18 March 1998
To: cypherpunks@toad.com Subject: Re: EMI, Van Eck, etc. Date: Wed, 18 Mar 1998 13:09:10 +0000 From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk> The Spectre wrote on 1998-03-18 05:11 UTC: > In almost every writing I've come across regarding Van Eck, I notice the > phrase "...simply a modified television" or something along those lines. > > Does anyone have a document for actually modifying a television set to do > this sort of thing? It doesn't have to be extremely long ranged, and could > in fact be very short range.. I am interested in performing my own > experiments into defeating this sort of eavesdropping. Ingredients for a minimum cost quick & dirty TEMPEST experiment: 1 RF tuner of a VCR 1 antenna amplifier 1 antenna 1 multisync PC monitor 1 PC with a video card (or a pair of tuneable sync oscillators) Connect the PC with the video card to the SYNC inputs of the multisync monitor. Program the video card to a video mode with the same deflection frequencies as that used by the target system. Connect the baseband output of your tuner to the VIDEO-IN pins of your monitor. Connect the antenna and amplifier to the RF input of your tuner. Switch on. Fill the screen of the target device with a big symbol consisting of dithered and non-dithered areas for best results in the first trials. Now tune through the VHF bands starting with the dot clock frequency of the target. That's it basically. Such a primitive TEMPEST monitor is of course unsuitable for evaluating the threat from much more sophisticated wide-band DSP eavesdropping receivers that directly attempt OCR-style algorithms on the signal with matched filters. But it is fun to play around with, it is useful for getting a feeling for the effect, and it is suitable for demonstrating most of the Soft Tempest tricks that I described in <http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf>. > Also, would it be possible to scramble the signal into an unusable level by > simply putting another device emanating RF at the snooping frequencies > nearby the machine that you want to protect? Something generating white > noise at that frequency, but with a purposely built antenna, say a high > gain type turned outward from the monitor, with a significantly higher > power output than the monitor? The FCC and your radiologist advise against this. Shielding is much more elegant than jamming. Remember that CRT content is a periodic signal, thus you can suppress uncorrelated noise by periodic averaging rather easily. Good jamming must produce a correlated output signal. See United States Patents 5165098 and 5297201 for descriptions of correlated jammers. I don't think, these are widely used though, as the TEMPEST standards seem to mandate shielding and not jamming, which I think is very sensible. Markus -- Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>
JYA Note: TEMPEST information: http://www.eskimo.com/~joelm/tempest.html