Compromising Emanations

Robin Lobel

TEMPEST, also known as Van Eck phreaking, is the art of turning involuntary emissions into compromising data. This mainly concerns electromagnetic waves, but it can also be applied to any kind of unwanted emanation induced by the inner workings of a device. The most common TEMPEST phenomena relate to CRT monitors.

hakin9 3/2005 – www.hakin9.org

What you will learn...
• you will gain enough knowledge to start building your own TEMPEST system.

What you should know...
• you have to have some intermediate experience with practical electronics,
• you should have at least basic knowledge of electromagnetic physics.

About the Author
Robin Lobel has conducted several IT research projects for years, including audio compression, realtime image analysis, realtime 3D engines, etc. He studied the TEMPEST (Transient Electromagnetic Pulse Emanation Standard) system thoroughly in 2003 and was lucky enough to be able to use a full laboratory to conduct these experiments and succeed. He also enjoys composing music and doing some 2D/3D artwork. He is currently studying cinema arts in Paris. His web site: http://www.divideconcept.net.

The first studies concerning the phenomenon of compromising electromagnetic waves occurred in the 1950s. Through spying on encrypted Russian message transmissions, the NSA discovered weak parasitic rattlings in the carrier tone, which were emanated by the electricity of the encoding machine. By building an appropriate device, it was possible to rebuild the plain text without having to decrypt the transmissions. This phenomenon successively took the names NAG1A, then FS222 in the 1960s, NACSIM5100 in the 70s and finally TEMPEST (an acronym for Transient Electromagnetic Pulse Emanation Standard, although such a name is also said to be untrue), beginning in the 1980s.

In 1985 a Dutch scientist, Wim van Eck, published a report on the experiments that he had conducted since January 1983 in this field. The report shows that such a system can be built with little means – however, it gives very little detail. In 1986 and 1988, complementary reports were published. In 1998, John Young – an American citizen – requested the NSA to publish declassified information concerning the TEMPEST system. Seeing his request rejected, he appealed and finally, in 1999, obtained some documents which were largely censored. Very little information is available on this system; the majority of the documents contain nothing but superficial information without giving any details of a practical kind.

So what is it?
The principle of TEMPEST and its derivatives is to reconstruct original data from ghost information. A ghost is a trace left by an object in its environment. A definition of a ghost? A footprint, heat, the smell of cooked food and even your own shadow. Such information is valuable to detectives because this is the only basis they have to reconstruct what actually happened. There are three kinds of ghosts in the computer domain which could help us retrieve data: electromagnetic, optical and acoustic.

Electromagnetic emanations
The most discreet and informative trace. Given that every computer uses electricity and that any electric potential induces an electromagnetic field proportional to the potential, we can deduce back the inner electric activity. This can be applied to CRT display devices and any unprotected cables or wires.

Optical ghosts
Though being an electromagnetic wave, light doesn't follow the same rules and doesn't offer the same possibilities. Contrary to electromagnetic emanations, the lights in a computer system have specific roles, and are intentionally set to inform the user about the system status. If you take a closer look at LEDs, they respond to electric potentials too, so any minimal fluctuation in the system has an effect on LEDs and thus can be perceived with optical sensors. However, this can only be helpful for specific events and in particular conditions. What is more, the acquired information might not be of great value.

Acoustic information
Basically, the same possibilities as with optical emissions. However, the possibilities are fewer, because most of a system is silent and only the mechanical parts are subject to acoustic production. There are quite a few applications for this kind of emission. A hardware keylogger based on acoustic events may be a good example.

A particular study: CRT monitor emanations
One of the most interesting emissions in a computer comes from the display device, because its inner activity clearly deals with important information. Moreover, this device emits strong electromagnetic waves that are relatively easy to capture and treat.

The way monitors work
All colours can be broken down into three fundamental colours: red, green and blue (see Figure 1). It is possible – through the combination of these three colours – to recreate any colour, by varying these fundamental proportions. An image is considered a complex assembly of colours through the use of a pattern of pixels (see Figure 2). A pixel is a point composed of the three colours: red, green and blue. It is possible to recreate accurate images by increasing the density of pixels in a single area. The resolution of an image is represented by x*y, with x being the number of pixels horizontally and y the number of pixels vertically (examples: 640*480, 800*600, 1024*768, etc.).

Figure 1. Red, green and blue mix together to synthesise any colour

Figure 2. A grid of pixels forms a picture – the sharpness of the picture depends on the pixel density

A monitor screen is composed of several modules. The first one, the cathode tube, is what reproduces the actual image. An electron beam scans a fluorescent layer at an extremely high speed, thereby creating the image. The scanning goes across the entire screen from left to right and from top to bottom at a frequency of 50–100 Hz; as the electrons pass through the fluorescent layer, it emits light. This layer is also phosphorescent, in that it continues to emit light after its initial stimulation for approximately 10 to 20 ms. Its brightness is determined by the flow of electrons, which is regulated by a Wehnelt (electronic component). The beam then passes through two coils (one to determine the vertical deviation, the other for the horizontal deviation, using electromagnetic forces) to direct its trajectory, so that it scans the whole screen and can reconstruct a complete picture (see Figure 3).

Figure 3. A beam of electrons produces the actual picture on the screen, by exciting a phosphorescent layer from left to right and top to bottom

The signal passes through several channels (6 channels for the video signal itself). Meaning, the Red, Green and Blue channels as well as their respective masses (grounds); 2 synchronisation channels for the horizontal and vertical scanning and the common mass of the synchronisation signals.

The synchronisation signals, which indicate the passage to the following line or the return of the beam to the beginning of the screen, are simple differences of potential of a few volts. They take place (for a screen of a resolution of 800*600 pixels with 70 Hz refresh) 70 times a second for the vertical synchronisation signals, and 600*70=42,000 times a second for the horizontal synchronisation signals.

Video signals are at a voltage of 0 V to 0.7 V, which defines the brightness (the higher the voltage, the brighter the pixel) at the point where the scanning takes place (this voltage is thus able to vary for each new pixel of a different colour; for a screen having a resolution of 800*600 with a refresh rate of 70 Hz, the changes of voltage can reach a frequency of 800*600*70=34 MHz, that is to say 34,000,000 times a second).

Inductance phenomena
Any difference of potential (that is, when an amount of electrical tension gets higher or lower) in an electrically conductive material produces an electromagnetic wave proportional to the potential: this is called the inductance phenomenon (see Figure 4). This process is governed by Maxwell's equations, which describe the behaviour of electromagnetic waves. However, it's not necessary to understand all the mathematical and physical rules behind this in order to exploit the phenomenon.

Figure 4. A difference of potential in a conductive cable generates an electromagnetic wave

The inverse phenomenon is also true: any electromagnetic wave meeting an electrically conductive material will produce a difference of potential proportional to the strength of the wave. This is basically how LW receivers work: the stronger the wave, the stronger the signal received.

For an electromagnetic field to be created, there must be differences of potential: a constant voltage won't produce any radio waves. In the same way, no signal can be received if the magnetic field is static (that's why dynamos need to be constantly in motion to produce electricity).

Application to CRT monitors
Before being projected in the form of an electron beam, the video signal is amplified to a high voltage. This amplification generates strong electromagnetic waves, which, if the monitor is not protected enough electromagnetically, can be captured without any physical contact using an antenna from up to a distance of a hundred metres. The strength of the wave is proportional to the contrast between two consecutive pixels. Of course, as the three colour components are treated simultaneously and only one global electromagnetic wave is emitted (to be more specific, the electromagnetic waves mix into one when being emitted), we cannot retrieve separate colour information.

Setting up a TEMPEST system
An example screen and its corresponding electrical coding and electromagnetic inducement can be found in Figure 5. On the left, one can see a gradient scale displayed on a monitor screen. The central picture shows the same video signal as analysed by an oscilloscope. Finally, the right picture shows the corresponding electrical emanations (proportional to the differences of potential). A vertical pattern has been used for clarity (all lines are coded in the same way). This pattern is meant to make us understand what kind of signal we're about to handle. Now, let's start the practical part of our detective game.

Figure 5. Example screen and its corresponding electrical coding and electromagnetic inducement

The antenna
An antenna can be a simple conductive cable; this will be enough if we want to experiment with the system just two or three metres away from the monitor. For larger distances, one should use a parabolic antenna (Figure 6), which should be pointed towards the display device; it's highly sensitive and directional, that is, it can capture even very low emissions from a specific point in space.

Figure 6. A model of a parabolic antenna

The antenna will capture a highly parasitised signal. This noise is due to the electromagnetic pollution of the environment (miscellaneous radio emissions). Fortunately, monitors emit in a restricted band of high frequencies, which permits us to recover the signal using a filter.

Filtering
To recover the signal, we need to filter out all frequencies below the frequency of a single pixel (this also eliminates the wave generated by the synchronisation signal, which makes it hard to recover the beginning of a line). Actually, to acquire better results, it's a good idea to leave a margin and set the filtering frequency slightly below the frequency of a single pixel.

For a screen of resolution 800*600 with a refresh rate of 70 Hz, the critical frequency would be 800*600*70=33.6 MHz.

A high pass filter is composed of a resistor and a capacitor, assembled as in Figure 7:

• C1 – the capacitor,
• R1 – the resistor,
• Ue, Us – input and output respectively,
• Y1 stands for the resulting signal.

Figure 7. A High Pass Filter scheme

The critical frequency of this system is determined by fc=1/(2*π*R*C), with fc the critical frequency (the frequency below which the filter will cut any signal), R the resistance value and C the capacitor value.

We could set the system to, let's say, a frequency of 1.6 MHz (so that all frequencies below 1.6 MHz are eliminated), which leads us to 1.6*10^6=1/(2*π*R*C). This results in R*C=1/(2*π*1.6*10^6)=10^-7.

This frequency has been chosen because it leaves a good margin, and capacitors and resistors for this frequency are easy to find. To achieve this product, we could choose a capacitor of 1 nF (1 nanofarad, which is equivalent to 10^-9 farad) and a resistor of 100 Ω (100 ohms). This leads us to 10^-9*10^2=10^-7, so we have our product, and the system is set to a critical frequency of 1.6 MHz. Of course, you can use any other combination of resistors and capacitors – the main thing is to keep the product constant.

Amplification
The filtered signal has a very low potential (a few mV). In order to exploit the signal, we have to amplify it (that is, multiply the voltage by a constant factor) to an acceptable level. As seen before, video signals lie between 0 V and 0.7 V. To achieve this, we'll use an operational amplifier (OA, see also Frame On the Net), which is an electronic component that can be bought for around 10 Euros. Since we're treating high frequencies (MHz), we should carefully choose this operational amplifier: common OAs cannot handle such frequencies. So, when at the shop, one should ask for a video operational amplifier. Model AD844AN is an example; however, it may not be available in every country. We should look in the catalogues of different electronic manufacturers.

An OA has many applications, but we just want it to amplify our signal for now. To do so, let's refer to the circuit shown in Figure 8. It is comprised of an OA and 2 resistors:

• R2, R3 – resistors,
• OA – operational amplifier,
• V+, V- – OA powering,
• Ue, Us – input and output,
• Y1 – resulting signal.

Figure 8. Operational Amplifier: an inverter assembly

It is called an inverter and is one of the simplest amplifier circuits to build (but see also the Frame Things to Remember When Amplifying the Signal). The values of the two resistors determine the amplification coefficient by the following formula: k = -R3/R2. To amplify a hundred times, we can, for example, choose R2=1 Ω and R3=100 Ω.

Things to Remember When Amplifying the Signal
We should bear a few things in mind. At first, it is a good idea to choose a variable resistor R3, so that we can choose the coefficient even when the circuit is assembled. What's more important, the OA needs to be powered! This is something to look at carefully when choosing an OA, as they don't have the same needs in terms of power. Generally, it's around 12 V or 15 V. One also has to be sure to know how to connect an OA before assembly. Different documents are available on the Internet on this subject (see Frame On the Net). And last, but not least, this circuit is called an inverter because it inverts the output (that's why k is negative). With electromagnetic waves this is not a problem, since each signal possesses a negative and a positive part.

Cutting negative components
This is the easiest part: it just consists of adding a diode in order to cut the negative potential of our signal (because your display device will have some difficulties reproducing negative colours). The scheme is shown in Figure 9.

Figure 9. A diode, as represented in electronic circuits

Restoring the display
There are two more things to get the system working – solving these problems depends on the hardware used. The final step includes the synchronisation signals and the display device we should use.

Synchronisation signals
These signals can be generated using frequency generators. The main thing is to generate a pulse of a few volts for vertical synchronisation (all screens), and another for horizontal synchronisation (all lines). That is, for a screen of resolution 800*600 with a refresh rate of 70 Hz, 70 impulses per second should be generated for the first channel, and 600*70=42,000 impulses per second should be generated for the second channel.

If we don't have any frequency generators, then we can use a simple trick: deriving the synchronisation channels from the video-out port of a computer (see Figure 10). One only has to set this computer to the desired resolution and refresh rate as before (in our example, one would set it to 800*600, 70 Hz). To connect the test screen to this video-out port, we can hack an old video cable or buy a SUB-D 15/HD 15 connector (also known as a VGA 15-pin connector). Let's take a look at the picture and corresponding signals:

• 1 – red,
• 2 – green,
• 3 – blue,
• 6 – red mass,
• 7 – green mass,
• 8 – blue mass,
• 11 – mass,
• 13 – horizontal sync,
• 14 – vertical sync.

Figure 10. SUB-D HD Connector

Remember: we should be very vigilant while working on the video-out port. Any errors could be fatal to the .

Display device
For displaying the compromised data we can use either a TV or a computer screen, although a computer screen is preferred. TV devices just won't support all resolutions, whereas computer screens will (to certain extents, of course). For computer screen connectivity, this refers to the scheme of the SUB-D HD connector (Figure 10). For TV screens, this refers to the scheme for connectivity (SCART) as shown in Figure 11:

• 5 – blue mass,
• 7 – blue,
• 9 – green mass,
• 11 – green,
• 13 – red mass,
• 15 – red.

Figure 11. SCART – Peritel connectivity scheme

However, converting synchronisation signals is pretty difficult. Fortunately, in 1996, Tomi Engdahl designed a circuit which converts the VGA standard to TV standards. His concept is reproduced here in Figure 12.

Figure 12. Tomi Engdahl's synchronisation converter circuit

As can be seen, it's slightly easier if we have a computer screen. But we must remember to still be vigilant! These machines are extremely sensitive. Also, having an oscilloscope to check while manipulating is a plus. That's almost all (see Frame Assembling the System for details on construction).

To summarize, the whole homebrew TEMPEST system can be seen in Figure 14. To make it clearer:

• A – antenna,
• C1 – capacitor,
• R1, R2, R3 – resistors,
• OA – operational amplifier,
• V+/V- – OA powering,
• 1, 2, 3 – colour channels,
• 4, 5 – synchronisation channels,
• Sync – synchronisation impulse generators.

Figure 14. Robin Lobel's TEMPEST system

Well, but does it work?
We have learned how to build a TEMPEST system – one should be able to start constructing one's own EM wave intercepting device. However, let's not expect it to work the first time we test it. This is a very delicate system that needs to be finely tuned in order to function properly; it would be very useful to have an oscilloscope during the tests. Also, this is highly dependent on the environment and the way you use it. CRT monitors' electromagnetic emanations vary from one screen to another, so even with a tuned system results will vary too. Our solution results in a really homebrew device – relatively cheap and rather simplistic. Factory made TEMPEST systems are very expensive and really difficult to purchase, not to mention the fact that this kind of information was classified for a long time.

On the Net
• http://upe.acm.jhu.edu/websites/Jon_Grover/page2.htm – a handful of basics on van Eck phreaking,
• http://www.eskimo.com/~joelm/tempest.html – the complete but unofficial TEMPEST information page,
• http://www.noradcorp.com/2tutor.htm – NoRad company's CRT Monitors as a Source of Electromagnetic Waves page,
• http://xtronics.com/kits/rcode.htm – resistor colour codes,
• http://web.telia.com/~u85920178/begin/opamp00.htm – operational amplifier explanation,
• http://www.hut.fi/Misc/Electronics/circuits/vga2tv/vga2palntsc.html – Tomi Engdahl's synchronisation signal converter.

Assembling the System
Our electronic circuit is composed of 4 stages (see also Figure 14):

• an antenna (A) which will receive the signal,
• a high pass filter (C1, R1) to cut frequencies below the critical frequency we defined,
• an amplifier (OA, R2, R3, V+/V-) that amplifies the filtered signal so that it can be seen on a standard CRT display,
• a diode to cut negative parts (that cannot be used by a standard screen) and finally an output to get the video signal on the screen.

In parallel, there are incoming synchronisation signals. They can be generated by two low frequency generators or directly from a video card. To get the output onto a standard TV screen, Tomi Engdahl's synchronisation signal converter circuit can be used. It is shown in Figure 12. Since we don't really need this device, an optional description is available at http://www.hut.fi/Misc/Electronics/circuits/vga2tv/vga2palntsc.html.

The Components
Practically, you can use a veroboard (Figure 13; 1) to build the circuit. It is a board with a grid of holes linked by copper tracks on every row; that way you don't need to build your own printed circuit – it's all ready-made. This kind of board is available in any electronic shop. A resistor and a diode are shown in Figure 13 (2, 3 respectively). As for capacitors, there are several kinds available, but one shouldn't worry – they all work the same way (Figure 13; 4, 5, 6). Finally, the operational amplifier (Figure 13; 7) is necessary – right now we don't need to explain any further about it, but you can refer to Harry Lythall's webpage for details (http://web.telia.com/~u85920178/begin/opamp00.htm). All these components are available for a few Euros each.

The Assembly
To assemble the whole circuit, you'll need a soldering iron (even a cheap one will be okay) and a reel of solder wire to solder the electronic components to the veroboard. Insert each electronic component from the back of the veroboard (that is, the side with no copper tracks) so that the pins appear on the other side. Then, apply the solder on the copper track with the soldering iron – a drop of solder should weld the pin to the copper track. Use the copper tracks as you see fit; the main thing is to respect the connections as shown on the TEMPEST circuit scheme (Figure 14). You can link two copper tracks by welding a short electric cable from one copper track to another.

Figure 13. Parts used in TEMPEST circuit assembly: 1 – a veroboard; 2 – a resistor; 3 – a diode; 4, 5, 6 – capacitors; 7 – operational amplifier
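The filtering and amplification sections give a handful of numbers (pixel rate, sync rates, the RC cutoff, the inverter gain) without showing how they constrain each other. The Python below is an added worked example, not code from the article; it uses only the article's own figures (800*600 at 70 Hz, C1 = 1 nF, R1 = 100 Ω, R2 = 1 Ω, R3 = 100 Ω) and the textbook first-order RC response to check that the chosen cutoff really sits between the sync rates and the pixel rate, which is also the band an emission assessment of such a monitor has to cover.

```python
import math

# Added example. All numbers are the article's: 800*600 at 70 Hz,
# high-pass C1 = 1 nF / R1 = 100 ohm, inverter R2 = 1 ohm / R3 = 100 ohm.


def pixel_frequency(width, height, refresh_hz):
    """Highest rate at which the video voltage can change: one pixel per period."""
    return width * height * refresh_hz


def sync_frequencies(height, refresh_hz):
    """(vertical sync pulses per second, horizontal sync pulses per second)."""
    return refresh_hz, height * refresh_hz


def cutoff_frequency(r_ohm, c_farad):
    """Critical frequency of the RC high-pass of Figure 7: fc = 1/(2*pi*R*C)."""
    return 1.0 / (2.0 * math.pi * r_ohm * c_farad)


def rc_product_for_cutoff(fc_hz):
    """R*C needed for a wanted critical frequency (the article solves this for 1.6 MHz)."""
    return 1.0 / (2.0 * math.pi * fc_hz)


def highpass_gain_db(f_hz, fc_hz):
    """Magnitude response of a first-order RC high-pass at f, in dB (0 dB = unchanged)."""
    ratio = f_hz / fc_hz
    return 20.0 * math.log10(ratio / math.sqrt(1.0 + ratio * ratio))


def inverting_gain(r2_ohm, r3_ohm):
    """Amplification coefficient of the inverter of Figure 8: k = -R3/R2."""
    return -r3_ohm / r2_ohm


def design_check(width, height, refresh_hz, r1_ohm, c1_farad, r2_ohm, r3_ohm):
    """Put the numbers of the filtering and amplification sections side by side."""
    f_pixel = pixel_frequency(width, height, refresh_hz)
    f_vsync, f_hsync = sync_frequencies(height, refresh_hz)
    fc = cutoff_frequency(r1_ohm, c1_farad)
    return {
        "pixel_hz": f_pixel,
        "vsync_hz": f_vsync,
        "hsync_hz": f_hsync,
        "cutoff_hz": fc,
        # the article's rule: cut below the pixel rate, which also removes the sync pulses
        "cutoff_ok": f_hsync < fc < f_pixel,
        "hsync_attenuation_db": highpass_gain_db(f_hsync, fc),
        "pixel_attenuation_db": highpass_gain_db(f_pixel, fc),
        "gain": inverting_gain(r2_ohm, r3_ohm),
    }


if __name__ == "__main__":
    report = design_check(800, 600, 70, 100, 1e-9, 1, 100)
    for key, value in report.items():
        text = f"{value:,.3f}" if isinstance(value, float) else str(value)
        print(f"{key:>22}: {text}")
```

With the article's values the cutoff lands at about 1.59 MHz, so the 42 kHz horizontal sync is attenuated by roughly 31 dB while the 33.6 MHz pixel rate passes almost unchanged.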
