Emission Security: Difference between revisions

From
Jump to navigation Jump to search
No edit summary
No edit summary
 
(22 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Introduction ==
== Introduction ==


=== What is Emission Security ? (EMSEC) ===
----
Computer and communications devices emit numerous forms of energy. It is part of their normal operation: the user wants feedback and needs to hear or to see something.
to do

But more emissions than most users are aware of, are the result of unintended side effects. E.g. anything that can carry a current can act like an antenna. When a conductor drives an oscillating current, which is very common in digital devices, it emits electromagnetic radiation carrying both power and signals away from the source.

The trouble begins when the emitted energy carries information about processed data. An eavesdropper can intercept and analyse such compromising emanations to steal information.


=== A word on TEMPEST ===
TEMPEST is often used more broadly for the entire field of EMSEC, but originally it is a U.S. government code word for a set of standards limiting electric or electromagnetic radiation emanations from electronic equipment to prevent electronic espionage. Find the complete article on [http://en.wikipedia.org/wiki/Emission_security Wikipedia]. Much knowledge in this area is classified military research, but basic information has become available since 1995. The following examples show types of compromising emanations that have been demonstrated in the open literature.


=== Types of compromising emanations ===

* '''Electromagnetic waves radiated into free space or along metallic conductors'''
Cathode-ray tube (CRT) displays act as a parasitic transmission antenna, they emit video signal as electromagnetic waves. [Eck1985]

* '''Cross-Talk'''
Where data and telephone lines share the same cable conduit for several meters information from one cable may be transmitted to the other.

* '''Power-supply current fluctuations'''
Line drivers for data cables have data-dependent power consumption, which can affect the supply voltage. [Smulders1990]

* '''Vibrations, acoustic and ultrasonic emissions'''
Acoustic emanations of matrix printers can carry substantial information about the text being
printed. [SEPI1991]
PC keyboards are vulnerable to attacks based on differentiating the sound emanated by different keys. [Asonov2004]

* '''High-frequency optical signals'''
LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. [Loughry2002]




Line 8: Line 36:


----
----
'''19th century'''
to do

First appearance of the emanation problem was in the 19th century, when extensive telephone wire networks were laid out. It came to cross-talks between telephone wires. People sometimes could hear other conversations on their telephone line. One way of dealing with it was to use "transpositions," whereby the wires were crossed over at intervals to make the circuit a twisted pair.


'''1914'''
The flrst appearance of compromising emanations in warfare seems to date to 1914. Field telephone wires were laid parallel to enemy trenches to connect the troops with their headquarters. The effect was again cross-talks. Listening posts were quickly established
and protective measures were introduced, including the use of twisted-pair cable.


'''Mid-1950s'''

The exact date is not known in public, but it happens sometime in 1950, when the U.S. Government becomes concerned about the Emission Security problem and establishes the TEMPEST Program. The first TEMPEST standards were developed to deal with the increasing danger of espionage.


'''1960'''

In Great Britain were TV detector vans used to find illegal owners of television sets. The reason was, that TV owners had to pay an annual license fee.


'''1960'''

In 1960 was the british secret service MI5 ordered to eavesdrop the French embassy in the course of negotiations about joining the European Economic Community. The crypto analysts were not able to decrypt the enciphered signal from the French embassy, but they noticed a faint secondary signal, which was the plain text.


'''1970s'''

All about the title Emission Security vanished from the open literature.


'''1984'''

The secret service of GDR called MfS spied out the Ministry of Foreign Trade by eavesdropping the compromising emanations.


'''1985'''

The dutch researcher Wim van Eck published an unclassified paper of security risks of emanations from computer monitors. This paper caused consternation in the security community, where all thought, that those attacks were only possible with very high tech equipment. But Wim van Eck eavesdropped a system using just 15$ worth of equipment plus a television set. With this paper Emission Security came back to public attention.


'''1990s'''

Many published research about Emission Security were made for example about Vulnerabilities of smart cards (Markus Kuhn and Ross Anderson 1996) and Vulnerabilities of crypto-systems (Paul Kocher). Kuhn and Anderson also published a paper showing that compromising emanations from PCs could be countered with measures in software.
1995 were also basic information of the TEMPEST standard published.




== Physical Backgrounds==
== Physical Backgrounds==



----
The strongest transmitters in PCs are displaying devices like graphic cards, video cables or monitors, because they work with high frequencies and they need much power. So the emanation of these devices is high energetical and it has high ranges. In addition are visual signals periodical (e.g. the output of visual memory of a graphic card is 70-100 times in one second). Periodic signals are easy to eavesdrop, because the noise can be reduced by middling.
to do
These components radiate in three frequency bands:
- The vertical diverting signal works in lower kHz band.
- The horizontal diverting signal works in lower MHz band (Long and medium wave).
- The video signal has frequencies up to 100 MHz.

The diverting signals are very easy to eavesdrop and reconstruct, but they contain no important information like the video signal. The video signal is an overlapping of sinus signals with different frequencies. Via fourier transformation is it possible to get the spectrum of the video signal which contain all information to reconstruct it. The spectrum is repeated at all multiples of the pixel cycle (reciprocal of time the electron ray needs to get from one pixel to his neighbour). So the information is also available at higher frequencies. This is called "upper waves". The intensity of upper waves depends on sharpness of the pixels.

Video cable, power supply and amplifier of monitors work like antennas especially for upper
waves. But not all informations can be reconstructed from emanations. Letters produce a wide band signal because of their thin vertical lines. Texts contain many redundancy because they use only a subset of all possible pixel-patterns. So Texts are easy to reconstruct.
But there is no procedure known to rebuild colour information. So pictures are difficult to reconstruct.




== Attacks ==
== Attacks ==


=== Video Display Units ===
----
In the early 80's the Dutch PTT (Post, Telephone, and Telegraph) has tested monitors and keyboards connected to telephone lines in homes for sending and receiving mail. During the tests some users complained about interference from their neighbor's units. Several persons were able to read a neighbor's mail as the neighbor viewed electronic mail on the screen at home.
to do


Wim Van Eck at the Dr. Neher Laboratories was assigned the task of developing an inexpensive detection unit to monitor RF electromagnetic radiation to evaluate monitors to help with installation problems.

It was considered very difficult to reconstruct the data hidden in the radiated field, only possible for professionals with access to very sophisticated detection and decoding equipment. Van Ecks research proofed this to be wrong. He made a demostration with material for less than $220, based on a modified TV set.

The structure of the video signal shows remarkable resemblance to a normal broadcast TV signal. The pixel rate may even be located inside the TV broadcast bonds, only the synchronisation
information is missing and has to be reconstructed. The signal is emited by the CRT itself and by the cable connecting the display with the hardware generating the image. As a result even LCD displays are sensitive to the attac. Try out [http://www.erikyyy.de/tempest/ Tempest for Eliza] to see that this is more than theory.

[Eck1985]


=== Keyboard Acoustic Emanations ===
The sound of clicks produced when typing on a PC keybord can differ slightly from key to key, although the clicks of different keys sound very similar to the human ear. A neural network can be trained to differentiate the keys to successfully carry out an attack. The keyboard plate acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher.

The attac is very cheap. All you need is a computer, standard software to record the clicks and to train a neural network (available for free - read the paper) and a microphone.

The attac is simple. It is non-invasive - no physical intrusion into the system is needed and the quality of the sound is not very important. It can be recorded from substantial distance (even with a cell phone).

[Asonov2004]


=== Radiation from RS-232 Cables ===
Experiments on eavesdropping RS-232 cable signals prove that it is possible to intercept data signals running along an RS-232 cable, by picking up and decoding the electromagnetic radiation produced by the cable. The rise and fall times of the data signal are very short. Consequently, they correspond to high frequency components resulting in considerable radiation. In many cases, the RS-232 cables are not shielded, or the shield is not adequately
connected to the equipment. Usually, the data is coded in well-known character sets, like ASCII.

The interception-distance is limited to several meters, but the needed equipment is small, simple and cheap: a pocket radio receiver, a tape recorder and a computer to analyse the data.

[Smulders1990]


== Countermeasures ==
== Countermeasures ==


=== Countermeasures against bugs ===
----
to do


Certainly the compromising emanations can be eavesdropped in passive ways, but often the eavesdropper cannot get close enough for long time to get all information from an IT-device he needs. So he will use bugs, which reinforce these signals. There are some countermeasures against bugs, but they all have disadvantages.

First of all is it possible to use "non linear junction detectors" to find hidden electronic equipment at close range. It works because the transistors, diodes, and other nonlinear junctions in electronic equipment have the effect of rectifying incident radio frequency signals. The device broadcasts a weak radio signal, and listens for harmonics of this signal. However, if the bugs were planted near other electronics then the nonlinear junction detector is not much help.

Secondly there are some "surveillance receivers" on the market. This one detect conspicuous signals in the radio spectrum between 10 kHz and 3 Ghz, which cannot be explained as broadcast, police, air traffic control and so on. But there are bugs which operate on same frequencies and protocols like mobile phones.

The most drastic countermeasure is to build the buildings completely shielded or underground. In that case are bugs useless because their signals wont get outside. This solution is sometimes used for military organisations.

=== Countermeasures against emanation ===

Without doubt the best solution is to place sensitive devices in a Faraday cage. That means that the room is completely shielded and no wires (e.g. power supply or telephone) and no pipelines (e.g. for heatimg) should get outside.

A good base is to do red/black separation. Red equipment (carrying confidential data) has to be isolated from black equipment (sends signals to outside world). But some devices are red and black (e.g. crypting machines). Another problem is, that the standards for properly shielded hardware are classified. Only a few firms produce this hardware in small quantities. Unnecessary to mention that this hardware is very expensive.

Another way is the Zone Model. The Zone Model takes into account the propagation conditions for compromising emanations. The attenuation of radiation from IT device to the potential receiver is determined by metrological means. Basing on that the environment is divided in security-critical Zones. Siemens offers zone0-devices, which have very low emanation (not possible to eavesdrop outside the closed zone called zone0). Zone0-devices must be registered with the BSI (Bundesamt für Sicherheit in der Informationstechnik). They cost tenfold more than comparable devices without this standard.

One word on Jammers: Jammers are inefficient, because their strength is restricted by german law. In addition can the signals of jammers calculated out by eavesdropper after observing it for several time, if the jammers signal is not correlated with the other signals.

A much cheaper and efficient solution is "Soft Tempest". Soft Tempest is based on the work by Markus Kuhn and Ross Anderson and uses software techniques to filter, mask, or render incomprehensible the information bearing electromagnetic emanations from a computer system. For example is it possible to remove the top 30% of fourier transform of a standard font with a low-pass-filter. The user dont notice that but the eavesdropper is dependent on these "upper waves".

Figures 15.4 and 15.5 display photographs of the screen with the two video
signals from Figures 15.2 and 15.3. The difference in the emitted RF is dramatic, as illustrated in the photographs in Figures 15.6 and 15.7. These show the potentially compromising emanations, as seen by a Tempest monitoring receiver.

[[Image:MarkusKuhnRossAnderson_SoftTempest.jpg|left|Source: 1]]




















































Source: [1]
== Links ==
== Links ==


----
----
[http://www.informatik.hu-berlin.de/~lohmann/tempest.html Interesting text in german by Sebastian Lohmann from HU in 1999]

[http://www.bsi.bund.de/literat/faltbl/012_blab.htm Part of Homepage from BSI (Bundesamt für Sicherheit in der Informationstechnik) about Compromising Emanations]

[http://en.wikipedia.org/wiki/Emission_security Wikipedia article about TEMPEST]

[http://www.eskimo.com/~joelm/tempest.html Very good unofficial TEMPEST information page]



== Bibliography ==
== Bibliography ==

[1] Ross Anderson and Markus Kuhn - Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations [http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf]

[Eck1985] Van Eck - Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?, 1985 [http://jya.com/emr.pdf pdf]

[Smulders1990] Peter Smulders - The Threat of Information Theft by Reception of Electromagnetic Radiation from RS-232 Cables, 1990 [http://jya.com/rs232.pdf pdf]

[SEPI1991]
Symposium on electromagnetic security for information protection (SEPI'91), Proceedings, Rome, Italy, 21-22 November 1991

[Asonov2004] Dmitri Asonov and Rakesh Agrawal - Keyboard Acoustic Emanations, 2004 [http://www.almaden.ibm.com/software/quest/Publications/papers/ssp04.pdf pdf]

[Loughry2002] Joe Loughry and David A. Umphress - Information Leakage from Optical Emanations, 2002 [http://applied-math.org/optical_tempest.pdf pdf]

Latest revision as of 12:51, 3 February 2005

Introduction

What is Emission Security ? (EMSEC)

Computer and communications devices emit numerous forms of energy. It is part of their normal operation: the user wants feedback and needs to hear or to see something.

But more emissions than most users are aware of, are the result of unintended side effects. E.g. anything that can carry a current can act like an antenna. When a conductor drives an oscillating current, which is very common in digital devices, it emits electromagnetic radiation carrying both power and signals away from the source.

The trouble begins when the emitted energy carries information about processed data. An eavesdropper can intercept and analyse such compromising emanations to steal information.


A word on TEMPEST

TEMPEST is often used more broadly for the entire field of EMSEC, but originally it is a U.S. government code word for a set of standards limiting electric or electromagnetic radiation emanations from electronic equipment to prevent electronic espionage. Find the complete article on Wikipedia. Much knowledge in this area is classified military research, but basic information has become available since 1995. The following examples show types of compromising emanations that have been demonstrated in the open literature.


Types of compromising emanations

  • Electromagnetic waves radiated into free space or along metallic conductors

Cathode-ray tube (CRT) displays act as a parasitic transmission antenna, they emit video signal as electromagnetic waves. [Eck1985]

  • Cross-Talk

Where data and telephone lines share the same cable conduit for several meters information from one cable may be transmitted to the other.

  • Power-supply current fluctuations

Line drivers for data cables have data-dependent power consumption, which can affect the supply voltage. [Smulders1990]

  • Vibrations, acoustic and ultrasonic emissions

Acoustic emanations of matrix printers can carry substantial information about the text being printed. [SEPI1991] PC keyboards are vulnerable to attacks based on differentiating the sound emanated by different keys. [Asonov2004]

  • High-frequency optical signals

LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. [Loughry2002]


History


19th century

First appearance of the emanation problem was in the 19th century, when extensive telephone wire networks were laid out. It came to cross-talks between telephone wires. People sometimes could hear other conversations on their telephone line. One way of dealing with it was to use "transpositions," whereby the wires were crossed over at intervals to make the circuit a twisted pair.


1914

The flrst appearance of compromising emanations in warfare seems to date to 1914. Field telephone wires were laid parallel to enemy trenches to connect the troops with their headquarters. The effect was again cross-talks. Listening posts were quickly established and protective measures were introduced, including the use of twisted-pair cable.


Mid-1950s

The exact date is not known in public, but it happens sometime in 1950, when the U.S. Government becomes concerned about the Emission Security problem and establishes the TEMPEST Program. The first TEMPEST standards were developed to deal with the increasing danger of espionage.


1960

In Great Britain were TV detector vans used to find illegal owners of television sets. The reason was, that TV owners had to pay an annual license fee.


1960

In 1960 was the british secret service MI5 ordered to eavesdrop the French embassy in the course of negotiations about joining the European Economic Community. The crypto analysts were not able to decrypt the enciphered signal from the French embassy, but they noticed a faint secondary signal, which was the plain text.


1970s

All about the title Emission Security vanished from the open literature.


1984

The secret service of GDR called MfS spied out the Ministry of Foreign Trade by eavesdropping the compromising emanations.


1985

The dutch researcher Wim van Eck published an unclassified paper of security risks of emanations from computer monitors. This paper caused consternation in the security community, where all thought, that those attacks were only possible with very high tech equipment. But Wim van Eck eavesdropped a system using just 15$ worth of equipment plus a television set. With this paper Emission Security came back to public attention.


1990s

Many published research about Emission Security were made for example about Vulnerabilities of smart cards (Markus Kuhn and Ross Anderson 1996) and Vulnerabilities of crypto-systems (Paul Kocher). Kuhn and Anderson also published a paper showing that compromising emanations from PCs could be countered with measures in software. 1995 were also basic information of the TEMPEST standard published.


Physical Backgrounds

The strongest transmitters in PCs are displaying devices like graphic cards, video cables or monitors, because they work with high frequencies and they need much power. So the emanation of these devices is high energetical and it has high ranges. In addition are visual signals periodical (e.g. the output of visual memory of a graphic card is 70-100 times in one second). Periodic signals are easy to eavesdrop, because the noise can be reduced by middling. These components radiate in three frequency bands:

 - The vertical diverting signal works in lower kHz band.
 - The horizontal diverting signal works in lower MHz band (Long and medium wave).
 - The video signal has frequencies up to 100 MHz.

The diverting signals are very easy to eavesdrop and reconstruct, but they contain no important information like the video signal. The video signal is an overlapping of sinus signals with different frequencies. Via fourier transformation is it possible to get the spectrum of the video signal which contain all information to reconstruct it. The spectrum is repeated at all multiples of the pixel cycle (reciprocal of time the electron ray needs to get from one pixel to his neighbour). So the information is also available at higher frequencies. This is called "upper waves". The intensity of upper waves depends on sharpness of the pixels.

Video cable, power supply and amplifier of monitors work like antennas especially for upper waves. But not all informations can be reconstructed from emanations. Letters produce a wide band signal because of their thin vertical lines. Texts contain many redundancy because they use only a subset of all possible pixel-patterns. So Texts are easy to reconstruct. But there is no procedure known to rebuild colour information. So pictures are difficult to reconstruct.


Attacks

Video Display Units

In the early 80's the Dutch PTT (Post, Telephone, and Telegraph) has tested monitors and keyboards connected to telephone lines in homes for sending and receiving mail. During the tests some users complained about interference from their neighbor's units. Several persons were able to read a neighbor's mail as the neighbor viewed electronic mail on the screen at home.

Wim Van Eck at the Dr. Neher Laboratories was assigned the task of developing an inexpensive detection unit to monitor RF electromagnetic radiation to evaluate monitors to help with installation problems.

It was considered very difficult to reconstruct the data hidden in the radiated field, only possible for professionals with access to very sophisticated detection and decoding equipment. Van Ecks research proofed this to be wrong. He made a demostration with material for less than $220, based on a modified TV set.

The structure of the video signal shows remarkable resemblance to a normal broadcast TV signal. The pixel rate may even be located inside the TV broadcast bonds, only the synchronisation information is missing and has to be reconstructed. The signal is emited by the CRT itself and by the cable connecting the display with the hardware generating the image. As a result even LCD displays are sensitive to the attac. Try out Tempest for Eliza to see that this is more than theory.

[Eck1985]


Keyboard Acoustic Emanations

The sound of clicks produced when typing on a PC keybord can differ slightly from key to key, although the clicks of different keys sound very similar to the human ear. A neural network can be trained to differentiate the keys to successfully carry out an attack. The keyboard plate acts like a drum, and each key hits the drum in a different location and produces a unique frequency or sound that the neural networking software can decipher.

The attac is very cheap. All you need is a computer, standard software to record the clicks and to train a neural network (available for free - read the paper) and a microphone.

The attac is simple. It is non-invasive - no physical intrusion into the system is needed and the quality of the sound is not very important. It can be recorded from substantial distance (even with a cell phone).

[Asonov2004]


Radiation from RS-232 Cables

Experiments on eavesdropping RS-232 cable signals prove that it is possible to intercept data signals running along an RS-232 cable, by picking up and decoding the electromagnetic radiation produced by the cable. The rise and fall times of the data signal are very short. Consequently, they correspond to high frequency components resulting in considerable radiation. In many cases, the RS-232 cables are not shielded, or the shield is not adequately connected to the equipment. Usually, the data is coded in well-known character sets, like ASCII.

The interception-distance is limited to several meters, but the needed equipment is small, simple and cheap: a pocket radio receiver, a tape recorder and a computer to analyse the data.

[Smulders1990]

Countermeasures

Countermeasures against bugs

Certainly the compromising emanations can be eavesdropped in passive ways, but often the eavesdropper cannot get close enough for long time to get all information from an IT-device he needs. So he will use bugs, which reinforce these signals. There are some countermeasures against bugs, but they all have disadvantages.

First of all is it possible to use "non linear junction detectors" to find hidden electronic equipment at close range. It works because the transistors, diodes, and other nonlinear junctions in electronic equipment have the effect of rectifying incident radio frequency signals. The device broadcasts a weak radio signal, and listens for harmonics of this signal. However, if the bugs were planted near other electronics then the nonlinear junction detector is not much help.

Secondly there are some "surveillance receivers" on the market. This one detect conspicuous signals in the radio spectrum between 10 kHz and 3 Ghz, which cannot be explained as broadcast, police, air traffic control and so on. But there are bugs which operate on same frequencies and protocols like mobile phones.

The most drastic countermeasure is to build the buildings completely shielded or underground. In that case are bugs useless because their signals wont get outside. This solution is sometimes used for military organisations.

Countermeasures against emanation

Without doubt the best solution is to place sensitive devices in a Faraday cage. That means that the room is completely shielded and no wires (e.g. power supply or telephone) and no pipelines (e.g. for heatimg) should get outside.

A good base is to do red/black separation. Red equipment (carrying confidential data) has to be isolated from black equipment (sends signals to outside world). But some devices are red and black (e.g. crypting machines). Another problem is, that the standards for properly shielded hardware are classified. Only a few firms produce this hardware in small quantities. Unnecessary to mention that this hardware is very expensive.

Another way is the Zone Model. The Zone Model takes into account the propagation conditions for compromising emanations. The attenuation of radiation from IT device to the potential receiver is determined by metrological means. Basing on that the environment is divided in security-critical Zones. Siemens offers zone0-devices, which have very low emanation (not possible to eavesdrop outside the closed zone called zone0). Zone0-devices must be registered with the BSI (Bundesamt für Sicherheit in der Informationstechnik). They cost tenfold more than comparable devices without this standard.

One word on Jammers: Jammers are inefficient, because their strength is restricted by german law. In addition can the signals of jammers calculated out by eavesdropper after observing it for several time, if the jammers signal is not correlated with the other signals.

A much cheaper and efficient solution is "Soft Tempest". Soft Tempest is based on the work by Markus Kuhn and Ross Anderson and uses software techniques to filter, mask, or render incomprehensible the information bearing electromagnetic emanations from a computer system. For example is it possible to remove the top 30% of fourier transform of a standard font with a low-pass-filter. The user dont notice that but the eavesdropper is dependent on these "upper waves".

Figures 15.4 and 15.5 display photographs of the screen with the two video signals from Figures 15.2 and 15.3. The difference in the emitted RF is dramatic, as illustrated in the photographs in Figures 15.6 and 15.7. These show the potentially compromising emanations, as seen by a Tempest monitoring receiver.

Source: 1



























Source: [1]

Links


Interesting text in german by Sebastian Lohmann from HU in 1999

Part of Homepage from BSI (Bundesamt für Sicherheit in der Informationstechnik) about Compromising Emanations

Wikipedia article about TEMPEST

Very good unofficial TEMPEST information page


Bibliography

[1] Ross Anderson and Markus Kuhn - Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf

[Eck1985] Van Eck - Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?, 1985 pdf

[Smulders1990] Peter Smulders - The Threat of Information Theft by Reception of Electromagnetic Radiation from RS-232 Cables, 1990 pdf

[SEPI1991] Symposium on electromagnetic security for information protection (SEPI'91), Proceedings, Rome, Italy, 21-22 November 1991

[Asonov2004] Dmitri Asonov and Rakesh Agrawal - Keyboard Acoustic Emanations, 2004 pdf

[Loughry2002] Joe Loughry and David A. Umphress - Information Leakage from Optical Emanations, 2002 pdf