tempest

13 Articles

LCD Monitor Plays The Hits

August 18, 2022 by 1 Comment

In the old days, it wasn’t uncommon to put an AM radio near a computer or a monitor and deliberately cause interference to have a crude form of sound generation. Did you miss out on that? No! Thanks to [luambfb] you can now do the same trick with a common LCD monitor. You’ll need the horizontal refresh rate of the monitor in question.

Of course, doing it is somewhat less interesting than learning how it works. The effect relies on the fact that the LCDs emit signals as it refreshes a row. A black row emits relatively low energy while a white row emits more. Grayscale… well, you get the idea. Continue reading “LCD Monitor Plays The Hits”

Eavesdropping By LED

August 25, 2021 by 23 Comments

If you ever get the feeling someone is watching you, maybe they are listening, too. At least they might be listening to what’s coming over your computer speakers thanks to a new attack called “glow worm.” In this novel attack, careful observations of a power LED on a speaker allowed an attacker to reproduce the sound playing thanks to virtually imperceptible fluctuations in the LED brightness, most likely due to the speaker’s power line sagging and recovering.

You might think that if you could see the LED, you could just hear the output of the speaker, but a telescope through a window 100 feet away appears to be sufficient. You can imagine that from a distance across a noisy office you might be able to pull the same trick. We don’t know — but we suspect — even if headphones were plugged into the speakers, the LED would still modulate the audio. Any device supplying power to the speakers is a potential source of a leak.

Continue reading “Eavesdropping By LED”

Ethernet Goes To The Ether

November 9, 2020 by 14 Comments

Since the ether is an old term for the fictitious space where radio waves propagate, we always thought it was strange that the term ethernet refers to wired communication. Sure, there are wireless devices, but that’s not really ethernet. [Jacek] had the same thought, but decided to do something about it.

What he did is use two different techniques to alter the electromagnetic emission from an ethernet adapter on a Raspberry Pi. The different conditions send Morse code that you can receive at 125 MHz with a suitable receiver.

Practical? Hardly, unless you are looking to exfiltrate data from an air-gapped machine, perhaps. But it does have a certain cool factor. The first method switches the adapter between 10 Mbps and 100 Mbps. The second technique uses a stream of data to accomplish the modulation. The switching method had a range of around 100 meters while the data-based method topped out at about 30 meters. The code is on GitHub if you want to replicate the experiment.

There is plenty of precedent for this sort of thing. In 1976 Dr. Dobb’s Journal published an article about playing music on an Altair 8800 by running code while an AM radio was nearby. We’ve seen VGA adapters forced to transmit data, too.

Continue reading “Ethernet Goes To The Ether”

Listening To An IPhone With AM Radio

September 18, 2020 by 38 Comments

Electronic devices can be surprisingly leaky, often spraying out information for anyone close by to receive. [Docter Cube] has found another such leak, this time with the speakers in iPhones. While repairing an old AM radio and listening to a podcast on his iPhone, he discovered that the radio was receiving audio the from his iPhone when tuned to 950-970kHz.

[Docter Cube] states that he was able to receive the audio signal up to 20 feet away. A number of people responded to the tweet with video and test results from different phones. It appears that iPhones 7 to 10 are affected, and there is at least one report for a Motorola Android phone. The amplifier circuit of the speaker appears to be the most likely culprit, with some reports saying that the volume setting had a big impact. With the short range the security risk should be minor, although we would be interested to see the results of testing with higher gain antennas. It is also likely that the emission levels still fall within FCC Part 15 limits.

Continue reading “Listening To An IPhone With AM Radio”

TEMPEST Comes To GNU Radio

May 14, 2020 by 10 Comments

As we use our computers, to watch YouTube videos of trucks hitting bridges, to have a Zoom call with our mothers, or even for some of us to write Hackaday articles, we’re unknowingly sharing a lot of what we are doing with the world. The RF emissions from our monitors, keyboards, and other peripherals can be harvested and reconstructed to give a third party a view into your work, and potentially have access to all your darkest secrets.  It’s a technique with origins in Government agencies that would no doubt prefer to remain anonymous, but for a while now it has been available to all through the magic of software defined radio. Now it has reached the popular GNU Radio platform, with [Federico La Rocca]’s gr-tempest package.

He describes it as a re-implementation of [Martin Marinov]’s TempestSDR, which has a reputation as not being for the faint-hearted. The current version requires GNU Radio 3.7, but he promises a 3.8-compatible version in the works. A YouTube video that we’ve placed below the break has a range of examples running, though there seems to be little information on the type of antenna employed. Perhaps a log-periodic design would be most appropriate.

Continue reading “TEMPEST Comes To GNU Radio”

Screaming Channels Attack RF Security

July 27, 2018 by 15 Comments

As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it is relying on digital information leaking out on the device’s radio signal.

Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, then it’s because it is relatively easy to break the code.

Continue reading “Screaming Channels Attack RF Security”

TEMPEST In A Software Defined Radio

June 25, 2017 by 12 Comments

In 1985, [Wim van Eck] published several technical reports on obtaining information the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – an NSA specification for protection from this van Eck phreaking.

Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox It has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.

The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion 2 SOC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.

The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.

However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require a direct, physical access to a device, but if the alternative doesn’t work beyond one meter that shouldn’t be a problem.