[go: up one dir, main page]
Wikipedia

Van Eck phreaking: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Morlark (talk | contribs)
70 edits
mNo edit summary
compound modifier. use acro def. avoid unnec redirect.
 
(48 intermediate revisions by 34 users not shown)
Line 1:
{{short description|Form of eavesdropping}}
'''Van Eck phreaking''' is a form of eavesdropping in which special equipment is used to pick up [[Side-channel attack|side-band electromagnetic emissions]] from electronics devices that correlate to hidden signals or data for the purpose of recreating these signals or data in order to spy on the electronic device. Side-band electromagnetic radiation emissions are present in and, with the proper equipment, can be captured from keyboards, computer displays, printers, and other electronic devices.
 
'''Van Eck phreaking''', also known as '''Van Eck radiation''', is a form of [[network eavesdropping]] in which special equipment is used for a [[side-channel attack]] on the [[electromagnetic emission]]s of electronic devices. While electromagnetic emissions are present in keyboards, printers, and other electronic devices, the most notable use of Van Eck phreaking is in reproducing the contents of a [[cathode-ray tube]] (CRT) display at a distance.
In 1985, [[Wim van Eck]] published the first unclassified technical analysis of the security risks of emanations from [[computer monitor]]s. This paper caused some consternation in the security community, which had previously believed that such monitoring was a highly sophisticated attack available only to [[governments]]; van Eck successfully eavesdropped on a real system, at a range of hundreds of [[metre]]s, using just $15 worth of equipment plus a [[television]] set.
 
Information that drives a CRT [[video display]] takes the form of electrical signals in the [[radio frequency|RF]] range. The electric signal which drives the electron beam is amplified to up to around one hundred volts from [[Transistor–transistor logic|TTL]] circuitry. The signal leaks out from displays and may be captured by an antenna, and once [[Analogue television synchronization|synchronization pulses]] are recreated and mixed in, an ordinary analog television receiver can display the result. These emissions are correlated to the video image being displayed, so, in theory, they can be used to recover the displayed image.
As a consequence of this research, such emanations are sometimes called "van Eck radiation", and the eavesdropping technique van Eck phreaking. Government researchers were already aware of the danger, as [[Bell Labs]] had noted this vulnerability to secure [[teleprinter]] communications during [[World War II]] and was able to produce 75% of the plaintext being processed in a secure facility from a distance of 80 feet (24 metres).<ref>{{cite web |title=A History of U.S. Communications Security (Volumes I and II)"; David G. Boak Lectures |work=National Security Agency |year= 1973 |url= https://www.governmentattic.org/2docs/Hist_US_COMSEC_Boak_NSA_1973.pdf |page= 90}}</ref> Additionally the NSA published ''Tempest Fundamentals, NSA-82-89, NACSIM 5000, National Security Agency'' (Classified) on February 1, 1982. In addition, the van Eck technique was successfully demonstrated to non-TEMPEST personnel in [[Korea]] during the [[Korean War]] in the 1950s.
 
While the phenomenon had been known by the United States Government and [[Bell Labs]] as early as the Second World War, the process received its name after [[Wim van Eck]] published the first unclassified technical analysis of the security risks of emanations from [[computer monitor]]s in 1985. While [[phreaking]] is the process of exploiting [[telephone network]]s, it is used here because of its connection to eavesdropping.
While [[Phreaking]] is the process of exploiting [[telephone network]]s, it is used here because of its connection to eavesdropping. Van Eck phreaking of CRT displays is the process of [[eavesdropping]] on the contents of a [[Cathode ray tube|CRT]] by detecting its [[Electromagnetic radiation|electromagnetic]] [[Emission (electromagnetic radiation)|emissions]].
 
== History ==
 
As a consequence of this research, such emanations are sometimes called "van Eck radiation", and the eavesdropping technique van Eck phreaking. Government researchers were already aware of the danger, as [[Bell Labs]] had noted this vulnerability to secure [[teleprinter]] communications during [[World War II]] and was able to produce 75% of the plaintext being processed in a secure facility from a distance of 80 feet (24 metres).<ref>{{cite web |titlename=A History of U.S. Communications Security (Volumes I and II)"; David G. Boak" Lectures |work=National Security Agency |year= 1973 |url= https://www.governmentattic.org/2docs/Hist_US_COMSEC_Boak_NSA_1973.pdf |page= 90}}</ref> Additionally, the NSA published ''Tempest Fundamentals, NSA-82-89, NACSIM 5000, National Security Agency'' (Classified) on February 1, 1982. In additionAlso, the van Eck technique was successfully demonstrated to non-TEMPEST personnel in [[Korea]] during the [[Korean War]] in the 1950s.
 
In 1985, [[Wim van Eck]] published the first unclassified technical analysis of the security risks of emanations from [[computer monitor]]s.<ref name="Greenberg" /><ref name="emr" /> This paper caused some consternation in the security community, which had previously believed that such monitoring was a highly sophisticated attack available only to [[governments]]; van Eck successfully eavesdropped on a real system, at a range of hundreds of [[metre]]s, using just $15 worth of equipment plus a [[television]] set.
 
In the paper, Van Eck reports that in February 1985, a successful test of this concept was carried out with the cooperation of the [[BBC]]. Using a van filled with electronic equipment and equipped with a [[Very high frequency|VHF]] [[antenna array (electromagnetic)|antenna array]], they were able to eavesdrop from a "large distance". There is no evidence that the BBC's [[TV detector van]]s actually used this technology, although the BBC will not reveal whether or not they are a hoax.<ref name="Telegraph-2013-09-27>{{cite" news|last=Carter |first=Claire |url=https://www.telegraph.co.uk/culture/tvandradio/bbc/10340804/Myth-of-the-TV-detector-van.html |title=Myth of the TV detector van? |publisher=Telegraph Media Group |newspaper=The Daily Telegraph |date=27 September 2013 |accessdate=27 September 2015}}</ref>
 
Van Eck phreaking and protecting a CRT display from it was demonstrated on an episode of [[Tech TV]]'s ''[[The Screen Savers]]'' on December 18, 2003.<ref>[http:// name="g4tv.com/videos/8041/van-eck-phreaking" Van Eck Phreaking]</ref><ref>[https://www.youtube.com/watch?v name=ozl8_8wzEVI The "Screen Savers:" Dark Tip - Van Eck Phreaking]</ref>
 
== Basic principle ==
Information that drives the [[video display]] takes the form of [[high frequency]] electrical signals. These [[oscillating]] [[electric currents]] create [[electromagnetic radiation]] in the [[radio frequency|RF]] range. These [[radio]] [[radio waves|emission]]s are correlated to the [[video]] image being displayed, so, in theory, they can be used to recover the displayed image.
 
Information that drives the [[video display]] takes the form of [[high frequency|high-frequency]] electrical signals. TheseThe [[oscillating|oscillation]] of these [[electric currents]] create [[electromagnetic radiation]] in the [[radio frequency|RF]] range. These [[radio]] [[waves|radio waves|emission]]s are correlated to the [[video]] image being displayed, so, in theory, they can be used to recover the displayed image.
=== CRTs ===
In a [[Cathode ray tube|CRT]] the image is generated by an [[electron beam]] that sweeps back and forth across the [[Computer monitor|screen]]. The electron beam excites the [[phosphor]] coating on the glass and causes it to glow. The strength of the beam determines the brightness of individual [[pixel]]s (see [[Cathode ray tube|CRT]] for a detailed description). The electric signal which drives the electron beam is amplified to hundreds of volts from [[Transistor–transistor logic|TTL]] circuitry. This high frequency, high voltage signal creates electromagnetic radiation that has, according to Van Eck, "a remarkable resemblance to a broadcast TV signal".<ref name="emr">{{cite journal | author=Van Eck, Wim | title=Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? | journal=Computers & Security | volume=4 | issue=4 | year=1985 | pages=269–286 | url=http://www.tscm.com/vaneck85.pdf | doi=10.1016/0167-4048(85)90046-X | citeseerx=10.1.1.35.1695 }}</ref> The signal leaks out from displays and may be captured by an antenna, and once [[Analogue television synchronization|synchronization pulses]] are recreated and mixed in, an ordinary analog television receiver can display the result. The synchronization pulses can be recreated either through manual adjustment or by processing the signals emitted by [[electromagnetic coil]]s as they deflect the CRT's electron beam back and forth.<ref name="emr"/>
 
In a [[Cathode ray tube|CRT]], the image is generated by an [[electron beam]] that sweeps back and forth across the [[Computer monitor|screen]]. The electron beam excites the [[phosphor]] coating on the glass and causes it to glow. The strength of the beam determines the brightness of individual [[pixel]]s (see [[Cathode -ray tube|CRT]] for a detailed description). The electric signal whichthat drives the electron beam is amplified to hundredsup ofto around one hundred volts from [[Transistor–transistor logic|TTL]] circuitry. This high -frequency, high -voltage signal creates electromagnetic radiation that has, according to Van Eck, "a remarkable resemblance to a broadcast TV signal".<ref name="emr">{{cite journal | author=Van Eck, Wim | title=Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? | journal=Computers & Security | volume=4 | issue=4 | year=1985 | pages=269–286 | url=http://www.tscm.com/vaneck85.pdf | doi=10.1016/0167-4048(85)90046-X | citeseerx=10.1.1.35.1695 }}</ref> The signal leaks out from displays and may be captured by an antenna, and once [[Analogue television synchronization|synchronization pulses]] are recreated and mixed in, an ordinary analog television receiver can display the result. The synchronization pulses can be recreated either through manual adjustment or by processing the signals emitted by [[electromagnetic coil]]s as they deflect the CRT's electron beam back and forth.<ref name="emr" />
In the paper, Van Eck reports that in February 1985 a successful test of this concept was carried out with the cooperation of the [[BBC]]. Using a van filled with electronic equipment and equipped with a [[Very high frequency|VHF]] [[antenna array (electromagnetic)|antenna array]], they were able to eavesdrop from a "large distance". There is no evidence that the BBC's [[TV detector van]]s actually used this technology, although the BBC will not reveal whether or not they are a hoax.<ref name=Telegraph-2013-09-27>{{cite news|last=Carter |first=Claire |url=https://www.telegraph.co.uk/culture/tvandradio/bbc/10340804/Myth-of-the-TV-detector-van.html |title=Myth of the TV detector van? |publisher=Telegraph Media Group |newspaper=The Daily Telegraph |date=27 September 2013 |accessdate=27 September 2015}}</ref>
 
== Use as communication ==
Van Eck phreaking and protecting a CRT display from it was demonstrated on an episode of [[Tech TV]]'s [[The Screen Savers]] on December 18, 2003.<ref>[http://g4tv.com/videos/8041/van-eck-phreaking Van Eck Phreaking]</ref><ref>[https://www.youtube.com/watch?v=ozl8_8wzEVI The Screen Savers: Dark Tip - Van Eck Phreaking]</ref>
 
In January 2015, the Airhopper project from [[Georgia Institute of Technology]], United States demonstrated (at [[Ben Gurion University]] University, [[Israel]]) the use of Van Eck Phreaking to enable a keylogger to communicate, through video signal manipulation, keys pressed on the keyboard of a standard PC computer, to a program running on an [[Android (operating system)|Android]] cellphone with an [[earbud]] radio antenna.<ref>[https://www.yahoo.com/tech/s/air-gapped-computers-no-longer-183708658.html Air-gapped computers are no longer secure, name="TechRepublic," January 26, 2015]</ref><ref>[http://users.ece.gatech.edu/~az30/Downloads/Micro14.pdf Originalname="Airhopper" Whitepaper]</ref><ref>[https://www.youtube.com/watch?v name=3gtuEdflUA0 Airhopper "demonstration video," Ben Gurion University]</ref>
=== LCDs ===
In April 2004, academic research revealed that flat panel and laptop displays are also vulnerable to electromagnetic eavesdropping. The required equipment for espionage was constructed in a university lab for less than US$2000.<ref name=Kuhn2004>{{cite journal | author = Kuhn, M.G. | year = 2004 | title = Electromagnetic Eavesdropping Risks of Flat-Panel Displays | journal = 4th Workshop on Privacy Enhancing Technologies | pages = 23–25 | url = http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf }}</ref>
 
== Equipment ==
===Communicating using Van Eck phreaking===
In January 2015, the Airhopper project from [[Georgia Institute of Technology]], United States demonstrated (at [[Ben Gurion]] University, [[Israel]]) the use of Van Eck Phreaking to enable a keylogger to communicate, through video signal manipulation, keys pressed on the keyboard of a standard PC computer, to a program running on an [[Android (operating system)|Android]] cellphone with an [[earbud]] radio antenna.<ref>[https://www.yahoo.com/tech/s/air-gapped-computers-no-longer-183708658.html Air-gapped computers are no longer secure, TechRepublic, January 26, 2015]</ref><ref>[http://users.ece.gatech.edu/~az30/Downloads/Micro14.pdf Original Whitepaper]</ref><ref>[https://www.youtube.com/watch?v=3gtuEdflUA0 Airhopper demonstration video, Ben Gurion University]</ref>
 
A tailored access battery is a special laptop battery with Van Eck Phreaking electronics and power-side band encryption cracking electronics built- into its casing, in combination with a remote transmitter/receivertransceiver. This allows for quick installation and removal of a spying device by simply switchingswapping the battery.<ref>White paper, name="FDES" institute, 1996, page 12.</ref>
===Tailored access batteries===
 
== Potential Risksrisks ==
A tailored access battery is a special laptop battery with Van Eck Phreaking electronics and power-side band encryption cracking electronics built-into its casing, in combination with a remote transmitter/receiver. This allows for quick installation and removal of a spying device by simply switching the battery.<ref>White paper, FDES institute, 1996, page 12.</ref>
 
Van Eck phreaking might also be used to compromise the secrecy of the votes in an election using [[electronic voting]]. This caused the Dutch government to ban the use of NewVote [[computer]] [[voting machine]]s manufactured by SDU in the [[Dutch general election, 2006|2006 national elections]], under the belief that ballot information might not be kept secret.<ref>[http://www.iht.com/articles/ap/2006/10/30/europe/EU_GEN_Netherlands_Voting_Machines.php Dutch government scraps plans to use voting computers in 35 cities including Amsterdam (name="Herald tribune," 30. October 2006)]</ref><ref>[http://www.heise.de/english/newsticker/news/80302 Use of SDU voting computers banned during Dutch general elections] {{webarchive|urlname=https://web.archive.org/web/20080923142636/http://www."heise.de/english/newsticker/news/80302" |date=2008-09-23 }} (Heise, October 31. 2006)</ref> In a 2009 test of electronic voting systems in Brazil, Van Eck phreaking was used to successfully compromise ballot secrecy as a proof of concept.<ref>{{Cite web |urlname=http://yro."slashdot.org/story/09/11/22/027229/Brazilian-Breaks-Secrecy-of-Brazils-E-Voting-Machines-With-Van-Eck-Phreaking" |title=Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking |date=November 21, 2009 |work=Slashdot}}</ref>
==Potential Risks==
 
== Further Researchresearch ==
Van Eck phreaking might also be used to compromise the secrecy of the votes in an election using [[electronic voting]]. This caused the Dutch government to ban the use of NewVote [[computer]] [[voting machine]]s manufactured by SDU in the [[Dutch general election, 2006|2006 national elections]], under the belief that ballot information might not be kept secret.<ref>[http://www.iht.com/articles/ap/2006/10/30/europe/EU_GEN_Netherlands_Voting_Machines.php Dutch government scraps plans to use voting computers in 35 cities including Amsterdam (Herald tribune, 30. October 2006)]</ref><ref>[http://www.heise.de/english/newsticker/news/80302 Use of SDU voting computers banned during Dutch general elections] {{webarchive|url=https://web.archive.org/web/20080923142636/http://www.heise.de/english/newsticker/news/80302 |date=2008-09-23 }} (Heise, October 31. 2006)</ref> In a 2009 test of electronic voting systems in Brazil, Van Eck phreaking was used to successfully compromise ballot secrecy as a proof of concept.<ref>{{Cite web |url=http://yro.slashdot.org/story/09/11/22/027229/Brazilian-Breaks-Secrecy-of-Brazils-E-Voting-Machines-With-Van-Eck-Phreaking |title=Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking |date=November 21, 2009 |work=Slashdot}}</ref>
 
In April 2004, academic research revealed that flat panel and laptop displays are also vulnerable to electromagnetic eavesdropping. The required equipment for espionage was constructed in a university lab for less than US$2000.<ref name="Kuhn2004" />
==Further Research==
 
[[Markus Kuhn (computer scientist)|Markus Kuhn]] has discovered several low-cost techniques for reducing the chances that emanations from computer displays can be monitored remotely.<ref name="Kuhn577">{{cite journal |last= Kuhn |first= Markus G. |authorlink= Markus Kuhn (computer scientist) |date=December 2003|title= Compromising emanations: eavesdropping risks of computer displays |journal=Technical Report |issue= 577|page= |pages= |at= |issn= 1476-2986 |id= UCAM-CL-TR-577 |url= http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf |accessdate= 2010-10-29}}</ref> With [[cathode ray tube|CRT]] displays and [[analog signal|analog]] video cables, filtering out [[high-frequency]] components from [[typeface|fonts]] before rendering them on a computer screen will attenuate the energy at which text characters are broadcast. With modern [[flat panel display]]s, the high-speed digital [[serial interface]] ([[Digital Visual Interface|DVI]]) cables from the [[graphics controller]] are a main source of compromising emanations. Adding random [[Noise (signal processing)|noise]] to the [[least significant bit]]s of pixel values may render the emanations from flat-panel displays unintelligible to eavesdroppers but is not a secure method. Since DVI uses a [[8b/10b encoding|certain bit code scheme]] that tries to transport a balanced signal of 0 bits and 1 bits, there may not be much difference between two pixel colors that differ very much in their color or intensity. The emanations can differ drastically even if only the last bit of a pixel's color is changed. The signal received by the eavesdropper also depends on the frequency where the emanations are detected. The signal can be received on many frequencies at once and each frequency's signal differs in [[contrast (vision)|contrast]] and [[brightness]] related to a certain color on the screen. Usually, the technique of smothering the RED signal with noise is not effective unless the power of the noise is sufficient to drive the eavesdropper's receiver into [[saturation (telecommunications)|saturation]] thus overwhelming the receiver input.
 
== See also ==
 
* [[Tempest (codename)|TEMPEST]], a United States government standard for limiting electric or electromagnetic radiation emanations from electronic equipment
* [[{{anl|Air gap (networking)]]}}
* [[RINT]], the acronym for Radiation Intelligence, military application
* [[{{anl|Near sound data transfer]]}}
* [[Air gap (networking)]]
* {{anl|RINT}}
* [[Near sound data transfer]]
* {{anl|Tempest (codename)}}
* [[SilverPush]]
 
== References ==
 
{{refs|30em}}refs=
<ref name="Boak">{{cite web |title=A History of U.S. Communications Security (Volumes I and II)"; David G. Boak Lectures |work=National Security Agency |year= 1973 |url= https://www.governmentattic.org/2docs/Hist_US_COMSEC_Boak_NSA_1973.pdf |page= 90}}</ref>
<ref name="Greenberg">{{cite magazine |url=https://www.wired.com/story/what-is-side-channel-attack/ |title=Hacker Lexicon: What Is a Side Channel Attack? |date=21 June 2020 |magazine=[[Wired (magazine)|Wired]] |last=Greenberg |first=Andy}}</ref>
<ref name="emr">{{cite journal | author=Van Eck, Wim | title=Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? | journal=Computers & Security | volume=4 | issue=4 | year=1985 | pages=269–286 | url=http://www.tscm.com/vaneck85.pdf | doi=10.1016/0167-4048(85)90046-X | citeseerx=10.1.1.35.1695 }}</ref>
<ref name=Telegraph-2013-09-27>{{cite news|last=Carter |first=Claire |url=https://www.telegraph.co.uk/culture/tvandradio/bbc/10340804/Myth-of-the-TV-detector-van.html |title=Myth of the TV detector van? |newspaper=The Daily Telegraph |date=27 September 2013 |access-date=27 September 2015}}</ref>
<ref name="g4tv">[http://g4tv.com/videos/8041/van-eck-phreaking Van Eck Phreaking]</ref>
<ref name="Screen Savers">[https://www.youtube.com/watch?v=ozl8_8wzEVI The Screen Savers: Dark Tip – Van Eck Phreaking]</ref>
<ref name="TechRepublic">[https://www.yahoo.com/tech/s/air-gapped-computers-no-longer-183708658.html Air-gapped computers are no longer secure, TechRepublic, January 26, 2015]</ref>
<ref name="Airhopper">[https://arxiv.org/abs/1411.0237 Original Whitepaper]</ref>
<ref name="demonstration video">[https://www.youtube.com/watch?v=3gtuEdflUA0 Airhopper demonstration video, Ben Gurion University]</ref>
<ref name="FDES">White paper, FDES institute, 1996, page 12.</ref>
<ref name="Herald tribune">[http://www.iht.com/articles/ap/2006/10/30/europe/EU_GEN_Netherlands_Voting_Machines.php Dutch government scraps plans to use voting computers in 35 cities including Amsterdam (Herald tribune, 30. October 2006)]</ref>
<ref name="heise">[http://www.heise.de/english/newsticker/news/80302 Use of SDU voting computers banned during Dutch general elections] {{webarchive|url=https://web.archive.org/web/20080923142636/http://www.heise.de/english/newsticker/news/80302 |date=2008-09-23 }} (Heise, October 31. 2006)</ref>
<ref name="slashdot">{{Cite web |url=http://yro.slashdot.org/story/09/11/22/027229/Brazilian-Breaks-Secrecy-of-Brazils-E-Voting-Machines-With-Van-Eck-Phreaking |title=Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking |date=November 21, 2009 |work=Slashdot}}</ref>
In April 2004, academic research revealed that flat panel and laptop displays are also vulnerable to electromagnetic eavesdropping. The required equipment for espionage was constructed in a university lab for less than US$2000.<ref name=Kuhn2004>{{cite journal | author = Kuhn, M.G. | year = 2004 | title = Electromagnetic Eavesdropping Risks of Flat-Panel Displays | journal = 4th Workshop on Privacy Enhancing Technologies | pages = 23–25 | url = http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf }}</ref>
<ref name="Kuhn577">{{cite journal |last= Kuhn |first= Markus G. |author-link= Markus Kuhn (computer scientist) |date=December 2003|title= Compromising emanations: eavesdropping risks of computer displays |journal=Technical Report |issue= 577|issn= 1476-2986 |id= UCAM-CL-TR-577 |url= http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf |access-date= 2010-10-29}}</ref>
}}
 
== External links ==
 
* [https://www.youtube.com/watch?v=ZZ5HS8GWIec Van Eck phreaking Demonstration]
* [http://www.erikyyy.de/tempest/ Tempest for Eliza] is a program that uses a computer monitor to send out AM radio signals, making it possible to hear computer-generated music in a radio.
Line 51 ⟶ 75:
* [http://eckbox.sourceforge.net eckbox] – unsuccessful or abandoned attempt in spring 2004 to build an open-source Van Eck phreaking implementation
* [https://techcrunch.com/2015/01/14/this-fake-phone-charger-is-actually-recording-every-key-you-type/?ncid=txtlnkusaolp00000591 Sniffing wireless keyboard link]
* [https://github.com/fulldecent/system-bus-radio system-bus-radio] - an implementation of Van Eck phreaking using certain processor instructions on a general purpose computer
 
{{DEFAULTSORT:Van Eck Phreaking}}
[[Category:Surveillance]]
[[Category:Phreaking]]
Retrieved from "https://en.wikipedia.org/wiki/Van_Eck_phreaking"