In 1985, Dutch computer researcher Wim van Eck authored a paper on EMR eavesdropping effective against CRT monitors. What are the implications for computer security?
If you think worrying about RFID chips in your wallet is the height of security paranoia, you have a lot to learn. Remember: the fact you're paranoid doesn't mean they aren't out to get you.
Van Eck Phreaking
Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?, written by Wim van Eck, introduced us to the idea of violating information security by "listening in" on the electromagnetic radiation emitted by a CRT computer monitor in 1985:
It is well known that electronic equipment produces electromagnetic fields which may cause interference to radio and television reception. The phenomena underlying this have been thoroughly studied over the past few decades. [. . .] However, interference is not the only problem caused by electromagnetic radiation. It is possible in some cases to obtain information on the signals used inside the equipment when the radiation is picked up and the received signals are decoded. Especially in the case of digital equipment this possibility constitutes a problem, because remote reconstruction of signals inside the equipment may enable reconstruction of the data the equipment is processing
Oscillating electric currents within your monitor produce radio frequency electromagnetic radiation (EMR) that correlate to what the monitor displays. In cooperation with the BBC in February 1985, van Eck was able to confirm through experimental proof of concept that this form of electronic eavesdropping is possible from distances of up to several hundred meters.
While such danger to information security was already known at the time of van Eck's paper, it was generally believed that such eavesdropping was prohibitively difficult for amateurs — meaning, for the most part, non-military personnel — and would require extremely expensive, specialized, restricted equipment. Wim van Eck's research showed that it can be accomplished with nothing that isn't readily available on the open market — that, in fact, "In the case of eavesdropping on a video display unit, this can be a normal TV broadcast receiver."
The techniques he pioneered have come to be known as "van Eck phreaking", in reference to his name and the venerable techniques of telephone system hacking.
Since that time, van Eck phreaking has been referenced in fiction (such as Neal Stephenson's novel Cryptonomicon — mentioned in 5 good security reads — and episodes of both Numb3rs and Alias), adjusted to use with LCDs in 2004 using equipment that cost under $2000 US (see Electromagnetic Eavesdropping Risks of Flat-Panel Displays), and addressed by the US Government's TEMPEST standards.
There are a few ways one could protect oneself from this kind of data security threat, but for most people, such measures are highly impractical. A few examples are:
- Cryptographic Display: Pseudorandom image resolution on the screen could conceivably result in an external, eavesdropping receiver getting garbled data. By using a cryptographic algorithm to control periodic variation in this pseudorandom resolution ordering, one could effectively protect a system from all but the most resource intensive brute force attempts to acquire useful data by van Eck phreaking techniques.
- Electromagnetic Jamming: If you produce interfering electromagnetic radiation in the vicinity of your work, you may decrease the signal to noise ratio sufficiently that no usable information may be gained through van Eck phreaking techniques. This would be, in the obvious case, the radio frequency equivalent of using a white noise generator to mask a private conversation from listening devices such as directional microphones and "bugs".
- Faraday Cage: You could always surround yourself with an unbroken, three-dimensional perimeter of conductive material that prevents the escape of compromising emanations. You would, in effect, have to do all your work inside a large metal box with no spaces in the metal big enough for a radio frequency wave to escape.
- Software Jamming: While software cannot (easily) affect the emanations produced by a display device, such as a CRT or LCD monitor, there are other potential sources of compromising emanations. For instance, Swiss researchers have recently developed a proof-of-concept for eavesdropping on PS/2 and USB keyboards. The entire set of circuits in a computer, in fact, can produce various types of compromising emanations. Measures such as constantly running meaningless background processes that bear a striking resemblance to the kind of computer activity you want to hide from eavesdroppers can decrease the signal to noise ratio of data gathered by eavesdropping to effectively useless levels.
- TEMPEST Hardening: Slow-switching digital components, shielded electronics, minimized radiating areas in circuit loops, and non-emanating circuit technologies are just a few possibilities for reducing a system's radiation "footprint" that may be incorporated into the system's hardware itself.
Software developed for use with Tinfoil Hat Linux and available under the BSD license generates cryptographic system "noise" that can obscure your actual cryptographic activities on the system. The process involves nothing more than constantly running a copy of GnuPG in the background, generating cryptographic keys and encrypting random documents. Any actual, meaningful use of GnuPG should simply disappear into the background noise for an eavesdropper, and other cryptographic activity my be masked to a lesser extent as well — depending on the sophistication of the eavesdropper's techniques.
On Tinfoil Hat Linux, this countermeasure is activated by using "Paranoid" options. The software is available under the terms of a copyfree license and simple enough in design that it can be easily used on other systems than THL, such as your favorite BSD Unix system or Linux distribution.
The US Government claims TEMPEST is officially not an acronym, though a number of backronyms have been suggested, including "Transmitted Electro-Magnetic Pulse / Energy Standards and Testing" and the whimsical "Tiny ElectroMagnetic Particles Emitting Secret Things". TEMPEST standards go far beyond van Eck phreaking countermeasures, covering the entire broad range of "emanations security", or EMSEC, technologies.
Thanks to the NSA's TEMPEST Certification Program, there are vendors of TEMPEST hardened computers. Unfortunately for us, such computers tend to be prohibitively expensive — you basically need to have a specific use for a TEMPEST hardened system to bother spending the money on one (or perhaps more money than you know what to do with) to make it worth your while, rather than simply a general interest in security.
This may become a real problem in the future, particularly in specific, targeted instances of industrial espionage. For the general public, however, the risk is significantly reduced; it's just too little reward for the effort, because even at an effective distance of several hundred meters van Eck phreaking techniques require more time, attention, and money per potential target than automated techniques that can be employed over the Internet. There's always the possibility that some inquisitive electronics hobbyist will move in next door and start playing with RF eavesdropping, however.
Eventually, the specific dangers of CRT and LCD compromising emanations will be mitigated or even eliminated, thanks to the rapid advance of technology. Unfortunately, the principles behind van Eck phreaking — unauthorized acquisition of data via incidental radiation — will probably continue to be a problem for a long time to come.
Just about the time when we have finally, decisively solved the problem of van Eck phreaking for computers, someone will have developed a similar, easy way to eavesdrop on our thoughts by recording and interpreting the magnetic field generated by an active brain. Wim van Eck's legacy will remain with us.