Optical Emission Security – Frequently Asked Questions
Markus Kuhn In the paperOptical Time-Domain Eavesdropping Risks of CRT Displays,I describe a new eavesdropping technique that reconstructs text on computer screens from diffusely reflected light. This publication resulted in some wide media attention (BBC, New Scientist,Wired, Reuters, Slashdot). Here are answers to some of the questions I have received, along with some introductory information for interested readers looking for a more highlevel summary than the full paper, which was mainly written for an audience of hardware-security and optoelectronics professionals. Q: How does this new eavesdropping technique work? To understand what is going on, you have to recall how a cathode-ray display works. An electron beam scans across the screen surface at enormous speed (tens of kilometers per second) and targets one pixel after another. It targets this way tens or hundreds of millions of pixels every second to convert electron energy into light. Even though each pixel shows an afterglow for longer than the time the electron beam needs to refresh an entire line of pixels, each pixel is much brighter while the e-beam hits it than during the remaining afterglow. My discovery of this very short initial brightness in the light decay curve of a pixel is what makes this eavesdropping technique work. An image is created on the CRT surface by varying the electron beam intensity for each pixel. The room in which the CRT is located is partially illuminated by the pixels. As a result, the light in the room becomes a measure for the electron beam current. In particular, there is a little invisible ultrafast flash each time the electron beam refreshes a bright pixel that is surrounded by dark pixels on its left and right. So if you measure the brightness of a wall in this room with a very fast photosensor, and feed the result in another monitor that receives the exact same synchronization signals for steering its electron beam, you get to see an image like this: You can already recognize some large characters and lines of text, but the long afterglow of the phosphor still distorts the image significantly. A mathematical signal processing technique known as deconvolution can now be used to undo this blurring to some degree: This magnification shows that even small font sizes become readable: Q: How far away does this work and what is "shot noise"? The amount of noise that a constant light level introduces into a photo sensor is proportional to the square root of the light intensity. This is because light does not arrive as a continuous stream of energy, but in small countable energy packets (photons). The number of photons that arrive during some fixed time interval varies randomly, and this variation is described by what statisticians call Poisson distribution. It is a characteristic of the Poisson distribution that if you expect on average N photons to arrive, then the average difference between N and the actual number of photons that you got will be sqrt(N). This fluctuation is in electronics called shot noise. Shot noise means, that in order to get a signal, the number of photons that you receive per pixel from the CRT must be at least the square root of the number of photos that you get from other light sources such as the sun or light bulbs. As the eavesdropper moves further away, the receiver will be able to capture fewer photons. Even though the ratio between CRT photons and background photons might remain roughly the same, the square root of the number of background photons will grow relative to the CRT photon count with distance, thereby reducing the signal-to-noise ratio. The paper contains the mathematical details for calculating the signal-to-noise ratio at various distances, and in one example calculation in which I used what I hope are practically interesting parameters for background light, and size of the sensor, I ended up with a maximum eavesdropping distance of in the order of 50 meters. It is important to understand, that this figure is just one example calculation result. Changes in the background light, the pixel frequency, the required signal-to-noise ratio, or other parameters will lead to significant different distances. Having said that, I do believe that the outcome of this study can be described as that eavesdropping a computer monitor with common font sizes via light reflected from a wall seems feasible from a building on the other side of a street if the targeted room is only weakly illuminated. Interested readers will find in the paper enough data and information to perform realistic numeric simulations of an eavesdropping attack in a specific situation. Q: What can eavesdroppers do to improve reception? There are a number of techniques, for example some of those mentioned in the paper are:
2002 IEEE Symposium on Security and Privacy, Berkeley, California, May 2002.
- The eavesdropped videosignal is periodic over at least a few seconds, therefore periodic averaging over a few hundred frames can help significantly to reduce the noise.
- If you know exactly what font is used, many of the equalization and symbol detection techniques used in modems or pattern recognition applications can be applied to recover the text (remote optical character recognition).
- Optical filters can eliminate other colours from background light.
- A large sensor aperture (telelens, telescope) can improve the photon count.
- Reception is difficult if not impossible from well-lit rooms, in which CRTs do not make a visible contribution to the ambient illumination. Don't work in the dark.
- No not assume that etched or frosted glass surfaces prevent this technique if there is otherwise a direct line of sight to the screen surface.
- This particular eavesdropping technique is not applicable to LCDs and other flat-panel displays that refresh all pixels in a row simultaneously.
- Make sure, nobody can install eavesdropping equipment within a few hundred meters line-of-sight to your window.
- Use a screen saver that removes confidential information from the monitor in your absence.
created 2002-03-05 – last modified 2004-11-29 – http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html