
VAN ECK DEVICES

The idea of intercepting the electromagnetic emissions from computer
hardware has a long history. It's been known to be possible since the
1960s, and was first discussed publicly in 1967. In the 1970s, the NSA
started a program in this field, called Tempest; this led to the framing of
the Tempest standards for equipment designed to be resistant to
electromagnetic interception.
Germany discovered the problems during an exercise with NATO in 1977; the
DDR's Minister of Security said something about it in 1984, and, in the
same year, the Swedish government introduced regulations on the amount of
electromagnetic leakage allowed from computers. Van Eck published his paper
about electromagnetic surveillance in 1985.
Every piece of hardware radiates in some way; however, not all emissions
are dangerous. The only really serious ones are from places where data is
being processed serially; particularly with cached chips, it's very hard to
disambiguate the traffic on the processor bus and even harder to do
anything with it afterwards. The most dangerous emissions are those from
monitors and from lines where data is transmitted serially (RS232,
Ethernet). Also, dangerous emissions have to have structure; there's little to be
learned from tapping V- or H-sync signals, though, as you will read later,
their presence tells you that there's a monitor around.
All electrical activity generates electromagnetic radiation; the three
sorts of information which are easy to intercept are signals coupling to
things which act as antennae, surface waves running along the surface of
metal objects in the vicinity, and modulations of the power supply.
At this point, a demonstration was performed. Photos are available
elsewhere; basically, the setup consisted of a standard PC (the brand name
wasn't given, for legal reasons), a large antenna, an elaborate amplifier,
and a normal television. Surface waves were detected with a
waveguide-shaped adapter, and power supply modulations were detected by
capacitive coupling to the power line, using one of the devices sold to
transmit audio along power lines so that a baby sleeping in another room
can be monitored.
In all cases, the display on the PC was replicated on the television at a
slightly different scale. The distance between the systems was no more than
five metres in the on-stage display, though it was claimed that you could
get decent results at much greater distances: the antenna method should
work at a range of 15 metres, and longer with more sophisticated
amplifiers; the surface-current method (where the surface-current adapter
was clamped around one of the power lines to the computer) can work at
100m in ideal circumstances; and capacitive coupling only really works at
short range.
Note that this was a PC which passed all of the EC requirements for
emissions; machines around in 1980 were substantially more emissive (you
couldn't listen to a long-wave radio whilst a BBC Micro was turned on in
the same house, for example).
How It Works
PC monitors and televisions operate on the same principle; you have an
electron beam moving back and forth across the screen. Some years ago, PCs
and TVs even used the same scanning frequencies, though nowadays PCs tend
to display higher resolutions and work at higher refresh rates; this is not
an insuperable problem, but tends to mean that the aspect ratio of the
display looks rather odd if you're receiving with a normal TV. What's
detected is an aggregate of the colours on the screen.
Basically, you lock onto the horizontal and vertical sync frequencies
transmitted by the monitor, and use these to generate new horizontal and
vertical sync pulses for the TV; you feed the signal detected by your
antenna to the pixel input of the TV, and feed your separately-generated,
clean sync pulses in alongside it.
How far away does it work?
Define the range of a van Eck device as the longest distance away from the
machine you're monitoring at which the picture on the monitor may be read.
In practice, it's found that the picture is readable when the S/N ratio is
about 1.3 : 1. Using the standard antenna method with a TV as a detector,
the range is about 100 metres; using substantially more sophisticated
detectors, the range might be as much as 500 metres.
The surface wave method has a lower range, depending on the dielectric
coefficient of the surroundings of the pipe down which the data is
travelling; in a building with a predominantly-wooden structure, you could
detect surface waves on heating pipes at a distance of 30 or 40 metres.
This is an interesting distance, because it means that you can detect the
signal from the adjacent floors in commercial premises.
Getting data from the power supply depends very much on details of the
construction of the PSU; at the very best, the signal will only be
detectable as far as the next transformer in the system.
The emissions from a standard PC monitor are anisotropic; they are
substantially stronger to the sides of the display than they are in front
and behind.
Possible Precautions
Modify your computer; this is impractical for end users, but is done to
produce Tempest-compliant systems for the truly paranoid.
Operate your computers in shielded rooms. Shielding rooms is not remotely
cheap; you need to line the walls with sheet copper in a way similar to
that used to avoid electromagnetic pulses, use special conducting glass in
the windows, and use airlock-style doors with a conducting rubber gasket
round the outside, and even then you have to take great care over the
design of your power supply.
Probably the easiest method is to use a jamming strategy: work out what
wavelengths your computer emits on, and then put a small transmitter,
broadcasting random noise on those wavelengths, next to the computer.
At this point the talk dissolved. The workshop afterwards was distinctly
more interesting; some very, very strange things were mentioned.
The Workshop
According to my notes, the workshop consisted of a large number of
disconnected discussions. I'll enumerate some of them below:
* The existence of a device for firing very small diodes through the
ventilation slots in the back of a PC, so that it has a very specific
spectral response were you to bounce a signal off it, so that the PC
can thereafter be easily tracked.
* Using the heating system as a convenient source of antennae for
signals to couple to, particularly when the people you want to monitor
are in the same building but a different floor.
* The existence of a device, designed for use by FBI field officers,
which clamps onto a pipe and takes advantage of the fact that the
ground signal is usually connected to the pipes. This was in the
pre-PC era, so the machine was used to distinguish between the signals
produced by the action of different letters on electric typewriters.
* The VMS database management system 'PROMISE', which apparently used
Walsh wavelets (whatever they are) to provide a convenient way to
modulate the signals on the system bus to transmit the entire contents
of the database to a suitably-equipped listener elsewhere. There are
those who claim that the company producing the software was purchased
by the NSA, and continued producing the software
* The fact that even laptops are vulnerable to TEMPEST attacks, since
they tend to have scanned displays and to have video output ports at
the back. The solution to this is to transmit the signals to the
display using a low-amplitude system and to amplify them in the
display itself.
* A secure laptop manufactured by 'GRID', which had bubble memory and a
plasma display. It was costly and heavy; its main customers were
intelligence agencies. Certain models had a DES chip, identified by a
'X' etched in the case. If you find one of these, buy it; they were
supposed to be decommissioned before disposal, by a process involving
smashing the display and shooting through the case at the point marked
with the 'X'.
* That detecting the presence of monitors is fairly straightforward
using a spectrum analyser; the horizontal-sync pulse can be found by
Fourier analysis, since it is a fairly strong high-frequency signal.
The vertical-sync pulse is rather harder to find, but you can use a
phase-locked loop to do this. Once you've detected the H- and V-sync
pulses, you can subtract them from the received data and insert
better-quality new ones.
* That it's probably possible to monitor several monitors at once, or to
monitor a single specified one, by using a few very precise notch
filters, or a comb filter, and looking for the sub-percent differences
in the v- and h-sync frequencies. It's not quite clear how much more
stable the frequencies are than their accuracy.
* The idea of handling the data digitally, by using a standard
heterodyne circuit to remove the FM carrier waves; I don't quite see
what they're talking about here, since the bandwidth of even a VGA
signal is fairly substantial. Once the data is in the digital domain,
handle it with DSPs; fast DSPs are expensive, but obtainable.
http://DSPnews.com is a relevant site here.
* What you really want is the data on the CRT, not the display. In most
business-type applications, the image on the CRT is constant over a
large number of refreshes, so you can capture it a bit at a time into
a large block of video RAM and then handle it with cheaper DSPs. Using
not much more video RAM than an elaborate graphics card, you could
produce fairly good reconstructions of the images from a dozen CRTs.
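The talk's recipe of locking onto the H-sync line, the 1.3 : 1 readability figure, the workshop note on finding the H-sync pulse by Fourier analysis and the jamming precaution come together in the following Python sketch, an added example that is not from the talk or from these notes. It constructs a synthetic emission (a sync pulse train plus white noise; the receiver sample rate and the line rate are assumed values) and checks whether the H-sync line still stands out above the floor, which is the check a defender would run on their own room to see whether a jammer actually buries the structured part of the signal.

```python
import cmath
import math
import random
import statistics

FS = 250_000          # survey receiver sample rate in Hz (assumed)
N = 4096              # FFT length, a power of two
F_HSYNC = 31_250.0    # constructed line rate: exactly 8 samples per line
READABLE_SNR = 1.3    # the 1.3 : 1 readability threshold quoted in the notes


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out


def constructed_emission(noise_rms, seed=7):
    """Constructed test signal: a 3-sample sync pulse every 8 samples (the
    structured part of a monitor's leakage) plus white noise of the given RMS,
    standing in for the room's noise floor or for a jammer raising it."""
    rng = random.Random(seed)
    period = round(FS / F_HSYNC)
    return [(1.0 if i % period < 3 else 0.0) + rng.gauss(0.0, noise_rms)
            for i in range(N)]


def hsync_line(samples, f_expected):
    """Return (peak_hz, snr, visible): the strongest line below Nyquist, its
    magnitude over the median floor, and whether it sits on the expected
    H-sync bin with S/N at or above the readability threshold."""
    mags = [abs(c) for c in fft(samples)]
    bins = range(1, N // 2)                    # skip DC and Nyquist
    k_peak = max(bins, key=lambda k: mags[k])
    snr = mags[k_peak] / statistics.median(mags[k] for k in bins)
    visible = k_peak == round(f_expected * N / FS) and snr >= READABLE_SNR
    return k_peak * FS / N, snr, visible


if __name__ == "__main__":
    for label, rms in (("quiet room", 1.0), ("jammer adds 40 dB of noise", 100.0)):
        hz, snr, vis = hsync_line(constructed_emission(rms), F_HSYNC)
        print(f"{label}: peak {hz:.0f} Hz, S/N {snr:.1f}, H-sync visible: {vis}")
```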
Locating sources; elaborate antennae
* If you've got access to multiple antennae, you can use well-known
interferometric techniques from radio astronomy to get very precise
location data; you're talking about picking out a single monitor in an
office knowing only its precise V-sync and H-sync frequencies.
* If you're wanting to work from a substantial distance, use a large
array of antennae and correct by computer for the phase differences in
the incoming signal (since you know where the monitor is by the
techniques above). You can do this with independent antennae if you're
very clever, but you need enormously accurate timebases. Apparently
there are interesting techniques involving optical holography to
reconstruct signals without ridiculous computing requirements.
Tapping networks
* Using twisted-pair cable removes dipole but not quadrupole radiation;
quadrupole radiation, however, has an intensity which drops off as r^-4,
which makes it impractical to detect at any great distance. To get a
good signal, stick a conducting wire between the pair and let it stick
out both sides (coupling to the magnetic field between the wires).
Alternatively, wrap a one-turn transformer around the wire.
* For coax Ethernet, there was an interesting tap resembling a credit
card with a keyhole-shaped hole, the straight sides of the keyhole
being made of two razorblades. You slide it onto the cable in some
inconspicuous place, and it cuts through some parts of the shielding
and broadcasts the information on the wire.
* Transparent power consumption monitoring: use ground-fault indicators
(take 10 turns of wire around cable 1, and the same on the other cable
in the opposite direction, and measure the voltage). The windings are
the sensors required for sampling; insert something inside the cases.
Workshop notes on protecting systems
* The NSA is claimed to have TEMPEST-enabled buildings, with
copper-tinted windows.
* It's fairly hard to make a TEMPEST-enabled room; to provide a
conductive shell, you need substantial quantities of copper sheeting
(and 16-gauge copper sheeting is $90 per square metre); the sheets
then need to be soldered together at the edges.
* Alternatively, you could use TEMPEST wallpaper, which is a fabric with
many short copper fibres embedded; these act as a series of small
electrodes, and produce a 45 dB attenuation at all frequencies.
* For a cheaper solution, use Styrofoam blocks clad on both sides with
aluminium foil.
* Remember that rooms have six sides, not four; you also have to shield
the roof and the floor.
* You really want a solid conductive shell. This makes it quite hard to
run services in; water pipes are out, for example. Windows are hard to
protect, so the simplest solution is not to have any; since the room
is hermetically sealed, you may well need ancillary bottled oxygen.
* The most elegant way of getting power into the room is probably to use
a motor-generator unit like those used to provide stable power to IBM
mainframes; run the shaft through the wall using a few conducting
gaskets.
* It's probably easiest to forget about networking and revert to
sneakernet; if you really want to use Ethernet, either bring it in via
a convoluted channel, or use fibre-optics.
* Doors can be protected by putting metal plates on them and using
conductive gaskets to seal them; there is a magazine called
'Electronic Compliance' in which such things as conductive gaskets are
advertised.
