A long-running story in the world of electronic security has been the reconstruction of on-screen data using RF interference from monitors or televisions. From British TV detector vans half a century ago to 1980s scare stories about espionage, it was certainly easy enough to detect an analogue CRT with nothing more than an AM broadcast radio receiver. But can this still be done in the digital age? It’s something [Windytan] has looked into, as she reconstructs images using leakage from HDMI cables.
The tale starts with a mystery RF noise, soon identified as repeating at the line and frame rates of a video signal. Plotting the noise intensity while treating those scanning frequencies as horizontal and vertical synchronization yields a shadowy version of her Raspberry Pi desktop, so she’s on to something. It’s important to note that this isn’t the video signal she’s receiving, but the noise radiated by the bit transitions of the uncompressed digital video stream on the cable. Since what leaks is the transition activity rather than the pixel values themselves, she quickly concludes that trying to resolve color would be futile.
It does, however, leave the tantalizing possibility of using this as a covert channel to wirelessly exfiltrate data from a compromised machine, and it’s down this route she goes. She finally arrives at a scheme that encodes data as lines of individual colors, looking like interference patterns drawn over the desktop, and from there can send and retrieve files. It works for digital audio streams and, as shown in the video below, even for an MJPEG video stream hidden in the noise from a video signal. That’s impressive work by any standard!
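The two steps above, rasterizing the received noise with the video timing as sync and then carrying data in the pattern of each line, can be shown end to end in a small simulation. The following is an added example written for this page; it is not Windytan’s code and does not reproduce her exact encoding. It models the leak the way the article describes it: the receiver never sees pixel values, only how much transition activity each pixel produced, so each synthetic “RF” sample is the number of bit flips between a pixel and its predecessor plus Gaussian noise. The frame size, the 8-bit single-channel pixels, one receiver sample per pixel, perfectly stable timing, and a known line count per frame are all simplifying assumptions.

```python
"""Fold a 1-D stream of leaked transition intensity back into a raster.

Added worked example, not Windytan's code. Assumptions (all simplifications):
one 8-bit channel, one receiver sample per pixel, stable timing, and a known
line count per frame. All input data is constructed inside this file.
"""
import random
from statistics import mean

W, HBLANK, H = 48, 8, 16            # active pixels, blanking samples, lines per frame
SPL = W + HBLANK                    # samples per line
BUSY = (0x00, 0xFF)                 # alternating pixels: 8 bit flips per pixel
QUIET = (0x55, 0x55)                # steady colour: no flips after the first pixel


def frame_for_payload(bits):
    """Row i carries payload bit i: a 'busy' pattern for 1, a steady colour for 0."""
    return [[(BUSY if b else QUIET)[x % 2] for x in range(W)] for b in bits]


def emitted_stream(frame, n_frames, noise_sd, rng):
    """What the receiver sees: transition count per pixel, buried in noise."""
    out = []
    for _ in range(n_frames):
        for row in frame:
            prev = 0
            for px in row:
                out.append(bin(prev ^ px).count("1") + rng.gauss(0, noise_sd))
                prev = px
            out.extend(rng.gauss(0, noise_sd) for _ in range(HBLANK))  # line blanking
    return out


def estimate_frame_period(stream, lo, hi):
    """Lag in [lo, hi] with the largest autocorrelation. Frames repeat exactly,
    so the true frame period stands out even when single samples are mostly noise."""
    mu = mean(stream)
    x = [s - mu for s in stream]
    scores = {lag: sum(a * b for a, b in zip(x, x[lag:])) for lag in range(lo, hi + 1)}
    return max(scores, key=scores.get)


def fold_and_average(stream, samples_per_line, lines_per_frame):
    """Rasterise the stream and stack every complete frame onto the previous
    ones; this averaging is the SNR gain that makes TEMPEST-style imaging work."""
    per_frame = samples_per_line * lines_per_frame
    n_frames = len(stream) // per_frame
    img = [[0.0] * samples_per_line for _ in range(lines_per_frame)]
    for f in range(n_frames):
        base = f * per_frame
        for y in range(lines_per_frame):
            start = base + y * samples_per_line
            for xx, v in enumerate(stream[start:start + samples_per_line]):
                img[y][xx] += v / n_frames
    return img


def decode_rows(img, active_width):
    """One bit per line: busy rows average near 8 flips/pixel, quiet rows near 0."""
    levels = [mean(row[:active_width]) for row in img]
    thresh = (max(levels) + min(levels)) / 2
    return [int(v > thresh) for v in levels]


def roundtrip(payload, n_frames=16, noise_sd=2.5, seed=1):
    """Encode -> leak -> recover frame timing -> stack frames -> decode."""
    rng = random.Random(seed)
    stream = emitted_stream(frame_for_payload(payload), n_frames, noise_sd, rng)
    period = estimate_frame_period(stream, 700, 1100)   # coarse bracket around the repeat rate
    img = fold_and_average(stream, period // H, H)       # line count per frame assumed known
    return period, decode_rows(img, W)


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    period, bits = roundtrip(payload)
    print("frame period:", period, "payload recovered:", bits == payload)
```

Two things the simulation makes visible: the decoder only ever needs the contrast between a busy line and a quiet one, which is why colour is irrelevant to it, and the frame period falls out of a plain autocorrelation search because consecutive frames of a static image are identical while the noise is not. A real receiver additionally has to cope with a sample rate that is not an integer multiple of the pixel clock, which this model deliberately leaves out.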
We covered those BBC detector vans in detail a while back.
25 thoughts on “Pulling Data From HDMI RF Leakage”
The analog version, Tempest for Eliza, back from the CRT days:
Impressive, scary and hilarious at the same time! Oona’s paw!
Would HDCP mitigate this?
I don’t think so. Doesn’t HDCP work by negotiating a link, and then the link is still passed clear? That’s why some of those knockoff HDMI splitters let you strip HDCP. They negotiate the signal with an approved monitor, then it’s open to split off.
Nope, HDCP content is encrypted. HDMI “splitters” that support HDCP actually decode the source HDMI stream and then re-encode it to each output separately. It’s more like a repeater than a splitter.
I remember reading about “Van Eck phreaking” in Cryptonomicon, seriously cool (if creepy) stuff!
I came here to leave that comment! :) Interesting that devices still radiate so much despite being subject to limitations set by the FCC and similar authorities.
Goes to show that no device outputting HF noise can ever be truly airgapped. Impressive and interesting!
That’s why once upon a time, PCs and other devices had to be properly shielded to be legal. Their cabling, too.
Raspberry Pi, Arduino Uno etc.: In the 80s/90s of the 20th century, their operation in a cheap, unshielded plastic case would have been highly illegal. Outside supervised hobby use, I mean (tinkering or prototyping excepted of course! I mean permanent installations).
It was in ~2000 when the darn CE sign replaced certificates/tests by the national committees of each country here in Europe.
From there on, everything went out of control.
Nowadays, people are so uneducated that they install Raspberry Pis as if they were professional devices. They don’t even know about RFI/TVI and shielding. RF is a totally unknown thing to them.
Pis and Arduinos should be restricted to lab use only, unless they have proper shielding and real fuses. Plastic chassis with conductive paint would be feasible, at the very least! Or the use of aluminium foil on cardboard.
I often wish those “hard” times were back, in which an FCC-like organization was hunting down users of such hobbyist products without mercy. The amount of RF noise that a Raspberry Pi emits is just irresponsible. It’s like an electronic equivalent to an STD.
We’re more dependent on wireless technology than ever. The RF bands should be valued, protected, like drinking water. The RF pollution caused by the numerous Pis and such similar devices is almost a crime, imho.
Same goes for those cheap switching-psus everyone loves so much. 🙄
The old regulated, linear power supplies with transformers were much cleaner!
Way back in the 90s they were still being sold. Oh well, those were good times.
Hahahaha I needed a good laugh. Modern devices don’t need ostentatious shielding because EMI mitigation techniques and certifications have become a lot more sophisticated and rigorous. Why slap an expensive metal box on a device when you can engineer it to not waste all that energy in the first place (and you’re *obligated* to do so if you want to sell it commercially)? If you think it’s a laissez-faire free-for-all these days you are laughably deluded.
Unless you can point out the devices and services that are being actively interfered with due to RFI from arduinos? Because that’s the *only* reason devices need to limit their emissions, in order to play nice with other spectrum users. If you can’t, then none of your complaints make any sense.
I’ll have what he’s having. Hitting the good drugs again, are we?
Let’s wait for the USB keyboard RF sniffer!
I tried that a few years ago! What impressed me most about the Tempest attack is just how easy it was to do as a hobbyist with a $50 device (HackRF) and a free program.
If anyone else is interested I have a small tutorial on my github with some additional pictures.
Isn’t HackRF like $300?
Yeah I just checked back on my Aliexpress order and it cost me around 170€ a couple of years ago. I could swear it cost me less.
The original one is ~330€ though, and it’s supposed to have a better tuned antenna circuit, which allows for better tx/rx. But I didn’t want to spend as much back then, because I didn’t know if I would even like the SDR idea.
Weren’t the TV license people tracking the oscillators in the sets rather than the CRTs themselves?
It was a myth that they actually did that. Possible in today’s age with a setup parked less than 10 cm away, but not possible from outside on the street with one or more walls in the way. They relied purely on 99.99% of people not knowing any better.
It’s never been “illegal” to have a TV without a license, just to watch live, terrestrial broadcasts without one. They used to say they could tell what channel you were watching. Pure myth.
They have written to me 6 times a year for the last 5 years saying they’ve launched an investigation on me for not having a license, and that an inspector will visit my address… They actually did send someone round in about 2019, at 2pm on a Thursday. I was obviously at work. Still get the letters. I could tell them I don’t watch terrestrial TV, but I like the idea of them wasting the resources on trying to enforce something that’s unenforceable and relies entirely on fear and misunderstanding of technology.
Write to them declaring the “implied right of access” to your property, and they will go away for a few years – and if an inspector does come you are legally allowed to chase him off with a supersoaker.
Picking up a well defined single oscillator frequency with a directional antenna from a mains-powered device that would have been *incredibly* noisy back in the day does not require “today’s age” technology; it would have been straightforward with the technology available even before the TV itself was commercially available. It probably worked in the early days of the TV license up until sometime in the 80s when solid-state TVs started becoming widespread.
Naw. I was doing it in the lab all the time in the 70’s. It is no problem detecting your local osc since it gets radiated back up the antenna.
Forgot to add Electronic Warfare techs were doing it all day long in the 60’s. A friend told me he could identify the brand and nationality of the receiver by the IF and LO they picked up.
Not even RF: the technique was optical.
Because CRT scanout was locked to the broadcast signal (this was before LCDs and DSPs), a simple autocorrelator comparing the received signal with a photodetector aimed at a window (works with bounce off a wall or through a diffuse curtain) will match with one of the 3/4/5 (depending on decade) broadcast TV channels.
Once sample-and-hold displays and DSPs became more commonplace, along with non-terrestrial reception techniques like satellite and cable, the whole scheme completely fails as phase offsets went from micro/nanoseconds to multiple milliseconds to whole seconds.
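The optical cross-check the comment above describes, as an added example written for this page (constructed data, not the commenter’s code): a photodetector signal is compared against each candidate broadcast channel by normalised cross-correlation over a short window of lags, because a CRT slaved to the off-air signal adds only a tiny delay. A buffered set delays the picture by far more than that window, and the search then finds nothing, which is the failure mode the comment points to. The three “channels” are random per-field brightness sequences, and the gain, delay, noise level and threshold are all assumed values.

```python
"""Which broadcast channel is lighting that window? Cross-correlation check.

Added illustration, not the commenter's code. All inputs are synthetic:
random per-field brightness sequences stand in for the broadcast channels,
and the photodetector signal is one of them, scaled, delayed and buried
in receiver noise.
"""
import random


def make_channels(n_channels, n_samples, rng):
    """Synthetic per-field brightness for each channel (constructed data)."""
    return [[rng.random() for _ in range(n_samples)] for _ in range(n_channels)]


def photodetector(brightness, delay, gain, noise_sd, rng):
    """Room glow: the chosen channel, scaled and delayed, plus receiver noise."""
    return [gain * (brightness[t - delay] if t >= delay else 0.0) + rng.gauss(0, noise_sd)
            for t in range(len(brightness))]


def ncc(detector, reference, lag):
    """Normalised cross-correlation of detector[t] with reference[t - lag], lag >= 0."""
    xs, ys = detector[lag:], reference[:len(reference) - lag]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def identify_channel(detector, channels, max_lag, threshold):
    """Best (channel, lag) within a short lag window, or (None, None) when nothing
    correlates above threshold, which is what a large phase offset looks like."""
    best_ch, best_lag, best_r = None, None, threshold
    for ch, ref in enumerate(channels):
        for lag in range(max_lag + 1):
            r = ncc(detector, ref, lag)
            if r > best_r:
                best_ch, best_lag, best_r = ch, lag, r
    return best_ch, best_lag


def demo(delay, seed=7):
    """Channel 1 lights the room; only the delay between broadcast and glow varies."""
    rng = random.Random(seed)
    channels = make_channels(3, 4000, rng)
    glow = photodetector(channels[1], delay, gain=1.0, noise_sd=1.0, rng=rng)
    return identify_channel(glow, channels, max_lag=5, threshold=0.1)


if __name__ == "__main__":
    print("CRT locked to the broadcast:", demo(delay=3))   # channel 1 found at lag 3
    print("buffered (cable/satellite/DSP) set:", demo(delay=400))   # nothing matches
```

The per-sample signal-to-noise ratio in the demo is well below one, yet the correct channel stands out clearly after a few thousand fields, which is what makes the scheme workable; widening the lag window to cover seconds of buffering delay would cost a proportionally larger search and a higher false-match rate.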
It was quite easy to pick up the intensity modulation of the CRT in a certain (and I am sure many other) 1970s data terminal. One aspect of a job I had was giving security demonstrations. A fellow engineer found he got a good clean dot signal at about 1 GHz. A hand-made receiver smaller than a lunch box, a genlock, a monitor and a small Yagi antenna to point at the victim terminal were all that was necessary.
I had a high ranking official get in my face at one demonstration, accusing me of faking the demo. The intercept was very clean, but the terminal display was flagged over due to a dried out electrolytic capacitor in the flyback driver. I had a capacitor on order, but didn’t receive it in time to replace for the demo. I convinced the skeptic it was a real intercept by having him walk in front of the Yagi to cut off the path to cause the intercept to drop out.
Ironically, the data terminal in question had been upgraded with TEMPEST proofing features, just not good enough features.
HDMI is particularly bad in this regard due to the fact that until 2.0 it transmitted a clock signal as well.