Data Leakage Through Power Lines

The NSA has known about this for decades:

Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed.

By analysing the information leaking onto power circuits, the researchers could see what a target was typing.

The attack has been demonstrated to work at a distance of up to 15m, but refinement may mean it could work over much longer distances.

These days, there’s lots of open research on side channels.

Tags: key logging, privacy, side-channel attacks

Posted on July 15, 2009 at 6:17 AM • 43 Comments

Comments

Pete Hillier • July 15, 2009 6:43 AM

Hence the creation of TEMPEST standards!

uk visa • July 15, 2009 6:59 AM

General Dynamics knew about this, and protected facilities against it, in the early 80’s.
Whilst I’m sure they were being over careful they were protecting against eavesdropping satellites – slightly more than 15m!

StickyWidget • July 15, 2009 7:05 AM

Hehe. I wonder if I could reconfigure a sensitive enough SmartGrid meter to detect keystrokes.

Then, I could use one of those exploits that has been published to read credit card numbers without ever having to install software on a machine.

Scary AND Theoretically Possible!

~Sticky

Paul Renault • July 15, 2009 7:10 AM

So, wireless keyboards are the new secure standard?

Andrea Barisani • July 15, 2009 7:32 AM

Yes, we of course suspected and advertise that people like the NSA would know this already.

We mention this during our presentation, we also add “consider what a dedicated team or government agency can
accomplish with more expensive equipment and effort” :).

We think it’s important to bring this awareness out to the public, along with our need to do interesting public (and fun) research.

windexh8er • July 15, 2009 7:43 AM

Meh — When I worked for a large gov’t contractor we had TEMPEST classes that taught this. I always found it ironic that the class was located in a conference room which was all glass windows. Considering the classes were confidential it was highly ironic that the TEMPEST courseware could be picked off via simple demodulation of a laser pointed at the window.

So this is nothing new (as originally stated), but think it’s interesting the BBC is running scare tactic articles like this. Maybe the Euros just figured it out recently? 🙂

will • July 15, 2009 7:55 AM

spycatcher included details of determining cipher key settings by ‘overhearing’ the noise generated on adjacent phone lines, from the 50/60s

Alex • July 15, 2009 7:57 AM

This has been also known by Russian security services. Recent “Personal data protection” law is heavily concentrated on this topic. Basically every personal data operator has to comply to the specific TEMPEST requirements.

Unix Ronin • July 15, 2009 7:57 AM

What I want to know is why we haven’t switched to optical interconnect cables yet. Component-stereo CD changers have had digital-optical outputs for ten years now, and the home audio industry is hardly known for leading the field in interconnect technology. Mice, keyboards — heck, ALL HIDs — monitors, external disks, even powered computer speakers: they could all EASILY use optical-fiber data connections. Many devices would still need power, of course, but the low levels of power required by devices that don’t already have their own separate power supply could be carried on a braid layer around the fiber. Most speeds of what we’re still calling Ethernet can already run over fiber. There’s no technical reason why we should be using copper cables any more for anything except supplying power. Even telephony runs over copper only because telephones have historically been line-powered devices and the installed base is too huge to easily change. Make sure cases are properly shielded and power supplies back-filtered to prevent feeding RFI back into their own power lines, and we could probably virtually eliminate RFI emissions from computers except for the display — and as a bonus, it would reduce their susceptibility to RFI and crosstalk. (Even with magnetically-shielded computer speakers, I’ve had crosstalk issues when a monitor cable passes just too close to a powerful speaker.)

Reason says it ought to be possible to RFI-shield flat-panel displays too. (Perhaps a transparent conductive coating on one of the face layers?)

Clive Robinson • July 15, 2009 8:08 AM

Actually with wired keypads there are two issues at point

1, The rising edges of data signals.

2, The current drawn by the CPU or other logic when the keyboard is scaned.

Both of these radiate different types of information.

And normaly both are fairly easy to solve without having to resort to shielding (which is expensive at the best of times)

As far as EmSec is concered the real reason for shielding is infact the oposit to that you would think.

There is a method where by you can “illuminate” a cable with an appropriate RF signal. As the logic switches it changes the effective line impedance of he cable.

This switching change remodulates the rf signal (both phase and amplitude) and this can be picked up quite easily with an apropriate IQ receiver with a DSP backend.

It is by no means rocket science.

I was using a similar technique on “electronic purses” back in the 1980’s to read what their chips where doing with second hand kit available to radio amatures. So it’s not to difficult to “roll your own”.

The real issue is of course red/green trafic in tha vacinity to powerfull radio transmitters inadvertantly “piggie backing” traffic out to the world.

Oh by the way it has been shown that certain radio devices such as mobile phones do this as well.

The next problem is near / far field transition of signals in this area wher the current in the conductor becomes a plane wave. The mathmatics of the two near field zones are both complex and not particularly amenable to use in real world analysis (think big bucks CPU horse power).

Unfortunatly the near field area (aprox less than 3 wavelengths) can do some very very strange things. It has been known for very weak signals to be coupled to structural metals and cabeling and be transported imense distances (early cordless phones being picked up 20-30Km from the source which is supposed to have an effective maximum range of 0.2-0.3Km.

I could go on at length but you could try searching for hijack and “Tempest in a teapot” and removing the littery and religeous refrences.

guly • July 15, 2009 8:09 AM

@Paul Renault: google for Keykeriki

kashmarek • July 15, 2009 9:25 AM

Possible for a single computer single keyboard single outlet? How about a building full of computers (100s), where dozens of them are on the same wiring run, and that leads back to switching gear for power failover? Or laptops connected to an outlet but through their power brick? And standalone workstations connected through a battery backup device. And with many different keyboards, how do they tell which key is being pressed (keys can be remapped). Security theater here.

Alex • July 15, 2009 9:46 AM

This is easily circumvented by cutting/pasting passwords from Password Safe. In fact, even the password generation process is just one (or more) clicks so one would never type the password… ever. So there is nothing to capture on that side channel except Ctrl-V…

will • July 15, 2009 9:54 AM

@Alex

except to record the ‘noise’ radiating from your display and being able to recreate the screen contents from that.

Google tempest.

RvnPhnx • July 15, 2009 10:09 AM

@Unix Ronin
You are aware that glass fibers are a lot more expensive, a lot less flexible, a lot harder to splice, and a lot more fragile, are you not?
The real question is: Are we likely to see this exploited in most settings? The answer is no.
In theory it would probably be a lot cheaper for each keyboard to use SSL/TLS or something like that than to use fiber connections, but I can’t see anybody bothering.
Besides, the power supply noise from most machines drowns out by far any RF signals that escape most keyboards.

Jason • July 15, 2009 10:23 AM

@will

PasswordSafe can be used without ever showing the password in plain-text.

It can generate new passwords showing only asterisks and you can copy the password without ever seeing it.

It would defeat Tempest if used properly.

RH • July 15, 2009 10:49 AM

@kashmarek: If I remember the declassified TEMPEST document I found a while back (or was it posted here?), your sugestion of bundling many computers onto the same power line is actually one of their recommendations to minimze risk!

mojo • July 15, 2009 11:59 AM

It would not be difficult to use encryption on the link. AVR microcontrollers already have good implementations of AES and other security related stuff for wireless links, which could be used over a wired connection.

Johan • July 15, 2009 12:44 PM

Amazing!!!!

prophylactic • July 15, 2009 1:01 PM

Hmm . . . so I should repurpose my tinfoil hat, and wrap my keyboard cable instead? 🙂

Carl "SAI" Mitchell • July 15, 2009 1:29 PM

PasswordSafe/KeePass/etc don’t defeat TEMPEST. Sure, the individual passwords are safe, but the master password can still be sniffed when you type it in, thus giving access to all other passwords.

bob • July 15, 2009 2:00 PM

@ronin

You can’t send power over an optical cable, which isn’t an issue for most audio or video gear. However, it means all the keyboard, mice, etc. must be battery powered. Since most PCs are used in business, think how many tech support staff they’d have to add just to walk around replacing batteries.

John • July 15, 2009 2:16 PM

@bob
You can’t send power over an optical cable.

Sorry, I can’t resist. Yes, you can send power over an optical cable. You just to use a really powerful light source.

“Caution! Do not look into laser with remaining eye”

Kermit the Bog • July 15, 2009 9:13 PM

Clive Robinson: “I could go on at length but you could try searching for hijack and “Tempest in a teapot” and removing the littery and religeous refrences.”

I assume you meant literary rather than littery. These are usually quite different things – unless it was a trashy novel of course.

Sorry, couldn’t resist…

Clive Robinson • July 15, 2009 11:03 PM

@ Kermit the Bog,

“Sorry, couldn’t resist…”

No need, a little levity makes a day pass more lightly, all the more so for it’s unintended originator.

The contract is nearly up on this mobile phone (22days and counting) so I’m going to look for one with a spell checker built in.

The sad thing is for all it’s quirks (and now failings of controls) the original reason I decided on it still holds good (the browser is realy on the suppliers servers).

Clive Robinson • July 16, 2009 11:03 AM

@ RH, kashmarek,

“If I remember the declassified TEMPEST document I found a while back (or was it posted here?)”

This would be atleast 25years old and released only because it was compleatly and uterly redundant except out of historical interest.

“your sugestion of bundling many computers onto the same power line is actually one of their recommendations to minimze risk!”

Would have been ok advice before the advent of single chip DSP systems (like the TMS range). After that the gloves came off and VLF charecteristics of single machines could be picked out from that of others around them.

And in the mid 90’s a UK firm worked out how to rework FFT’s more efficiently such that they became “realtime” and continuous. This enabled the HF charecteristics to be used along with active antenna techneiques for numerous (Greater than 128) machines in a small area (about school gym hall size).

We now have cutting edge comercial development systems that work upto the low microwave regions so with the right backen processing you can now “see the wood for the trees” as though each tree was alone on a hilltop.

It would be interesting to know who’s ahead of the game these days the Mil NSA/GCHQ/etc or the comercial sector and academia.

My money would tend to the latter these days…

Mark Jaquith • July 16, 2009 8:19 PM

Who still uses PS/2 keyboards? Hasn’t everyone moved to USB?

prophylactic • July 16, 2009 9:46 PM

@Mark Jaquith
Some of us prefer a split and “clicky” keyboard, like the Lexmark M13.
http://www.tifaq.org/keyboards/historical-keyboards.html#kb-lexmark

Thus my tinfoil inquiry.

Bruce Clement • July 17, 2009 3:50 AM

Surely this can be defeated by using a laptop and running it on battery whenever we want to type anything we don’t want seen … on the other hand I’m sure those things lack any meaningful shielding and their RF emissions can be picked up by “more normal” tempest methods.

@Clive Robinson
As long as they have one technique the people don’t, the spooks and the military are ahead as they can simply buy all the civilian technology they want, apply their secret techniques on top and lead … much like the (disputed) Lenin quote “The capitalists will sell us the rope with which we will hang them.”

Philippe • July 17, 2009 9:11 AM

Would a UPS also defeat this attack?

Mike • July 17, 2009 1:25 PM

Time to start using shielded, balanced RS-422 lines for keyboards instead of unbalanced lines.

Krunch • July 17, 2009 3:32 PM

I prefer the way they sniff keystrokes by measuring laptop lid vibration. Can’t find a proper paper about that but they did at least one presentation on this and it seems to work pretty well.

http://www.itpro.co.uk/610741/laser-pens-can-hack-your-computer

Clive Robinson • July 17, 2009 3:44 PM

@ Bruce Clement,

“on the other hand I’m sure those things lack any meaningful shielding and their RF emissions can be picked up by “more normal” tempest methods.”

Most laptops almost totaly lack effective shielding, they tend to try “spread spectrum” modulation of the master clock to fit inside the EMC mask.

The spreading code is very usually trivial and very well known to industry insiders. Even if it was not it would actually take very little time with an IQ receiver next to the same model to find out what it is.

And as I have noted befor this actually makes a “TEMPEST” attack much much easier. The radiated energy is obviously still there but just spread across a larger bandwidth so less energy per unit of bandwidth (to get inside those all important EMC masks).

Now obviously if you know the spreding sequence and you despread the signals then you get back the original quite high energy per unit of bandwidth (which would not have fit inside the EMC mask). I have seen some that have a 20dB difference which roughly gives you ten times the range.

However as an unexpected bonus, it also reduces by the same spread factor any other signals which obviously gives you quite a bit extra signal to noise advantage…

Also as the spreading codes are almost always simple linear feed back shift registers you can play around with filter masks around the spread signal to ge a few extra dB of margin.

With regards,

“As long as they have one technique the people don’t, the spooks and the military are ahead as they can simply buy all the civilian technology they want, apply their secret techniques on top and lead”

You have forgoton two things,

1, Government procurment times

2, technology development times.

Once upon an age ago (back when I wore short trousers) tech times where considerably greater than procurment times.

Now however technology development times appear faster than Moore’s Law whilst procurment actually takes way way longer (more than ten years is not unknown).

The net result is that by the time the glacial speed of Gov Proc has got to the point of equipment delivery in most cases the technology they have bought is 3 to 4 generations out of date (if it’s even still available).

Also the “spooks” actualy are not at all inovative they used to be supported by “industry friends” but the joy of the free market Regan & Thatcher espoused killed off the lucrative deals that defence contractors used to have and with it went exclusivity. Also anybody with half a brain realised there was more money to be made on the open market…

Clive Robinson • July 18, 2009 6:19 AM

@ Bruce Schneier,

“These days, there’s lots of open research on side channels”

@ Bruce Clement,

“As long as they have one technique the people don’t, the spooks and the military are ahead”

There is something you both, and by the looks of it hunting around all the publicly available material most others have not realised.

EmSec or TEMPEST as was has a deep and dirty secret which has been kept quite for so long that I’m realy surprised it has not seen the light of day.

However some people have inadvertantly stumbled on it doing research but it has not twigged with them it is a general not speciffic case.

It’s sufficiently out in the public domain now so it can be more formaly put.

Most people who care to think about it are aware that TEMPEST is partly about energy and bandwidth.

The general assumption is however it is to do with energy emmited from the “secure” equipment. Less generaly that it is also to do with the suseptability of the “secure” equipment.

What nobody has seemed to twig onto is that there are two ends to the shannon channel and what applies to the “secure” equipment also applies to the “monitoring” equipment.

This should be blatently obvious from the 1970’s TV detector vans but obviously not.

Also from radar both on axsis and off axsis systems.

Likewise it should be blatently obvious due to “red eye” in photographs and from the “CCTV” detectors.

Likewise anybody who is familiar with TDR equipment for bug hunting and fault finding in transmission systems.

Likewise those doing research in spoting cameras and jaming them should have realised it.

I don’t know if they have but not said anything (saying it up for their next paper etc) but it applies to all types of “monitoring” equipment.

Put simplisticaly you have an energy source a transmission channel and a terminating device or load.

Due to the fact that very rarely do the charecteristic impeadences of the source and load match the channel energy remains in the channel bouncing around losing some of it’s energy on each reflection.

In a compleatly enclosed and fault free channel such as a coax transmission line there is usually only a single source and a single load and any energy that is not aborbed by one get relflected to the other and as the channel is effectivly constant standing waves build up.

However nothing in life is perfect so all transmission lines have minor imperfections or faults. There are test instruments (TDR) that send a very short duration pulse of energy out (just like a radar) and display a reflection trace on an osciloscope trace (you can make your own TDR with an avalanch transistor or diode, a high voltage current source and a short length of coax and a protection cct all mounted on the input channel of a high frequency oscilloscope).

The UK investigative journo Duncan Cambel (Report on ECHELON to EU Commision etc) actually took this idea and used it to check for bugs on his telephone line. When UK security services raided his work place on trumped up Oficial Secrets act charges they found his device and took it away and after investigation gave the idea as a gift to one of it’s “favourd” companies (later part of GEC Plessey). As far as I am aware to this day they have never paid him a penny for his invention.

However back to the deep and dirty dark TEMPEST secret…

Exactly the same principle can be used to detect any and all TEMPEST “monitoring” equipment. Usually more easily than it is to actually pick up the emenations from the “secure” equipment.

You can actually buy for modest amounts of money EMC test equipment for Open Air Test Sites (OATS) and TemCells that with only minor modifications will pick up the bounced energy from TEMPEST “monitoring” equipment.

The hard part is making it sufficiently directional to give you both a direction and range, but that can be done with DSP fairly easily these days and multiple space diversity antennas etc.

So the secret is you can watch the watchers, and usually this knowledge is of a lot more use to the defenders than it is to the attackers…

peri • July 18, 2009 7:05 PM

@Clive Robinson

I knew you would be posting something interesting here. After I read your comment I found myself with some questions.

Can TEMPEST style monitoring be done effectively from a satellite?

If it is possible, do you felt confident you could spot TEMPEST style monitoring equipment in a satellite?

neill • July 18, 2009 9:39 PM

got 3 running computers here (at least) next to each other, some are ‘open case / experimental’

wonder if one could get any usable radio signal from me since there’s so much interferrence anyways

Clive Robinson • July 19, 2009 2:46 AM

@ neill,

“wonder if one could get any usable radio signal from me since there’s so much interferrence anyways”

Your’s is one of those generalised questions that has an both a positive and negative answer due to many things so please hang in for what is the “quick and dirty answer”, which unfortunatly is very long for a blog, as I’m not sure of the technical level of the overall audiance.

The answer is dependent on a number of factors the major ones for EmSec / TEMPEST being,

1, Effective radiation range of signal.
2, Signal cohearance.
3, Noise sources.
4, Information bandwidth.

The effective radiation range of a signal is effected by many things the first being “free space radiation”.

As with the light from your car headlights you have a “signal source” (hot wire in the bulb) and the further away you are the less usefull the “signal” (light) is as it’s “wave front” is spread out over a greater and greater area, and at some point it will be either to weak for your unaided eyes or below the level of other light sources around you, so you will not be able to perceive it unaided.

Also there is a theoretical limit below which it is not possible to measure the signal due to “thermal noise” from other objects.

So you have a number of range limitations which are dependent on many factors.

However these range limitations are also based on the effective “capture area” of the receiver to the wave front of the signal source usually this is via “antenna gain”.

As you may know the larger the area of a telescopes primary optic to it’s final optic the more effective range it has, due to the optical “gain”.

It is the same with radio waves a large antenna can focus more of the energy from the surface area of the “wave front” to the input of the receiver.

There is a further issue of if the signal is realy in free space or constrained to a “transmission line” that prevents the signals energy becoming either dispersed or “decoherant” (effectivly interfering with it’s self).

In the case of the car headlight if you put it in a long tube with highly reflective surfaces then the light wave front could not spread out further than the cross sectional area (CSA) of the tube.

These tubes are known as “light pipes”. However due to the very large CSA of the tube compared to the wave length of the light the signal interferes with it’s self and loses cohearance. This can be reduced by using very narrow light pipes which is one of the main reasons why fiber optic cables used for carrying data signals are as thin or thinner than human hair.

With regards radio energy it can be trapped by the surface of a metal conductor (think about the construction of coax leads used for TV antennas and video signals) however as metal is a considerably better conductor than free space radio signals will apear to stick to a conductor and follow it, and like a fast moving car it can only stay “on the road” as long as the corners are not to sharp, which gives rise to the single conductor transmission line known as the G-Wire.

The G-Wire has practical significance to TEMPEST range.

You may know that overhead power cables are known to conduct radio signals very great distances with little loss and have been known to carry signals over many times their free space range which is why motorists sometimes discover their local radio station being interfeared with by a signal from a distant local radio station.

Other examples for instance, are overhead power cables, overhead telephone cables and even farm fences that have been known to capture cordless phone conversations and coduct them ten or a hundred times their effective operating range. The signal can even “couple” (jump) from one conductor to another if their share a volume of space that allows it.

Effectivly one way to imagine it is like a 1:1 transformer (magnetic or H field coupling) another way the two plates of a capacitor (E field coupling). Thankfully the predomanant H field coupling has an inverse cubic relationship (ie volume related) and the E field coupling an inverse square law relationship (ie surface area related). However which is of greater concern in any given situation is due to the “efective shape and distance” of the conductors. In ordinary everyday use peole used to experiance this effect on telephone cables where they could faintly hear other peoples conversations which is why it is often called “cross talk”.

These effects apply to ANY and ALL conductors including the ground, plants and wood (due to the moisture they hold), they can all carry very weak signals many times their expected free space range. Structural metal work and internal wiring for lights and power are particular TEMPEST worries as they can carry signals out of a building or area unnoticably as they are effectivly hidden (it’s one of the reasons TEMPEST proofing a building is so inordinatly expensive as you literaly have to check everything) and due to weather etc you have to check several times at different times of the year.

Further conductors can act like lenses and focus a signal back just like the optics in a telescope. Of particlar worry to TEMPEST is what are effectivly “slot radiators” and “frame antennas”.

That is a split in a shielded enclosure like the edge of a door can be an incredably efficient radiator of a signal (it is one of the reasons why microwave oven doors have a very peculiar design and are thus usually just under an inch thick at the edges).

Back in the days of the “cold war” it was noticed that reception of long range signals being monitored went up dramaticaly for a distinct period. It was found to be coicident to an anuall fair and it was realised that the frame of the ferris wheel atraction (seen in the film the “third man”) was responsable which was the reason it became a fixed feature.

However there is also the issue of interferance and it’s effects on TEMPEST activities. Put simply there are well established ways to “null it out” by using multiple directional antennas (works just like the “very long baseline” VLB radio telescopes) and more recently IQ receivers and baseband DSP filtering, estimating and averaging techneiques.

Put simply the techneiques can view a “tree trunk in the middle of a wood from the paddock” with little difficulty.

With computers what actually aids this is Electro Magnettic Compatability masks…

Manufactures who where not quite making the masks realised they could use “whitening” spread spectrum techniques to spread the energy of their interfering signals across a large bandwidth.

Ufortunatly it does not make the energy go away it just spreads it with a simple linear code, which means it can just as easily be despread and the energy recovered. Having had to use whitening to just get inside the mask some manufactures have realised that it is effectivly “a cure all” for EMC ills, and has enable them to remove expensive filtering components simply by increasing the spreading rate. Which means that it is a gift from heaven for those carrying out TEMPEST attacks as the spreading margin can be as high as 100:1, when compared to the effect that despreading actually spreads interferance out the real effect for TEMPEST can be an advantage of 10,000:1…

So do not regard interferance as being of benifit it realy is not.

Clive Robinson • July 19, 2009 8:43 AM

@ peri,

Sorry for the delay, Sunday is one of the days where I cook the “Sunday Lunch” and I prefere the traditional roast which takes up most of the late morning early afternoon.

You had a couple of questions,

1) “Can TEMPEST style monitoring be done effectively from a satellite?”

Depends on what type of monitoring, of very low level emissions at low frequency no. Side channels on a strong emission such as red/green traffic getting via powersupplies etc onto the output of a marine transmitter or army radio etc yes.

2) “If it is possible, do you felt confident you could spot TEMPEST style monitoring equipment in a satellite?”

The answer to that is a little difficult to say.

If you are asking me is it possible to illuminate a satellite from earth or another satellite, the answer is obviously yes as radar is used to check their position as is lidar and other radio and optical instrumentation etc.

Will the reflection from an illumination of a satellite alow you to work out which frequency band it is using then the answer is very probably yes (as with nearly all receivers) the question is will the return (echo if you will) be strong enough to pick up on earth the answer is a possible maybe depending on what type of protection circuits are used and where in the receiver line up they are (even a passive allpass filter lets some information leak as do circulators etc).

Then the question is who else uses that radio frequency range and where…

On earth you can have a high degree of confidence in the fact that it is TEMPEST monitoring or ElInt simply because of the location of the equipment and other field craft type intel.

With a satellite the situation is markedly different.

To be usefull a satellite needs to send information in near real time for analysis. Which means that it will be emitting a signal sufficiently strong to be picked up on earth or another satellite (spread spectrum and other techniques such as burst mode help hide the emmision but it’s detectable).

Also with a satellite everybody who cares enough to know can usually find out in a reasonable period that it’s there. That is stealth technology is not realy going to hide it and the launch is almost certainly going to have been monitored and recorded by ground and space based instrumentation. And amature astronomers often spot satellites in low earth orbit simply by the fact they either reflect or block light from other “heavenly bodies”.

And you also need to remember that some analysts can work out it’s function from monitoring what ground it covers and all maner of information that is also difficult to hide like changes in orbital parameters.

So with a satallite it is not usually worth trying to find out more about it with regards to TEMPEST or EmSec.

peri • July 19, 2009 11:28 AM

@Clive Robinson

No need to apologize. Thanks for taking the time to post such an interesting response.

I was aware satellites are tracked with both radar and optically. I have seen them with my own naked eye and I remember people tracking satellites a few years back with just a good pair of binoculars around dawn and dusk.

I was just intrigued by your post on TEMPEST’s dirty secret and my question was about detecting the presence and capability of TEMPEST monitoring equipment aboard a satellite.

neill • July 19, 2009 3:08 PM

@clive

thanks for the insight into radio&physics!

i know that there’s the directional aspect when you got several antennas next to each other, where you can (thru timing) ‘direct’ the EM beam whereever you want it to go – but i think that would require the exact same frequency and timing delays withing a few ps

the difference in timing/quality between several motherboards and PLL circuits makes that difficult, i hope, also the energies are very low (eg PCIe with 1.2V at 2.5GHz), or even encrypted (HDMI), so the biggest risk are the USB keyboards – there are shielded USB2 ones

also a lot of the newer/faster I/O standards use low voltage differential signaling (GBEth,SATA) that is supposed to minimise ‘incomeing’ interferrence – and hopefully ‘outgoing’ as well

maybe we ought to get our trusted ‘chain mail’ out of the closet and wrap it around the computers!

Clive Robinson • July 20, 2009 7:29 AM

@ neill,

“”

That’s alright.

The problem with

“i hope, also the energies are very low (eg PCIe with 1.2V at 2.5GHz)”

Is the low voltage of the supply belies the actuall energy in the circuit.

At 2.5GHz the freespace wavelength is 12-13cm and depending on the PCB (FR4, RT Duroid etc) may be getting down to half that. Which is easily comparable with the PCB track lengths so it realy does radiate rather well if proper transmission line techniques have not been taken into account during layout.

Often the quality of a PC Motherboard is difficult to see as the PCB can be more critical to the design than the components used.

Also the case can be an oddity sometimes it radiates less with the outer case off that it does with it on (slot radiator problem).

EMC/TEMPEST proofing realy is a difficult problem above low VHF and neigh on impossible to do cost effectivly above the high UHF/low microwave bands.

To design a suitable case that is good from ELF to mid microwave (kind of old style DC to Daylight 😉 is not just difficult it is very expensive and to be honest you’ld be best at looking at a blade type solution to spread the cost across as many users as possible.

The last “secure box” I built for some one it was cheaper to actually build it inside a low cost safe and “filter & fringe” than it would have been to design or procure a suitable case…

The economies of COTS can be found in some strange places.

Richard Harris • July 20, 2009 9:09 AM

@ Clive,
I’ve enjoyed reading you responses to questions. I’ve got a question that is a little of topic; however, it deals with transmitting energy.

Nikola Tesla is reported to have developed a vehicle that was powered by the energy(Waves, radiation, etc) in the air. Are you aware of this developement and what are you’re thoughts on the possibilities/probability of such a creation.

Link:http://keelynet.com/energy/teslafe1.htm

Richard

blah • September 17, 2009 6:56 AM

If data leaks through power lines, would having solar panels/power solve this problem?

Or maybe we would have to have solar charge large batteries and d/c the entire power line from our house.

Its just another good reason we should all use solar if i am right.

This is very interesting actually..

Also many keyloggers do not log alt codes..
Can TEMPEST attacks recover alt codes?

Is the use of a few alt codes randomly in a password provide any protection from this form of attack?

Also I dont know whats happening in USA but in Australia the Government is planning a pretty awesome $40 billion broadband upgrade that will use Fibre Optic. Fibre to the home or whatever it is.

I heard fibre optic isnt susceptible to TEMPEST attack..Is this true?

So if I had no phone line, and got electricity from solar and internet from fibre optic. This would reduce TEMPEST attacks on the power line and phone line to pretty much zero correct?

If anyone knows what impact this would have on TEMPEST attacks please let me know.

All you would need then is for industry to make all keyboard and screens ANTI- TEMPEST…

And possible other stuff I havent thought about…

Anyway people im researching into this field trying to think of ways to protect home users with both anti tempest software and looking for ideas on how to protect from it in other ways.

I fear that this technology will become more prevalent as hackers learn to make powerful TEMPEST monitoring devices themselves and begin actively using them. Please anyone reply to this with comments ideas etc…
If data leaks through power lines, would having solar panels/power solve this problem?