Tim May wrote:

At 9:19 PM -0800 2/8/98, Ryan Lackey wrote:

...

I'm a bit busy until at least after FC '98, or I'd do it myself. One of my goals is to keep my laptop as secure as possible, and that's an application where TEMPEST shielding is rather prohibitive.

Really? You think so? You think TEMPEST treatment of laptops is more expensive than of normal machines?

I think it is more difficult to have a lightweight, portable, non-maintenance intensive solution for tempest protecting a portable than for a big desktop box. A desktop box doesn't care how much it weighs. It can even be put inside a TEMPEST rack (I saw someone selling these at a convention once; I wanted one, but didn't have any way to to ship it back to Boston. Sigh), or just TEMPEST protect the entire room. One of the problems with TEMPEST protection is that the gaskets/etc. get worn. Or some stupid fsck paints the exposed copper in the doorway. Or whatever. I don't think requiring that the thing be portable, lightweight, etc. is going to make it any less likely to be damaged. If the TEMPEST protection is damaged, it's not as if a warning LED will come on -- TEMPEST monitoring equipment is *way* too heavy to build into a laptop, so it will fail silently.

The physics suggests just the opposite: the RF emissions from laptops are expected to be lower from first principles, and, I have heard, are measurably much lower. (I say "have heard" because I don't have any access to RF measurement equipment...I once spent many hours a day working inside a Faraday cage, but that was many years ago.)

Certainly the traces are shorter, there are no big antennas (read: cables) connecting parts, etc. The power levels are power. There aren't any power cords if you're on battery. However, a lot of them have plastic cases and generally piss-poor shielding of any kind, too.

The first principles part is that the deflection yokes in a CRT are the largest radiated component of what got named "van Eck radiation." (I'd just call it RF, but whatever.)

Laptops are missing this component. (It might be interesting to see the radiated RF numbers for various kinds of flat panel displays.)

According to the Anderson paper, certain kinds of LCD-TFT have *easier to monitor* emissions than monitors. I have no idea which is the case, but I'm willing to err on the side of paranoia. I should scrounge up some TEMPEST monitoring equipment around MIT somewhere and test it, though.

The emission from the keyboard would have to be looked at, of course.

It's an integrated component, no keyboard wire, so it's much less likely to lose.

Also, laptops, being so small, are easy to shield with mesh bags. An inelegant approach would be to bend copper sheeting to form an enclosure. A more elegant approach might be to take one of the tight-fitting laptop cases (like the Silicon Sports "Wetsuit") and use it as a pattern for a case made of conductive mesh fabric...or even something like aluminum screen. Several layers would be even better.

You need to worry about the mesh bag corrding/breaking/etc. But yeah, this is a decent technique. I wonder how small the mesh has to be to attenuate 30-40db of signal in the relevant frequencies, and if that makes it hard to see/type through. I should figure out what frequencies are involved.

But before going this route, I'd want to see some measurements. Laptops might already be "quiet enough." (Measurements are needed to determine the effectiveness of any proposed RF shielding anyway, so....)

The paper pretty clearly says laptop LCDs are not sufficiently quiet. Until I read this, I was under the impression they were; perhaps passive matrix screens are and active are not. (actually, I can totally understand that wrt the pulse modulation not present in modern crts)

Finally, for a number of years there have been proposals for viewing screens built into glasses or goggles. "Crystal Eyes" was one of them. Another was a replacement for standard EGA screens (this was 4-6 years ago). These were being announced during the period when virtual reality (VR) was expected to dominate...that hasn't happened, yet.

With some of these glasses, gargoyle-style, one could completely encase the laptop in a shielded case (like a Zero Haliburton) and then use a palm keypad...

I used to work in the MIT Media Lab's wearables project -- we used this kind of approach. Something called a "twiddler" chording keyboard (unshielded; my advisor fled the country before I could get a shielded one set up), attached to a "private eye" monocular display; some odd resolution, again unshielded. Attached to a standard portable PC, a belt mounted PC, or whatever. I was going to put together a TEMPEST resistant wearable at some point. In addition, a mesh cloak; we'd been doing some privacy stuff, and discovered that there were penetrating cameras in use by some surveilance companies/etc. for anti-shoplifting/etc. -- it would be nice to shield against them. It never happened, oh well. I had a real bitch of a time finding open source TEMPEST information, which is part of why the idea was back-burnered. I think there is a concerted effort on the part of the government to prevent open source discussion of the topic, through manipulation of research money, etc. Most of my information was general purpose EE stuff and some EMP-shielding information, so perhaps I'm inclined to overkill (when dealing with EMP, you have to worry about 3 second duration *changes* in the field, so your faraday cage needs to be of uniform materials, joints need to be the same as the material, etc. In the absence of material to suggest otherwise, I think the same criteria apply to serious TEMPEST shielding, in the 85db+ range. There is some speculation that the SECRET TEMPEST specs are not sufficient to resist some modern SIGINT technology, and that there exist unknown standards for real protection for some applications. Perhaps this is unjustified paranoia).

Speaking of this sort of approach, a lower-tech version might be to use a palmtop, like the HP 95LX, as a remote terminal to a machine completely shielded. (The laptop could be in a shielded enclosure, or backpack, with the 95LX snaked to it with cables.) Given the battery operation, the long battery life (which says radiated RF is likely to be under control), the LCD display, etc., this should be pretty good against eavesdroppers.

Even a passive component has a resonant frequency; if you're attacking, you may know it and can take advantage of this (hinted at in the paper). I don't think the palmtop being low power necessarily makes it immune, although I'd bet it's a bit better off than a laptop.

I haven't yet looked at the Ross Anderson paper, but some things bother me about it. It seems unlikely that a "TEMPEST font" will affect keyboard and main CPU board noise. Also, in a multiple window environment, with several active windows, and with the target window being of varying sizes, I'm not quite sure I buy the idea that a remote sensing of the content of one window is very easy to pull off.

But I'll take a look at what Ross has to say.

--Tim May

I think the real solution is just what Ross said -- software + hardware. With the right font and X server frobbery, you can get *better* net image/text quality with TEMPEST protection and anti-aliasing than with neither. And it's a great safety net in case your hardware protection is compromised. Once the current project which by now is becoming rather tired of being brought up in passing rather than in a real comprehensive form is on its way, I'm going to look at the TEMPEST wearable, maybe with a verified cryptographic hardware implementation for the important stuff. An interim solution of a nice greyscale antialiased font in a java window serving as a console, even if only for things like the pgp xterm, would be a nice interim solution. Especially since it should only take a few hours to do, if someone has some font manipulation tools. I was originally thinking of modifying the text mode console drivers, but they use DOS text mode, which can't deal with greyscale. The solution is to use SVGAlib, GGI, or an X application. A really cool solution would be to make the X server itself do this to everything on the screen. XFree86 is way too nasty a codebase for me to modify in my spare time, though. I think Linux-GGI is the proper way to do it.

Just Say No to "Big Brother Inside" ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^3,021,377 | black markets, collapse of governments.

-- Ryan Lackey rdl@mit.edu http://mit.edu/rdl/

Tim May wrote on 1998-02-09 06:14 UTC:

The physics suggests just the opposite: the RF emissions from laptops are expected to be lower from first principles, and, I have heard, are measurably much lower. (I say "have heard" because I don't have any access to RF measurement equipment...I once spent many hours a day working inside a Faraday cage, but that was many years ago.)

The first principles part is that the deflection yokes in a CRT are the largest radiated component of what got named "van Eck radiation." (I'd just call it RF, but whatever.)

You have to differentiate between information carrying emanations and non-information carrying ones. The horizontal and vertical deflection coils produce a lot of radiation at harmonics of the line and frame rate of your CRT, but this signal energy is not related to your screen content (only to your video mode), and therefore not of much concern for the eavesdropper. The low-radion monitor standards look only at those signal (<400 kHz). Therefore having a TCO92 monitor provides you absolutely no advantage with respect to eavesdropping. The information carrying signals of VDUs are in much higher frequency ranges in the VHF/UHF bands. Laptops are pretty good broadcasters there, too. Markus -- Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>