Emission Security
Introduction
to do
History
19th century
First appearance of the emanation problem was in the 19th century, when extensive telephone wire networks were laid out. It came to cross-talks between telephone wires. People sometimes could hear other conversations on their telephone line. One way of dealing with it was to use "transpositions," whereby the wires were crossed over at intervals to make the circuit a twisted pair.
1914
The flrst appearance of compromising emanations in warfare seems to date to 1914. Field telephone wires were laid parallel to enemy trenches to connect the troops with their headquarters. The effect was again cross-talks. Listening posts were quickly established and protective measures were introduced, including the use of twisted-pair cable.
Mid-1950s
The exact date is not known in public, but it happens sometime in 1950, when the U.S. Government becomes concerned about the Emission Security problem and establishes the TEMPEST Program. The first TEMPEST standards were developed to deal with the increasing danger of espionage.
1960
In Great Britain were TV detector vans used to find illegal owners of television sets. The reason was, that TV owners had to pay an annual license fee.
1960
In 1960 was the british secret service MI5 ordered to eavesdrop the French embassy in the course of negotiations about joining the European Economic Community. The crypto analysts were not able to decrypt the enciphered signal from the French embassy, but they noticed a faint secondary signal, which was the plain text.
1970s
All about the title Emission Security vanished from the open literature.
1984
The secret service of GDR called MfS spied out the Ministry of Foreign Trade by eavesdropping the compromising emanations.
1985
The dutch researcher Wim van Eck published an unclassified paper of security risks of emanations from computer monitors. This paper caused consternation in the security community, where all thought, that those attacks were only possible with very high tech equipment. But Wim van Eck eavesdropped a system using just 15$ worth of equipment plus a television set. With this paper Emission Security came back to public attention.
1990s
Many published research about Emission Security were made for example about Vulnerabilities of smart cards (Markus Kuhn and Ross Anderson 1996) and Vulnerabilities of crypto-systems (Paul Kocher). Kuhn and Anderson also published a paper showing that compromising emanations from PCs could be countered with measures in software. 1995 were also basic information of the TEMPEST standard published.
Physical Backgrounds
The strongest transmitters in PCs are displaying devices like graphic cards, video cables or monitors, because they work with high frequencies and they need much power. So the emanation of these devices is high energetical and it has high ranges. In addition are visual signals periodical (e.g. the output of visual memory of a graphic card is 70-100 times in one second). Periodic signals are easy to eavesdrop, because the noise can be reduced by middling. These components radiate in three frequency bands:
- The vertical diverting signal works in lower kHz band. - The horizontal diverting signal works in lower MHz band (Long and medium wave). - The video signal has frequencies up to 100 MHz.
The diverting signals are very easy to eavesdrop and reconstruct, but they contain no important information like the video signal. The video signal is an overlapping of sinus signals with different frequencies. Via fourier transformation is it possible to get the spectrum of the video signal which contain all information to reconstruct it. The spectrum is repeated at all multiples of the pixel cycle (reciprocal of time the electron ray needs to get from one pixel to his neighbour). So the information is also available at higher frequencies. This is called "upper waves". The intensity of upper waves depends on sharpness of the pixels.
Video cable, power supply and amplifier of monitors work like antennas especially for upper waves. But not all informations can be reconstructed from emanations. Letters produce a wide band signal because of their thin vertical lines. Texts contain many redundancy because they use only a subset of all possible pixel-patterns. So Texts are easy to reconstruct. But there is no procedure known to rebuild colour information. So pictures are difficult to reconstruct.
Attacks
to do
Countermeasures
Countermeasures against bugs
Certainly the compromising emanations can be eavesdropped in passive ways, but often the eavesdropper cannot get close enough for long time to get all information from an IT-device he needs. So he will use bugs, which reinforce these signals. There are some countermeasures against bugs, but they all have disadvantages.
First of all is it possible to use "non linear junction detectors" to find hidden electronic equipment at close range. It works because the transistors, diodes, and other nonlinear junctions in electronic equipment have the effect of rectifying incident radio frequency signals. The device broadcasts a weak radio signal, and listens for harmonics of this signal. However, if the bugs were planted near other electronics then the nonlinear junction detector is not much help.
Secondly there are some "surveillance receivers" on the market. This one detect conspicuous signals in the radio spectrum between 10 kHz and 3 Ghz, which cannot be explained as broadcast, police, air traffic control and so on. But there are bugs which operate on same frequencies and protocols like mobile phones.
The most drastic countermeasure is to build the buildings completely shielded or underground. In that case are bugs useless because their signals wont get outside. This solution is sometimes used for military organisations.
Countermeasures against emanation
Without doubt the best solution is to place sensitive devices in a Faraday cage. That means that the room is completely shielded and no wires (e.g. power supply or telephone) and no pipelines (e.g. for heatimg) should get outside.
A good base is to do red/black separation. Red equipment (carrying confidential data) has to be isolated from black equipment (sends signals to outside world). But some devices are red and black (e.g. crypting machines). Another problem is, that the standards for properly shielded hardware are classified. Only a few firms produce this hardware in small quantities. Unnecessary to mention that this hardware is very expensive.
Another way is the Zone Model. The Zone Model takes into account the propagation conditions for compromising emanations. The attenuation of radiation from IT device to the potential receiver is determined by metrological means. Basing on that the environment is divided in security-critical Zones. Siemens offers zone0-devices, which have very low emanation (not possible to eavesdrop outside the closed zone called zone0). Zone0-devices must be registered with the BSI (Bundesamt für Sicherheit in der Informationstechnik). They cost tenfold more than comparable devices without this standard.
One word on Jammers: Jammers are inefficient, because their strength is restricted by german law. In addition can the signals of jammers calculated out by eavesdropper after observing it for several time, if the jammers signal is not correlated with the other signals.
A much cheaper and efficient solution is "Soft Tempest". Soft Tempest is based on the work by Markus Kuhn and Ross Anderson and uses software techniques to filter, mask, or render incomprehensible the information bearing electromagnetic emanations from a computer system. For example is it possible to remove the top 30% of fourier transform of a standard font with a low-pass-filter. The user dont notice that but the eavesdropper is dependent on these "upper waves".
Links
Interesting text in german by Sebastian Lohmann from HU in 1999
Wikipedia article about TEMPEST
Very good unofficial TEMPEST information page