Re: TEMPEST (fwd)
Forwarded message:
Subject: Re: TEMPEST Date: Tue, 10 Feb 1998 01:45:26 +0000 From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
If your getting your signal off the harmonics you're doing it the hard way. Go back and re-read your texts on Fourier Transforms and then do a power-spectrum analysis on the signals to the tube; what you will find is that the primary frequencies get the majority of the signal (eg 1st harmonic of a square wave (ie a dot clock) only gets, at best, 1/3 of the energy of the primary).
But this is not necessarily, where the the monitor resonates nicely. Van Eck has reported very similar results in his paper: His VDU had a dot clock of 11 MHz and he got nice resonance peaks near 125 and 210 MHz.
11MHz base frequency won't produce a clean ring at 125MHz or 210MHz, they're not a whole number multiple of the base. How is this accounted for? What did he calculate the Q at? At what range was he picking up these harmonics as well as the base? The lower harmonic implies a 4MHz beat and the higher a 1MHz beat, how did he account for these signals? Personaly I would be more inclined to suspect the information was riding on the beats. He didn't happen to measure the frequencies to 3 decimal places did he? Since the components are most likely 20%, 10% at best. This would indicate that his base clock was slewing from around 10MHz to around 12MHz, this would explain the 1MHz and 4MHz beats anyway; sub-harmonics due to excessive slew-rate. If he was seeing ringing it had to be very low power because such off-integer resonances only occur in low-Q tuned circuits and that implies a very quick decay constant because the majority of energy is being dissipated in heat. So, in effect, Van Eck is claiming that the propogation attenuation of the 125 and 210 harmonics is lower than for the fundamental frequencies in a low-Q tuned circuit? Or is he claiming the emitted energy of the harmonics was higher than the base drive signal?
If you have only a van Eck style receiver, yes. But as soon as you record the reception over some time and observe the images phases to drift only slightly against each other, you might be able to separate them using similar processing techniques as used in computer tomography.
As I alluded to with the comment I made about integrating the received signals. The easiest way to do this sort of stuff with a small budget is with a flying capacitor integrator. ____________________________________________________________________ | | | The most powerful passion in life is not love or hate, | | but the desire to edit somebody elses words. | | | | Sign in Ed Barsis' office | | | | _____ The Armadillo Group | | ,::////;::-. Austin, Tx. USA | | /:'///// ``::>/|/ http://www.ssz.com/ | | .', |||| `/( e\ | | -====~~mm-'`-```-mm --'- Jim Choate | | ravage@ssz.com | | 512-451-7087 | |____________________________________________________________________|
Jim Choate wrote on 1998-02-10 03:40 UTC:
11MHz base frequency won't produce a clean ring at 125MHz or 210MHz, they're not a whole number multiple of the base. How is this accounted for? What did he calculate the Q at? At what range was he picking up these harmonics as well as the base? The lower harmonic implies a 4MHz beat and the higher a 1MHz beat, how did he account for these signals? Personaly I would be more inclined to suspect the information was riding on the beats. He didn't happen to measure the frequencies to 3 decimal places did he?
You might want to consider to read van Ecks paper yourself: Wim van Eck: Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? Computers & Security 4 (1985) 269--286 If you don't have C&S in your library, you might also find a scan on <http://www.eskimo.com/~joelm/tempest.html>
If you have only a van Eck style receiver, yes. But as soon as you record the reception over some time and observe the images phases to drift only slightly against each other, you might be able to separate them using similar processing techniques as used in computer tomography.
As I alluded to with the comment I made about integrating the received signals. The easiest way to do this sort of stuff with a small budget is with a flying capacitor integrator.
Please explain! I was more thinking in terms of digitizing everything and solving large per-pixel systems of equations to separate the drifting images, which does not sound much like something equivalent to a single hardware integrator, but more like something that keeps a workstation very busy for a few minutes. Markus -- Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>
participants (2)
-
Jim Choate -
Markus Kuhn