Re: Laptop TEMPEST (fwd)
Forwarded message:
Subject: Re: Laptop TEMPEST
Date: Mon, 09 Feb 1998 17:07:23 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
Jim Choate wrote on 1998-02-09 06:57 UTC:
Doesn't the FCC have to test the RF emissions of all laptops as well as monitors for sale as Class A and Class B in the US? Shouldn't that material be available? I searched the main site, www.fcc.gov, but didn't find anything regarding this.
I suspect that FCC material is not helpful with regard to Tempest.
As to calculating a realistic estimate of range to intercept, I disagree strongly.
Results of such EMI tests only measure the general power spectrum emitted by a device. Of interest for Tempest purposes however is not the power spectrum, but the spectrum of the cross-correlation
I am aware of how to do Tempest in practice as well as in theory. The process goes something like this. The first target is the vertical retrace. This signal is usually the strongest because the voltage required (and hence the dv/dt) is the largest to sling that e-beam from the lower right to the upper left. It usually resides in the 50-70Hz range. The next target is the horizontal retrace. It slews the beam from the right edge of the display to the left in order to start another trace. You can use this signal to sync both the vertical retrace steps (in order to move the beam down vertically to start another trace) as well as the ramp that is required to slew the beam across the screen to write the pixels. Once these 4 signals are acquired and fed to the appropriate control terminals of a CRT you are ready to begin decoding the actual trace data for each line of the display. This is the hardest since the actual modulation of the e-beam is done via a screen grid (who said tube theory was out of date?) and that signal is quite small and generally has a cardioid emission pattern aligned axially along the central axis of the CRT tube. So if given a choice you want your antenna to be behind the viewer in line with the display. It is of some import to note that larger displays are easier to acquire usable signals from since the distances the e-beam is slewed and as a result the control voltages are much larger.

 ____________________________________________________________________
|                                                                    |
|    The most powerful passion in life is not love or hate,          |
|    but the desire to edit somebody elses words.                    |
|                                                                    |
|                                Sign in Ed Barsis' office           |
|                                                                    |
|            _____                             The Armadillo Group   |
|         ,::////;::-.                           Austin, Tx. USA     |
|        /:'///// ``::>/|/                     http://www.ssz.com/   |
|      .',  ||||    `/( e\                                           |
|  -====~~mm-'`-```-mm --'-                        Jim Choate        |
|                                                ravage@ssz.com      |
|                                                 512-451-7087       |
|____________________________________________________________________|

Jim Choate wrote on 1998-02-09 17:35 UTC:
This is the hardest since the actual modulation of the e-beam is done via a screen grid (who said tube theory was out of date?) and that signal is quite small and generally has a cardioid emission pattern aligned axially along the central axis of the CRT tube.
Things are somewhat more complicated and I am not convinced that the e-beam is the primary source of radiation. Your claim that the Tempest radiation is modulated by the screen grid does not agree with my practical experience: All signals I get are close to harmonics of the dot clock and not of the screen grid rate. In addition, the Tempest monitor cannot distinguish between an all-black and an all-white image, which it should in the case of a screen-grid caused modulation. If there is indeed a screen-grid modulation, then it is *much* weaker than any modulation that you get by software dithering.

Monitors are pretty strange antennas: For instance, my monitor still radiates quite well (although noticeably weaker) if I switch its power supply off. Just the passive resonance of the chassis gives a clear signal in around a meter radius with a simple untuned dipole antenna. Switching off a monitor alone does not protect you from eavesdropping a VDU signal, especially if the signal is not just text but a pattern optimized for reception.

After I unplug the VGA cable however, I can't pick up any signal with our Tempest receiver unless I bring the antenna almost in contact with the cable or connector. The closed PC chassis also appears to be no very big source of VDU emanations, certainly much below the levels that our receiver can detect.

Markus

--
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>