Thursday, July 30, 2015

Optical Emission Security – Frequently Asked Questions

Markus Kuhn In the paper
Optical Time-Domain Eavesdropping Risks of CRT Displays,
2002 IEEE Symposium on Security and Privacy, Berkeley, California, May 2002.
I describe a new eavesdropping technique that reconstructs text on computer screens from diffusely reflected light. This publication resulted in some wide media attention (BBC, New Scientist,Wired, Reuters, Slashdot). Here are answers to some of the questions I have received, along with some introductory information for interested readers looking for a more highlevel summary than the full paper, which was mainly written for an audience of hardware-security and optoelectronics professionals. Q: How does this new eavesdropping technique work? To understand what is going on, you have to recall how a cathode-ray display works. An electron beam scans across the screen surface at enormous speed (tens of kilometers per second) and targets one pixel after another. It targets this way tens or hundreds of millions of pixels every second to convert electron energy into light. Even though each pixel shows an afterglow for longer than the time the electron beam needs to refresh an entire line of pixels, each pixel is much brighter while the e-beam hits it than during the remaining afterglow. My discovery of this very short initial brightness in the light decay curve of a pixel is what makes this eavesdropping technique work. An image is created on the CRT surface by varying the electron beam intensity for each pixel. The room in which the CRT is located is partially illuminated by the pixels. As a result, the light in the room becomes a measure for the electron beam current. In particular, there is a little invisible ultrafast flash each time the electron beam refreshes a bright pixel that is surrounded by dark pixels on its left and right. So if you measure the brightness of a wall in this room with a very fast photosensor, and feed the result in another monitor that receives the exact same synchronization signals for steering its electron beam, you get to see an image like this: raw rasterized photomultiplier signal You can already recognize some large characters and lines of text, but the long afterglow of the phosphor still distorts the image significantly. A mathematical signal processing technique known as deconvolution can now be used to undo this blurring to some degree: deconvoluted photomultiplier signal This magnification shows that even small font sizes become readable: magnified excerpt Q: How far away does this work and what is "shot noise"? The amount of noise that a constant light level introduces into a photo sensor is proportional to the square root of the light intensity. This is because light does not arrive as a continuous stream of energy, but in small countable energy packets (photons). The number of photons that arrive during some fixed time interval varies randomly, and this variation is described by what statisticians call Poisson distribution. It is a characteristic of the Poisson distribution that if you expect on average N photons to arrive, then the average difference between N and the actual number of photons that you got will be sqrt(N). This fluctuation is in electronics called shot noise. Shot noise means, that in order to get a signal, the number of photons that you receive per pixel from the CRT must be at least the square root of the number of photos that you get from other light sources such as the sun or light bulbs. As the eavesdropper moves further away, the receiver will be able to capture fewer photons. Even though the ratio between CRT photons and background photons might remain roughly the same, the square root of the number of background photons will grow relative to the CRT photon count with distance, thereby reducing the signal-to-noise ratio. The paper contains the mathematical details for calculating the signal-to-noise ratio at various distances, and in one example calculation in which I used what I hope are practically interesting parameters for background light, and size of the sensor, I ended up with a maximum eavesdropping distance of in the order of 50 meters. It is important to understand, that this figure is just one example calculation result. Changes in the background light, the pixel frequency, the required signal-to-noise ratio, or other parameters will lead to significant different distances. Having said that, I do believe that the outcome of this study can be described as that eavesdropping a computer monitor with common font sizes via light reflected from a wall seems feasible from a building on the other side of a street if the targeted room is only weakly illuminated. Interested readers will find in the paper enough data and information to perform realistic numeric simulations of an eavesdropping attack in a specific situation. Q: What can eavesdroppers do to improve reception? There are a number of techniques, for example some of those mentioned in the paper are:
  • The eavesdropped videosignal is periodic over at least a few seconds, therefore periodic averaging over a few hundred frames can help significantly to reduce the noise.
  • If you know exactly what font is used, many of the equalization and symbol detection techniques used in modems or pattern recognition applications can be applied to recover the text (remote optical character recognition).
  • Optical filters can eliminate other colours from background light.
  • A large sensor aperture (telelens, telescope) can improve the photon count.
Q: What can I do to prevent reception? There are a number of techniques, for example some of those mentioned in the paper are:
  • Reception is difficult if not impossible from well-lit rooms, in which CRTs do not make a visible contribution to the ambient illumination. Don't work in the dark.
  • No not assume that etched or frosted glass surfaces prevent this technique if there is otherwise a direct line of sight to the screen surface.
  • This particular eavesdropping technique is not applicable to LCDs and other flat-panel displays that refresh all pixels in a row simultaneously.
  • Make sure, nobody can install eavesdropping equipment within a few hundred meters line-of-sight to your window.
  • Use a screen saver that removes confidential information from the monitor in your absence.
Q: What phosphor types reduce the risk and which monitor brands use them? The vendors of colour computer monitor vendors currently do not provide any useful information about what screen phosphor type is used. The designation "P22" found sometimes in datasheets is mostly meaningless, as it describes any combination of red/green/blue phosphors that fulfill the NTSC TV colour specification. For that reason, I have not yet performed a systematic test of different phosphor types currently on the market. Q: What colour combination is most difficult to eavesdrop? A bright background contributes shot noise. In the monitor I tested, the red phosphor had the by far lowest initial luminosity. It emitted a much smaller part of its stored energy in the first microsecond than did the blue and green phosphors. Normal light bulbs emit more red then blue light. Therefore it might seem prudent to place critical text information into the red channel only, while keeping the other to maximum brightness, leading to colour combinations such as cyan on white or green on yellow. However, such low-contrast text display violates ergonomic standards, therefore I would advise against using this approach. In addition, the light from typical red phosphors is concentrated in a few narrow spectral lines, and therefore might be more easily separated by wavelength from background light. Q: Is this really a serious risk? A radio-frequency technique for video display eavesdropping was first described in the open literature by Wim van Eck in 1985. Even though it generated considerable excitement at the time and NATO governments have invested billions of dollars for countermeasures, not a single case of computer crime based on this technique has been uncovered so far, apart from occasional suspicions in some financial institutions that handle information of very high short-term value. This either means that such compromising emanations attacks are practically not used, or if they are used, then so rarely and well prepared that the eavesdroppers never got caught so far. It is my understanding that some major NATO intelligence agencies still do maintain the capability to perform remote RF video display eavesdropping, but I have no idea on how valueable they find such techniques in practice to gather useful intelligence. Compared to radio frequency emanations, the equipment need for optical eavesdropping is somewhat easier to obtain, because suitable commercial RF wide-band receivers are normally rather expensive and export controlled (though obtaining a second-hand one was not entirely impossible, even for a research student, and there are always numerous ways to modify readily availabl low-cost equipment suitably). Photomultipliers and digital storage oscilloscopes on the other hand are rather common laboratory equipment. The feasible eavesdropping ranges in an urban/suburban environment are very comparable for both techniques. Optical eavesdropping is somewhat more restricted in that for the diffuse reflection case, low background illumination is essential to make it work, but on the other hand it leads usually to much better image quality and works not only for text but also for colour images. I would be surprised if optical CRT eavesdropping finds widespread use. The risk is not entirely unrealistic, but it probably should be of primary concern only to those in charge of high-security facilities that are targeted by intelligence agencies or well-funded industrial espionage teams and that have already invested significant effort to close any other known type of security vulnerability. There might also be specialized applications for TV or software licence enforcement targeted against private and commercial consumers. A compromising emanations eavesdropper has to be extremely patient, because it is necessary to wait until the information of interest is displayed or processed by the system, which is often not easy to predict. In most commercial environments, it is for a determined attacker far more easy to break into a facility, get physical access to the storage media and take or copy it, in order to gain noise-free access to all information at once, or to bribe an employee with access to do the same. Unsurprisingly, breakins where all the burglars were interested in was the harddisk of a company's central file server are being reported regularly. For me, this project was mostly driven by academic curiosity. It was a good excuse to learn a lot about optoelectronics and get a photomultiplier to play with. I hope, not only computer security educators and textbook authors will find this demonstration a valuable example for how surprising and unexpected the nature of hardware-security side channels can be. Q: What about LEDs? For devices with RS-232 serial ports, it is customary to provide a status indicator LED for some of the signal lines (in particular transmit data and receive data). Often, these LEDs are directly connected to the line via just a resistor. As a result, anyone with a line of sight to the LED, some optics and a simple photosensor can see the data stream. Joe Loughry and David A. Umphress have recently announced a detailed study (submitted to ACM Transactions on Information and System Security) in which they tested 39 communications devices with 164 LED indicators, and on 14 of the tested devices they found serial port data in the LED light. Based on their findings, it seems reasonable to conclude that LEDs for RS-232 ports are most likely carrying the data signal today, whereas LEDs on high-speed data links (LANs, harddisk) do not. Even these LEDs are still available as a covert channel for malicious software that actively tries to transmit data optically. I expect that this paper will cause a number of modem manufacturers to add a little pulse stretcher (monostable multivibrator) to the LEDs in the next chip set revision, and that at some facilities with particular security concerns, the relevant LEDs will be removed or covered with black tape. The data traffic on LEDs is not a periodic signal, and therefore, unlike with video signals, periodic averaging cannot be used to improve the signal-to-noise ratio. The shot-noise limit estimation technique that I used to estimate the CRT eavesdropping risk can even more easily (because no deconvolution is needed) also be applied to serial port indicators and allows us to estimate a lower bound for the bit-error rate at a given distance. I have performed a few example calculations and concluded that with a direct line of sight, and a 100 kbit/s signal (typical for an external telephone modem), at 500 m distance it should be no problem to acquire a reliable signal (one wrong bit every 10 megabit), whereas for indirect reflection from the wall of a dark room, a somewhat more noisy signal (at least one wrong bit per 10 kilobit) can be expected to be receivable in a few tens of meters distance. Q: Where can I learn more? My dissertation Compromising emanations: eavesdropping risks of computer displays is currently perhaps the most detailed openly available compendium on electromagnetic eavesdropping techniques for video displays. Pretty good online repositories of material related to compromising emanations have been collected by Joel McNamara and John Young.
created 2002-03-05 – last modified 2004-11-29 – http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html

No comments: