Compromising emanations: eavesdropping risks of computer displays

Electronic equipment can emit unintentional signals from which eavesdroppers may reconstruct processed data at some distance. This has been a concern for military hardware for over half a century. The civilian computer-security community became aware of the risk through the work of van Eck in 1985. Military " Tempest " shielding test standards remain secret and no civilian equivalents are available at present. The topic is still largely neglected in security textbooks due to a lack of published experimental data. This report documents eavesdropping experiments on contemporary computer displays. It discusses the nature and properties of compromising emanations for both cathode-ray tube and liquid-crystal monitors. The detection equipment used matches the capabilities to be expected from well-funded professional eavesdroppers. All experiments were carried out in a normal unshielded office environment. They therefore focus on emanations from display refresh signals, where periodic averaging can be used to obtain reproducible results in spite of varying environmental noise. Additional experiments described in this report demonstrate how to make information emitted via the video signal more easily receivable, how to recover plaintext from em-anations via radio-character recognition, how to estimate remotely precise video-timing parameters, and how to protect displayed text from radio-frequency eavesdroppers by using specialized screen drivers with a carefully selected video card. Furthermore, a proposal for a civilian radio-frequency emission-security standard is outlined, based on path-loss estimates and published data about radio noise levels. Finally, a new optical eavesdropping technique is demonstrated that reads CRT displays at a distance. It observes high-frequency variations of the light emitted, even after diffuse reflection. Experiments with a typical monitor show that enough video signal remains in the light to permit the reconstruction of readable text from signals detected with a fast photosensor. Shot-noise calculations provide an upper bound for this risk. Acknowledgments I would like to thank my former supervisor Ross Anderson for making this entire project possible and for encouraging my initial experiments with his ESL 400 emission monitor. I am also much in dept to Tony Kruszelnicki of TK Electronics in Lincoln for an extended loan of a Dynamic Sciences R-1250 receiver and various accessories. The technical staff of the Computer Laboratory and in particular Piete Brooks earned my thanks for their patience and competent assistance. Robert Watson contributed useful GPIB/TCP gateway software for instrument control during his brief stay as a visiting student. Simon Moore provided a storage oscilloscope and Richard Clayton …