security fundamentals group tempest security hidema tanaka

Security Fundamentals Group

TEMPEST Security

Hidema Tanaka


Information leakage via electromagnetic emanation

Electromagnetic wave, which is emanated unintentionally from running IT devices, contains information of processing signals from the devices.

scanner colorprinter

printer

PC

FAX multifunction machine


What is TEMPEST

Reconstruction image by emanated electromagnetic wave

target PC

antenna

Tempest receiver


Threat of information leakage from display image

・ There is a possibility that personal information on public information terminals stolen. ・ Screen design of public information terminal is very simple. (Universal design)・ It is easy to reconstruct such simple display image by TEMPEST.・ Human-interface can not be protected by crypto-technology.

Target of TEMPEST

e-voting system ATM system

a serious threat on the information security !!

Target of TEMPEST

e-voting system

Target of TEMPEST

e-voting system

ATM

information


Principle of TEMPEST

Very easy : almost same as TV but attacker needs some information of the target.

TV TEMPEST

known as “Channel” Reception frequency unknown

standard(e.g.NTSC) Synchronous frequency

(reconstruction of image)

depend on “target”

(e.g. VESA for PC)


Activity of our group

Signal generator

Vertical/Horizontal synchronous frequency

Receiver

Monitor

1. Analysis: Which frequency? What information?

Video signal

Synchronous signals

2. Simplification: Effectiveness vs Cost (Reality of threat).

3. Countermeasure: New techniques.

To evaluate information in electromagnetic emanation quantitatively, it is important to monitor emanated signals from electronic instruments in more easy-to-use way and more easy to reconstitute way, then to analyze how information signal is contained in emanated signal.

We propose the method to monitor electromagnetic signals emanated from PC (desktop PC) in more easy-to-use way and more easy to reconstitute way. Also we reconstitute information from monitoring results and evaluate it.


Analysis

秘秘

Analysis & evaluation


Our proposal system

・ Not need shield room --- We can get high S/N signal.

・ Experimental results can be re-produced. --- It does not depend on the environment.

・ data-processing is easy.


12

34567 1 2 3 4 5 6 7

This result shows that we can monitor emanated electromagnetic signal corresponding to character line(1～ 7line) displayed on the monitor. We can reconstitute easily by the result from the proposed monitoring method, and also it is very easy-to-use.

Monitor display image


We can reconstitute image by using signal processing.In this reconstitution result of monitor display image, we can read a character around 18 point.


Simplification of TEMPEST

・ High performance receiver (10～ 20 years ago, FSET 22 was a military model)・ Real time image processing (such as Adobe Photoshop)・ Hardware Amplification and noise canceller・ Setting of synchronous frequency in 0.001[Hz] step・ Very expensive ($100M or higher? I do not know.)

Does attacker (such a pedestrian hacker) need such expensive machines ?

Frequency range 100[Hz] – 22[GHz]

Frequency resolution 0.1[Hz]

Bandwidth 10[Hz] – 500[MHz]

Average noise level < 142 dBm

Specification of FSET22


The answer is NO.

Easy TEMPEST receiver

・ Receiver: AOR AR8600 mk2 with TV outputabout $800

・ Signal generator: NF Wave Factory 1944Babout $2000

・ No image processing

Performance

・ do not succeed from far away by antenna. But wire tap (power cable or LAN cable using a current probe) is ok.

・ Rough screen such as ATM interface is ok.

Countermeasures are important and necessary.


Countermeasures

We can already use some countermeasure products,

cage

special cable and connector/adapter

Tempest PC (about $10,000)jamming machine

… but they are too expensive and limited usage.


Kuhn and Anderson (Cambridge university) , IH98

Top 30% of horizontal frequency spectrum of image

Effective to Tempest attack

Removing top 30 % of horizontal frequency spectrum of image

The basic idea of the Tempest fonts

New technique → Software solution “TEMPEST fonts”



Enlarged view of reconstruction image

If we use common font, we can read a character in reconstruction image.



reconstruction image

But, when we use proposed TEMEPST font, we are hard to read a character in reconstruction image.

TEMPEST font generated by Fourier trans. and Gaussian.


Future works

・ Reconstruction of keyboard typing information via EM

⇔ “Keyboard acoustic emanation” (L.Lhuag et.al , CSS05)

・ EM side-channel cryptanalysis (IC card, RFID etc)

・ EM attack (small scale of E-Bomb) on IT devices

e.g. Attack to LAN cable → packet error → DoS attack

security fundamentals group tempest security hidema tanaka

Documents

information security

information signal

pc slide

monitor display image

system atm information

personal information

tempest reconstruction

system target of tempest