
Laptops And Flat Panels Now Vulnerable to Van Eck Methods

An anonymous reader writes "Using radio to eavesdrop on CRTs has been around since the 80s, but Cambridge University researchers have now shown that laptops and flat-panel displays are vulnerable too. Using basic radio equipment and an FPGA board totaling less than $2,000 it was possible for researchers to read text from a laptop three offices away. 'Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximize the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference.'"
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday April 20, 2007 @05:27PM (#18817529) Homepage Journal

    The title given to this story on slashdot is awful, especially for a geek news site. Haven't we already established that obscurity is not security? And about a million times over?

    An unpublished vulnerability is no less real than one that has been announced, and is in fact more dangerous because the lack of an announcement leads to a false feeling of security. The real story is that your laptop has in fact been vulnerable to van Eck phreaking for years and years, not just "now".

    It's a good thing I haven't had faith in slashdot for a long time now, or I'd be really disappointed. As it is, I'm just pointing this out for those who didn't already notice.

  • by michaelmalak ( 91262 ) <michael@michaelmalak.com> on Friday April 20, 2007 @05:40PM (#18817681) Homepage
    Russia and the U.S. had been snooping VDT images since the early 1970's or earlier. van Eck just made it public by publishing a paper on how to do it with $100 of Radio Shack parts. cryptome.org [cryptome.org] forum postings include a reference to a 1973 book.
  • Cryptonomicon? (Score:5, Informative)

    by chochos ( 700687 ) on Friday April 20, 2007 @05:45PM (#18817733) Homepage Journal
    So the hack that is mentioned in Cryptonomicon is pure sci-fi? It says that van-eck was possible on a laptop because of some backwards compatibility issue, in which laptops still refreshed the display 60 times per second or so, even if they didn't need to, so you could pick up on that radiation or something for the phreaking. It wasn't really possible until now? Or is this a different method where you can spy on LCD's using some method specific to LCD's?
  • Re:HDMI? (Score:2, Informative)

    by pushing-robot ( 1037830 ) on Friday April 20, 2007 @05:50PM (#18817779)
    If they were able to read a signal from a laptop, they were reading a digital signal. Laptops have always used a digital display interface.

    But yeah, encrypted HDMI would make it more difficult.
  • TEMPEST in a teacup (Score:3, Informative)

    by Anonymous Coward on Friday April 20, 2007 @05:51PM (#18817795)
    Long before Van Eck publicly demonstrated it, the NSA was well aware of the problem. It extends beyond the CRT. NSA created the TEMPEST program to reduce radiation of information.

    Simply put, change the voltage level or current level of a device and you generate a signal that is conducted along wires and other conductive paths and radiated from those conductive paths. Interception of the conducted or radiated changes can be used to re-create the original information. Whether the information is in serial, parallel or raster format it is a relatively trivial problem given some time and computing resources.

    Is it a problem for most of us? Given that someone will try the easiest ways to get the information, using Van Eck or other types of TEMPEST attacks is much less likely than social engineering or other means to get your information.

  • Re:HDMI? (Score:3, Informative)

    by chgros ( 690878 ) <charles-henri.gros+slashdot@m 4 x .org> on Friday April 20, 2007 @05:58PM (#18817891) Homepage
    I'm skeptical of the idea that the main video link will be encrypted any time soon though, because of the immense bandwidth involved.
    I thought that was already done.

    http://en.wikipedia.org/wiki/HDCP [wikipedia.org]
  • TEMPEST (Score:5, Informative)

    by Detritus ( 11846 ) on Friday April 20, 2007 @06:02PM (#18817933) Homepage
    The NSA, and other intelligence agencies, have been exploiting stuff like this for more than fifty years. Technology changes, but the fundamental principle, interception of EM radiation, stays the same. You can even spy on certain models of electric typewriters. If you ever get the chance to look at TEMPEST certified hardware, you will see the lengths that the engineers have to go to, to shield and filter an electronics device. Besides the box itself, all cables have to be well shielded and filtered, or they just function as antennas for your sensitive data.
  • by Tom Womack ( 8005 ) <tom@womack.net> on Friday April 20, 2007 @06:58PM (#18818581) Homepage
    This really isn't new news; the work was done in 2004 and presented as

    http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf [cam.ac.uk]

    as well as countermeasures; randomising the low-order bit of all your pixels anew in every frame would be ideal, but using colours which have the same number of bit transitions in 'black' and 'white' works almost as well. Looks a bit ugly to have your screen entirely in off-greens and off-pinks, but that's the price of security.

    HDCP actually helps against this kind of thing, because there are no long lengths of wire carrying unencoded video signal.
  • by mikael ( 484 ) on Friday April 20, 2007 @07:19PM (#18818815)
    "i have a friend, ehem, who is worried about this kind of hack, ehem, and i was, i mean he was, wondering what he could do to guard against it?"

    Sit inside a Faraday cage ...

    but make sure you always carry a spare key for the door with you
  • More information (Score:4, Informative)

    by Masato ( 567927 ) on Friday April 20, 2007 @07:52PM (#18819105) Journal
    I recently finished a research project on this subject and have actually had a chance to read a few of Kuhn's papers. From what I've seen and what other researchers have done, not a lot of thought has gone into making most equipment EMSEC compatible, so I'm not at all surprised by this finding. Most of the time, having "secure" equipment isn't required as very few individuals beyond large government entities have the money, resources and knowledge to be able to conduct such an attack. Extensive design and testing is required to ensure that equipment conforms to EMSEC standards and most companies are simply not willing to spend the extra money to certify their equipment for something very few people know anything about. According to Kuhn (see Security Limits for Compromising Emanations [cam.ac.uk] - warning PDF) emissions levels need to be as much as six orders of magnitude lower to prevent unauthorized snooping on most modern equipment.

    Another paper that is very relevant to this article is from a Japanese group who did research on the same topic (LCDs, laptops, etc) A Trial of the Interception of Display Image using Emanation of Electromagnetic Wave [www.nict.jp] - again, a PDF. What's interesting to note from this paper is the fact that the researchers found that minor inconsistencies in the production of the equipment caused slightly different synchronous frequencies to be detected. This means in an office it could be possible for an attacker to "choose" which monitor they wish to look at by its frequency signature.
  • by Ungrounded Lightning ( 62228 ) on Friday April 20, 2007 @09:29PM (#18819847) Journal
    I'm not an expert on Van Eck phreaking, so it's possible that the previously used methods were incapable of detecting this for whatever reason...

    Previous methods could intercept the signal. Processing it back into an image was the problem.

    CRTs essentially modulate the beam current with the basic video signal. Leakage of that puts into the air precisely what you need to produce a copy of the image part (though the current is cut off for retrace). Also pick up and sort out the spikes from the H and V deflection, or interpolate the image sync from the dark areas in the video, and you can reconstruct the sync signals and have a fully-functional video signal, ready to put into another CRT. (Use a directional antenna so you don't jam your own receiver by looking at the result.)

    The signal to the laptop's LCD display also leaks. But the leaked signal isn't such a straightforward copy of an analog video signal, ready to be fed to a monitor. Much more processing.

    Which they've now managed to do.
  • Re:Telling question (Score:1, Informative)

    by Anonymous Coward on Friday April 20, 2007 @10:03PM (#18820093)
    This was part of Markus's Ph.D. thesis filed in 2003. Why is this coming out now?
  • by Anonymous Coward on Friday April 20, 2007 @11:36PM (#18820795)
    Come on! There was a paper on this exact topic presented at Privacy Enhancing Technologies 2004. Don't you guys keep up with your journals?

    Kuhn, Markus G. "Electromagnetic Eavesdropping Risks of Flat-Panel Displays." Privacy Enhancing Technologies,
    4th International Workshop, PET 2004, Toronto, Canada, May 26-28, 2004. Revised Selected Papers. Springer.

    Paper link:
    http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf [cam.ac.uk]

    And author homepage:
    http://www.cl.cam.ac.uk/~mgk25/ [cam.ac.uk]

    IIRC, this paper has some really interesting stuff that totally debunks the notion that laptops, or indeed LCDs in general, are more TEMPEST-safe than CRTs. I believe the high speed digital signals (which, in laptops, transit proprietary buses but are no more protected for it, and are in fact less shielded than external cables) actually make the attacks *easier.* There's also interesting stuff about introducing interference into the signals to distort eavesdropping, but I think it does not work satisfactorily. Basically, until we all use encrypted DVI (shudder--conceived to limit the ability of consumers to interact with and utilize their own equipment by the MAFIAA--but still possibly useful for privacy), our video signals are being broadcast constantly. Some irony there...
