Schneier on Security
A blog covering security and security technology.
« Airlines Profiting from TSA Rules |
| Our Data, Ourselves »
May 20, 2008
Spying on Computer Monitors Off Reflective Objects
At Saarland University, researchers trained a $500 telescope on a teapot near a computer monitor 5 meters away. The images are tiny but amazingly clear, professor Michael Backes told IDG.
All it took was a $500 telescope trained on a reflective object in front of the monitor. For example, a teapot yielded readable images of 12 point Word documents from a distance of 5 meters (16 feet). From 10 meters, they were able to read 18 point fonts. With a $27,500 Dobson telescope, they could get the same quality of images at 30 meters.
Here's the paper:
We present a novel eavesdropping technique for spying at a distance on data that is displayed on an arbitrary computer screen, including the currently prevalent LCD monitors. Our technique exploits reflections of the screen’s optical emanations in various objects that one commonly finds in close proximity to the screen and uses those reflections to recover the original screen content. Such objects include eyeglasses, tea pots, spoons, plastic bottles, and even the eye of the user. We have demonstrated that this attack can be successfully mounted to spy on even small fonts using inexpensive, off-the-shelf equipment (less than 1500 dollars) from a distance of up to 10 meters. Relying on more expensive equipment allowed us to conduct this attack from over 30 meters away, demonstrating that similar attacks are feasible from the other side of the street or from a close-by building. We additionally establish theoretical limitations of the attack; these limitations may help to estimate the risk that this attack can be successfully mounted in a given environment.
Posted on May 20, 2008 at 10:44 AM
• 48 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Didn't the bods at Cambridge lads mention this in their paper on Optical Tempest.
I guess I will have to go dig out the paper and read it.
nifty research - an idea right out of Bladerunner. I'm truly amazed that they got usable images off plastic soda bottles. If you see someone with a telescope outside your window it's time to draw the shades.
They have binoculars with built-in digital cameras. Real snoops would be able to build something a tad smaller than telescope.
Yup my mind is not letting me down 8)
Have a look at the first paragraph of section 2 of,
"It has of course not escaped the attention of security experts in the past that anu video display surface that is within a line of sight to an eavesdropper's hiding place could be read with the help of a telescope"
Before going on to give a break down of the limiting factors of the process.
So the only new bit is "by reflection", however Markus's paper deals with reflection of the signal off of a wall into the telescope with a photomultiplier attached. So again it appears to have been covered.
All of a sudden, Cliff Stoll's doggedness makes even more sense. :^)
can't find a youtube clip, but I hope they reference the scene in Bladerunner where Deckard zooms in on a reflection in a photograph.
The "traditional" application for this technique is to cheat at cards.
Didn't Bruce run a similar story reprinted from a 1920's magazine last year?
Does anybody know if the 3M privacy filters are effective against this type of eavesdropping?
I was about to comment "that's impressive" and then realized that was the word you used to introduce it. Very nice to have both proof of concept and theoretical limits in the same paper. Interesting, simple, practical, immediately applicable, may I have some more grant money please?
The paper of Markus Kuhn you are referring to is applicable to LCD monitors only, as it exploits time-characteristics of the emanation (the "flickering" of LCD monitors) that are not present with LCD monitors.
Our attack, however, applies to all types of monitors (we are aware of), in particular to LCD monitors.
These privacy filters do not really prevent the attack, as they still let light pass to the user's eye (they better should!), as well as other objects that are located in close proximity to the user. However, the filter prevents reflections in objects placed farther away, thus rendering the attack somehow harder.
Here is a website that offers a 'special high-tech defense' against that type of spying:
I'm partial to the Bamboo anti-high-tech-spying-devices, but they also have 'black out' shades and more.
>>Real snoops would be able to build something a tad smaller than telescope.
Probably not. You quickly run into the laws of optics, which will dictate the minimum lens size needed.
$25K for a Dobsonian telescope??? Gow big was the primary mirror - a couple of meters? Dobs are hardly compact, so even from 30 meters away, they'd be rather obvious!
Similar "scene" in the movie "Rising Sun" with Sean Connery...
... and one need only look at the cover of one of Bruce's books for another example...
That's going to a lot of trouble. Just walk by the windows and look. For example, several Manhattan banks have PCs at street level, by the windows, with their screens fully visible to any pedestrians that just happen to be walking by.
Oh, bother. Time to ban reflective surfaces.
Of course, the paper title could have been much better... As someone here at Oakland suggested, it should have been called "TEMPEST in a Tea-Pot"
"Time to ban reflective surfaces"
I've just finished reading their paper look at the future work.
Where they talk about non reflecting or diffuse images on cloathing or walls...
If they get that going our little cubicles will get lids as well as not having windows.
We will all become one of Douglas Adams mind surfing monks, vowed to forever be locked up in a copper box 8(
The Dobson had a main mirror with diameter 60cm, still a reasonable size that can, e.g., be easily hidden in a flat at the opposite side of a street. What made the Dobson so expensive was the excellent quality of the mirror. If one is only interested in spying, worse mirrors and/or other, more compact telescope designs are preferable. Currently we used Schmidt-Cassegrain-type telescopes.
From the article:
Unfortunately for the NSA, there is
an easy defense. “Closing your
curtains is maybe the best thing
you can do,” Backes said.
Funny he should mention that. A long time ago I worked on a secret project at Lawrence Livermore National Laboratory, and we were forbidden to OPEN our curtains, or venetian blinds in our case. The building code said we had to have windows, and the security code said we couldn't open them :-)
The reflective surface is really a red herring. They could get better image quality by just looking straight at the monitor. I honestly can't believe anyone would bother to pursue this.
Damn it! All those years wearing mirrorshades wanting to be a cyberpunk.........That said, our reality was virtual then.
"better image quality by just looking straight at the monitor"
Funny thing about looking straight at someone's monitor is that it might be caught. I mean if someone did use a privacy screen you could get a reflection at an angle off another surface...
Reflection not only makes perfect sense to me, but it's a technique that has probably been in use since the dawn of spying. In fact, I recently found an executive board at a very large financial company unintentionally reflecting a very sensitive presentation through a small window in a meeting room onto a large black shiny surface in the hallway.
Who knows why facilities put a shiny wall across the hall from a meeting room with a window, but even without one a regular-looking food cart with a teapot would have served the same purpose. While you would certainly get in trouble for standing around and peering through a window at the board you could easily stand a fair distance away and watch the important slides in a reflection.
Oh, and I forgot to mention that while I did not publish a paper on this rather obvious technique (kudos to the authors for thinking this was worthy of publication and actually getting credit), I also did not find a need for such expensive equipment.
They say "All it took was a $500 telescope" but that seems ridiculously bling-bling to me.
All it took was a stroll, a complimentary cup of tea and a thoughtful expression as I stared into the "empty" black space of a wall. If I had wanted more distance so I could sit down and relax more, I might have bothered with a fancy $30 pair of binoculars and a mirror (to reverse the image).
I mean if you spent $500 on a nice spy scope you could likely sit several blocks away and still feel like you were close enough to touch the screen. That seems like overkill to me, but then again I am not the astronomer in the family and I wasn't doing it for academic purposes -- watching for exposures through reflections was actually part of the job for my team.
To be fair, it wasn't just me. Andy (Big Dog) deserves credit for taking this theory early last year and finding exposed reflections from as many angles as there were walls and windows in the buildings we tested.
Yes, and then the cube theory will be complete!
I liked this part of the paper because it shows how absolutely silly things can go if you don't practice real-world analysis:
"The office of one of the authors had five curved reflecting surfaces: a glass, a bottle, a muesli container, a spoon, and the front glass of a wall clock. More tidy offices might be less threatened but the eye of the user (or even his glasses) will be present."
OMFG! He had a spoon in his office!
I thought muesli containers were covered in drab matte images of the Alps, no? Someone in the muesli container business must have been compromised.
Reading this made me think of the cover of "Secrets and Lies". The image contains both a secret AND a lie. The secret is now out. Bonus points if you can explain the lie.
Didn't Austin Powers use the "reflection in the eye" bit to detect an attack from behind?
I think the Vision lab at UIUC has been playing at similar ideas for a while, now.
Here in the UK the MOD have an effective countermeasure, under the codename "Dirty Windows". We find that a thick layer of grime also adds to the blast resistance of the glass :)
Ow, come one! They have been doing this for ages in CSI and such movies / series!
They can even recover high resolution color images from the reflexion on a dirty car door from a low-res black and white surveillance camera!
With some proper software, one could include automatic tracing of the reflective object (eyes or glasses, for example), and correction for distortion caused by imperfections in the reflective object.
I'd think applying a slightly diffuse coating on the windows would fix this, as it prevents the attacker from getting a clear image. As far as I know, this such an analog blur filter cannot (easily) be reversed.
I am amazed that no one else has published a paper on this subject, after all, it has been common knowledge for a long time.
Good for them though, seeing where they go from here is the part that will be very interesting
It just reminded of this little picture (see homepage)
One thing nobody has mentioned but is very important.
Everyboody is talking about the diamater of the mirror as the limiting factor. Although correct it tends to make people think the mirror has a large surface area and is therfore highly visable (that it is a parabola and also has considerable depth).
Going back to astronomy consider a long base line interferometer or optical telescope. Effectivly there are two comparitivly small mirrors at the ends of an optical waveguide (similar to the old range finding binoculars but much much bigger). The effect is the same as using a mirror of the same dimeter except for the fact you lose the light gain.
So in theory such a construction could be tucked under a window sill or guttering on the oposit side of the road and have an effective diamiter as large as distance from and the targets window size allow (which if the reflector is close to the window could be ten or twenty meter diameter).
Also a lense can be quite large and be effectivly very very flat. Without going into all the details imagine the profile of the lense choped into many thousand concentric rings then most of the redundent middle part removed. Then behind this a mirror where it is designed to reflect down and focus in a similar way (for those old enought think back to the Sinclair Pocket Television to see how it can be done). The result is you could end up with what is effectivly a telescope the size of a window but only 4 to 8 inches thick. From the outside it would look a lot like a piece of frosted glass as used in a bathroom with the blind drawn behind it.
Of the two the long base line approach is possibly the simplest to construct and nomore difficult than the skills required by a post grad mechanical / microwave engineer or astronomer.
The latter however would be relativly simple to manufacture in quantity especialy if the fairly predictable manufacturing tollerance / defects where corrected by software.
So anyone feel like going and asking for a big fat grant to do the research?
If you get it please send me a decent bottle or two of micro brewery beer via Bruce as payment 8)
Cliffords Stoll's doggedness is very much necessary today, nevermind the fact that he was at least 20 years ahead of his time."
Well, this is right out of the movie sneakers you know. Using telephoto lens to acquire passwords.
Didn't l0pht create a shoulder surfing password guessing tool, where you could enter the keystrokes you saw and using a dictionary file it would fill in the gaps?
I thought i had a copy stored away somewhere, maybe someone on here remembers what it was called and could point me to it.
I think the real value in this sort of reflective shoulder surfing is in being able to go mobile, so ultimately it'd be best served by the development of special sunglasses with a monitor built into one of the lenses, wirelessly connected to an telescoping earpiece camera designed to look like a cell phone earpiece. This could be quite a menace in places like airport terminals.
My 6mp nikon s4 with the swivel lense would be very good at this, cover it on a table top with a baseball cap, or any cloth, set a coffee cup in front of it, boot it up run the magnification up to the appropriate setting by using an object in another direction at the same distance, then when ready, move the coffee cup out of the way, click the shutter or what ever it is on the digital, and replace the coffee cup over it. you only have to expose a one inch lense for a short moment to get the photo, and you can wait til later to read the result.
when are they going to make camera lenses that have a 90 degree to the barrel porro prism. and where are all those old trench binoculars, in a place like iraq, the ability to reach up and take a photo over a wall and then pull the lens back down would be a very handy thing to have, and the small exposure time of the technique meaning that its only popping up for a few seconds, makes it very covert to anyone who is not looking when it happens.
movies starting with 1960's "Blow Up" and Sean Connerys movie "Rising Sun" also come to mind when refections and magnification are the topics, blade runner as well, probably more.
Austin Powers spoofed James Bond, played by Connery, in Goldfinger.
In that film there is a scene where Bond is kissing 'Bonita'. During the kiss he sees the bad guy ('Capungo') reflected in her eyes.
@angelone: "The reflective surface is really a red herring. They could get better image quality by just looking straight at the monitor. I honestly can't believe anyone would bother to pursue this."
Few people around here with window offices orient their offices so the monitor face is towards the window - that tends to result in sunlight causing glare. Most have them at 90 degrees to the window, and a few have them backs-to-window. In these latter two cases, if you're outside, you need the help of a reflective surface to see the monitor.
Austin Powers and James Bond weren't the first; Sherlock Holmes used a silver teapot.
Oh gee, they discovered the secret of teleprompters.
Just make sure there's no way to see into a room, and that no one's around when you're doing stuff you want to keep private.
If it's super-secret, why would someone do it in the open, anyway?
>>The secret is now out. Bonus points if you can explain the lie.
The "lie" is the idea that there can be digital security in a networked world.
As Cliff Stoll told Congress, total security can only be acheived by "unplugging"-and I plan to do just that...as soon as I'm done catching up on e-mail and chat...and checking my online banking accounts...and buying some plane tickets and making room reservations...and picking up a book, and maybe a telescope, from Amazon to take along on the trip...and posting to this security blog...
there is technology to find and identify a microsoft computer system from a satellite. Each monitor screen is a beacon. There will be technology to listen the monitor which "collects" the magnetic r-g-b picture of the environment which it is pointed to and this technology allows to listen what the monitor see. There will be technology which is advanced and which is hidden in the technology which a "consumer" buy. These beacons are already sold. Optics is old school.
... and think what you could signal in traditional copper network, if you could create a new kind of network underneath it. Why did the cern tests fail? Because there is already technology which play with the more #hidden# particles smaller than electrons. This communication is masqueraded with tradiotional communication which happens at the same time. So, you are reading donald duck, yeah? So, how this hidden stuff is then transformed back to a traditional communication, which could then be like a virus inside a network which it could not be noticed to travel?
Why not use a phototransistor sensor with circuit that synchronizes with the refresh rate of the screen. If you need color use three sensors each with a color filter. Not sore how well this would work with an LCD.
"Why not use a phototransistor sensor with circuit that synchronizes with the refresh rate of the screen"
In a word "sensitivity" you are better off using a photomultiplier as Markus Kuhn at Cambridge labs did. See the link to his paper in my above posting,
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.