Electromagnetic eavesdropping is cheap & easy - so why doesn't anyone believe it exists?

Below, I've included what would have been the first post in a series of posts I wrote about the badBIOS controversy in October 2013. I found the evidence in support of badBIOS to be unconvincing, and I was concerned by how popular badBIOS became despite those obvious shortcomings. This wasn't a situation where an overexcitable press ran with a story that turned out to be inaccurate; the earliest and most adamant believers in badBIOS weren't reporters, they were ITSEC professionals. How were so many of us publicly duped by what was essentially a conspiracy theory?

This post doesn't address badBIOS directly. However, badBIOS was presumed to somehow involve the manipulation of computers using acoustic transmissions. This post provides some historical context behind a strain of computer science research in this field and shows how commonly held beliefs about the feasibility of these attacks were generally inaccurate at the time of writing. In future posts I would have explored how these misunderstandings could have made members of the community more likely to distrust early criticism of badBIOS.

Electronic surveillance relying on electromagnetism, radio and acoustics has been widely understood for over 60 years. Why do some in the IT security community dismiss such techniques as the "equivalent of a Bigfoot sighting [sic]" while others are convinced such techniques are widely used and highly aggressive?

A brief, bad history of emissions security exploitation (and why it's cheaper than you think)

In 1985, a Dutch researcher named Wim van Eck published a proof of concept for a simple and inexpensive system that could reproduce the visual data of a remote video display unit (Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? PTT Dr. Neher Laboratories, St. Paulusstroat 4, 2264 XZ Leidschendam, The Netherlands. Download PDF from Cryptome.) Using this method, it became trivial to retrieve visual information from, for example, computer monitors using only a standard television receiver. Using a directional antenna and an amplifier, van Eck's method proved effective at several hundred meters.

Many incorrectly believe that van Eck essentially created the technique of remote receiver surveillance. As van Eck explains:

"It is possible in some cases to obtain information on the signals used inside the equipment when the radiation is picked up and the received signals are decoded. [...] This problem is not a new one; defense specialists have been aware of it for over 20 years."

Despite the understanding that such techniques were possible, the van Eck paper still proved to be something of a bomb thrown into the security industry. Van Eck again explains why:

"Until recently it was considered very difficult to reconstruct the data hidden in the radiated field, and it was therefore believed that eavesdropping on digital equipment could only be performed by professionals with access to very sophisticated detection and decoding equipment. As a result, digital equipment for processing information requiring medium or low level protection, such as private or business information, is not protected against eavesdropping of this kind."

Consequently, when, for example, Markus G. Kuhn of Cambridge University claimed in his (equally ground-breaking) 2004 paper Electromagnetic Eavesdropping Risks of Flat-Panel Displays that "Electromagnetic eavesdropping of computer displays [was] first demonstrated to the general public by van Eck in 1985", we are forced to correct his assertion by maintaining that van Eck was the first to demonstrate cheap and widely available electromagnetic eavesdropping of computer displays to the general public. Those suspicious of my assertion here are welcome to consider R.L. Dennis' August 1966 paper, "Security and Privacy in Computer Systems", a brief summary of which is provided in a textbook of the same title from 1973 edited by Lance Hoffman:

"Passive infiltration may be accomplished by wiretapping or by electromagnetic pickup of the traffic at any point in the system. Although considerable effort has been applied to counter such threats to defense communications, nongovernmental approaches to information privacy usually assume that communication lines are secure, when in fact they are one of the most vulnerable parts of the system. [p. 77]"

"In addition to the spectrum of threats arising from wiretapping, electromagnetic radiation from terminals must be considered.[12] Electromagnetic radiation characteristics will depend heavily on the type of terminal, and may in some cases pose serious shielding and electrical-filtering problems. More advanced terminals using cathode ray tube for information display may create even greater problems in trying to prevent what has been called 'tuning in the terminal on Channel 4.' [p. 84]"

Note that any review of unclassified documents concerning these techniques, as well as cryptography, must take into account the regulatory burden of the period. Until very recently, those attempting to publicize cryptography and penetration testing techniques regularly found themselves running afoul of the US Federal Government. As late as 1999, Federal prosecutors sought a conviction against Israeli citizen Shalom Shaphyr for the alleged transport of TEMPEST equipment to a foreign country. Incredibly, but perhaps not surprisingly to readers now familiar with modern anti-terrorism arrest techniques, Shaphyr was not caught with equipment: he was sold the equipment by an FBI agent as part of a sting operation. For a brief survey of the dangers that security innovators ran in the 1990s, please see my own "Is Encryption Becoming Illegal Again?"

For at least as long as techniques for video display unit reproduction have existed, the US military has invested in countermeasures to foil those techniques. As early as the mid-1950s, the US established the Transient Electromagnetic Pulse Emanation Standard with the publication of NAG-1A, the earliest attempt to shield military and diplomatic communication from electromagnetic eavesdropping. The standard, and the research projects supporting the standard, would collectively become known as TEMPEST. The Cold War would spawn a series of innovations in both surveillance and countermeasures of this kind. Unfortunately, a great deal of that history remains highly contested, classified, and often both. One milestone that can give readers an idea of just how long this technology has been in practical use was Operation Rafter, in which British intelligence agents located KGB agent radio transceivers using the radiation from their oscillators, even when the radios were not transmitting.

A complete history of US TEMPEST research could easily fill a book, as such a history would necessarily cover over 60 years of research and innovation. The brief overview here is meant to help clarify a few important points about electromagnetic eavesdropping.

Throughout the development of these surveillance techniques, attackers have sought, and succeeded, in using electromagnetic radiation to reproduce visual data (retrieved, for example, from the emanations of cathode ray tubes) as well as non-visual data (retrieved, for example, from the sounds of a teletype machine in operation). These early methods have gone almost completely unaddressed in modern computer development. Keylogging from acoustic surveillance is not a technique limited to teletypes, as IBM employees Dmitri Asonov and Rakesh Agrawal demonstrated in their 2004 paper Keyboard Acoustic Emanations (non-acoustic typing behavior, so-called typing dynamics, is increasingly used as a biometric identifier, and monitoring of this behavior has long been a default setting for Windows 10 devices).

More recently, in 2011 and again this year, researchers from Tel Aviv University and the Weizmann Institute of Science (along with numerous other contributors) demonstrated a variety of surveillance techniques that can be used to reproduce CPU operations across an air gap in order to steal private keys from widely used encryption software. The more recent of the two Tel Aviv University attacks accomplished something quite similar to what van Eck did decades ago: it illustrated how this manner of surveillance can be accomplished on the cheap. The new attack requires only a simple software-controlled radio dongle or commercial radio available for somewhere between $20 and $50 (the 2011 attack monitored acoustics from the CPU rather than electromagnetism), something any hobbyist could afford.

The misunderstanding of the requirements of a successful electromagnetic eavesdropping attack isn't limited to those outside the security field. When Joe Loughry of Lockheed Martin Space Systems and David A. Umphress of Auburn University published their seminal "Information Leakage from Optical Emanations", which as early as 2002 publicly exposed that NIC and router LED status lights could be used to determine the data transferred over the relevant interface, they still felt it necessary to repeat the persistent misconception that only some James Bond-esque group of super-powered spies could retrieve data using the methods previously outlined:

"Because of the high cost of equipment and the difficulty of intercepting and exploiting RF emanations, reports of successful attacks against emanations have been limited primarily to high-value sources of information such as military targets and cryptologic systems."

This isn't to say that there are not serious practical difficulties with this approach: there are. Electromagnetic radiation exists on a spectrum that includes frequencies with very different types of behavior: X-rays can pass through things, while visible light typically can't. Both are "electromagnetic radiation". Typically, though, PCs don't emit X-rays. Furthermore, data centers and similar facilities tend not to have windows. It is also unclear how many of these types of attacks could translate to a virtualized environment. This isn't a problem that should keep people in charge of IT resources up at night. But it is worth noting that the reason these attacks are rare is likely the result of these practical limitations, not the general unavailability of the attack vector itself.