.
In addition to this radiation, there are also compromising line-conducted disturbances, such as fluctuations in power consumption.
In its IT-Grundschutz catalogues, the BSI recommends the use of protected computers (Zone 1 of the zone model) for sensitive areas.
History
The term goes back to a paper by the Dutch scientist Wim van Eck, who first described the technique in 1985 and also warned of its consequences. A secret NSA research program called Tempest has long dealt with this technique. In 1996 it was successfully demonstrated at DefCon IV, a conference of the hacker community. According to the US government, TEMPEST is not an acronym, but numerous backronyms can be found (e.g. Temporary Emanation and Spurious Transmission).
Protection options
- Cryptography is ineffective as a protective measure: what is intercepted is not an encrypted data stream in a network but the electromagnetic emissions of a computer screen, on which the data is necessarily displayed unencrypted for the user. Cryptography does not come into play at this level.
- An effective but costly protective measure is to shield the entire work area (on the Faraday cage principle), which effectively blocks electromagnetic waves; the windows of the work area can be fitted with, e.g., transparent metal film coatings.
- At the device level, shielding concentrates on the radiating components such as the graphics card, cables and monitors. For this purpose, the computer housing is made RF-tight and cables with foil and braided shielding are used.
- Low-radiation or radiation-protected devices can make Van Eck phreaking more difficult. However, low radiation must not be judged by the guidelines that apply to the award of quality seals such as MPR II or TCO. The specifications behind these seals set limit values to avoid harmful radiation from computer screens; protection against compromising radiation is not part of these seals.
- For the military-related area, the BSI has developed the zone model with three essential zones, implementing the NATO approval levels in a German model (the standards were renamed at the end of 2006; the old NATO standards are given in brackets):
  - Zone 0 - NATO SDIP 27 Level A (AMSG 720B): location without special requirements
  - Zone 1 - NATO SDIP 27 Level B (AMSG 788): the place of use must be slightly protected (equivalent to 20 m free space attenuation)
  - Zone 2 - NATO SDIP 27 Level C (AMSG 784): the place of use must be considerably protected (equivalent to 100 m free space attenuation)
- The main distinction between the zones (with the exception of Zone 0) lies in limiting the permitted radiation to certain strengths at certain bandwidths. The exact limit values of the standards are classified as confidential. Zone 0 devices are additionally examined with a correlator for information-carrying radiation peaks, and these are eliminated.
For compliance with the standards, the BSI can, on request, name an approved testing company, which subjects the relevant hardware to the necessary tests and, if desired, also modifies it accordingly. Measurements according to NATO standards are also possible for the civilian, commercial sector. The BSI currently has a testing company active in this market.
- Low-pass filters can also be an effective protective measure for analogue-driven displays, but they sometimes come with a significant loss of detail. Text on the screen in particular, which consists predominantly of high-frequency components, becomes hard for an eavesdropper to identify once a low-pass filter is applied. For the user at the workplace, however, the disadvantage is that the low-pass filter makes text in particular appear blurred, which is hard on the eyes. This method is therefore not suitable for constant use in the workplace. It also protects only the video signal from compromising radiation.
- An easy-to-implement protection for analogue display devices is provided by TEMPEST-proof fonts, in which the contour area of each character has suitably adapted colour gradients. The visible result resembles two-dimensional low-pass filtering and makes the text appear blurred in some cases. However, this protection no longer holds for digitally driven displays, since the re-digitized pixel data can also generate the signal there. DVI-D driven displays use a different signal transmission (bit coding), which generates bit patterns for every colour, including black and white. As a result, these fonts can actually make things worse if the colours used in the gradients have a bit pattern that, in the spectrum being monitored, differs greatly from the bit pattern of the background colour. Brightness and hue allow no conclusions to be drawn about the bit coding.
- Line filters and harmonic filters help against compromising conducted (line-bound) interference.
- Jammers are a further protection option. Jammers are designed to emit on a frequency (or frequency spectrum) that corresponds to that of the monitor, but with a much higher amplitude. Since the Telecommunications Act restricts the permitted transmission power, jammers may only be operated to a limited extent, which leaves leeway for eavesdroppers, who can try to filter out or compute the desired signal. In this case it makes sense to correlate the jammer with the frequencies emitted by the monitor. This is done by simultaneously feeding the RGB signals that drive the monitor to the jammer and modulating it with them. Alternatively, the jammer can be modulated with a noise signal so that a broadband interference spectrum is created.
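The list item on DVI-D controlled displays states that brightness says nothing about the bit coding. The following added example (not part of the original article) makes that concrete. It assumes the DVI-D bit coding is TMDS as defined in the DVI 1.0 specification, encodes one colour channel at running disparity 0, and uses the number of differing code bits as a crude stand-in for how different two colours look in the emitted signal; the function names are chosen for this example.

```python
def tmds_encode(d, cnt=0):
    """Encode one 8-bit colour value with TMDS (assumed to be the DVI-D
    bit coding, per DVI 1.0). Returns (10-bit code, new running disparity)."""
    bits = [(d >> i) & 1 for i in range(8)]
    ones = sum(bits)
    # Stage 1: chain the bits with XOR or XNOR, whichever gives fewer transitions.
    xnor = ones > 4 or (ones == 4 and bits[0] == 0)
    q = [bits[0]]
    for i in range(1, 8):
        q.append(q[i - 1] ^ bits[i] ^ int(xnor))
    q8 = 0 if xnor else 1
    n1 = sum(q)
    n0 = 8 - n1
    # Stage 2: invert the data bits when that keeps the serial line DC-balanced.
    if cnt == 0 or n1 == n0:
        invert = q8 == 0
        cnt += (n0 - n1) if invert else (n1 - n0)
    elif (cnt > 0 and n1 > n0) or (cnt < 0 and n0 > n1):
        invert = True
        cnt += 2 * q8 + (n0 - n1)
    else:
        invert = False
        cnt += (n1 - n0) - 2 * (1 - q8)
    data = [b ^ 1 for b in q] if invert else q
    code = sum(b << i for i, b in enumerate(data)) | (q8 << 8) | (int(invert) << 9)
    return code, cnt


def code_distance(a, b):
    """Number of differing bits between the codes of two colour values
    (simplification: both are encoded at running disparity 0)."""
    return bin(tmds_encode(a)[0] ^ tmds_encode(b)[0]).count("1")


def gradient_report(background, levels):
    """For each gradient level: (level, brightness difference, code distance)."""
    return [(lv, abs(lv - background), code_distance(lv, background))
            for lv in levels]


if __name__ == "__main__":
    # Constructed sample: black background, three grey levels of one channel.
    for lv, dv, dist in gradient_report(0x00, [0x01, 0x80, 0xFF]):
        print(f"level 0x{lv:02X}: brightness diff {dv:3d}, code bits differing {dist}")
```

On a black background, the nearly black level 0x01 differs from the background in 8 of 10 code bits, while full white differs in only 2, so a font gradient has to be checked against the bit coding rather than against visible contrast.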
Dissemination in the media
- Van Eck phreaking has repeatedly been the subject of espionage thrillers; a prominent example is the novel Cryptonomicon by Neal Stephenson.
- In the documentary Secret Matter D, the topic is covered for about two minutes in the context of espionage.
- Various Heise-Verlag magazines, mainly the computer and technology magazine c't, have taken up the topic several times.
- In 2006, Der Spiegel reported on a wiretapping demonstration and the subject of TEMPEST.
- In mid-2006, the broadcasters MDR (here from 4), Sat1 (17:30) and DMAX (D-Tech) ran various reports on a demonstration eavesdropping setup.
- News reports on the demonstration of eavesdropping on wired keyboards at the ETH Lausanne
- Chaosradio, the radio show of the Chaos Computer Club, covered TEMPEST in episode CR148.
- In episode 1 × 11 equal opportunities of the TV series Numbers, a computer screen is monitored using Van Eck phreaking; the technique is briefly explained in the episode.
Literature
- Dieter Görrisch: Jammers - from VHF to microwave. 2nd edition 2006, ISBN 3-7723-4127-6
Web links
- The Complete, Unofficial TEMPEST Information Page (PDF; 232 kB)
- Tempest for Eliza - Your own radio station using Tempest
- Practical demonstration of a "cheap" wiretapping setup by Dr. Markus Kuhn at the GBS stand, Cebit 2006
- Markus Kuhn: Compromising emanations: eavesdropping risks of computer displays. Dissertation
- Markus G. Kuhn: Eavesdropping attacks on computer displays. (PDF; 1.01 MB)
- Markus G. Kuhn: Electromagnetic Eavesdropping Risks of Flat-Panel Displays. (PDF; 1.82 MB)
- Tempest art project, display2radio
- Video demonstration of the emanations of a Dutch voting machine