
    Optical Time-Domain Eavesdropping Risks of CRT Displays

    Markus G. Kuhn
    University of Cambridge, Computer Laboratory
    JJ Thomson Avenue, Cambridge CB3 0FD, UK

    mgk25@cl.cam.ac.uk

    Abstract

    A new eavesdropping technique can be used to read cathode-ray tube (CRT) displays at a distance. The intensity of the light emitted by a raster-scan screen as a function of time corresponds to the video signal convolved with the impulse response of the phosphors. Experiments with a typical personal computer color monitor show that enough high-frequency content remains in the emitted light to permit the reconstruction of readable text by deconvolving the signal received with a fast photosensor. These optical compromising emanations can be received even after diffuse reflection from a wall. Shot noise from background light is the critical performance factor. In a sufficiently dark environment and with a large enough sensor aperture, practically significant reception distances are possible. This information security risk should be considered in applications with high confidentiality requirements, especially in those that already require TEMPEST-shielded equipment designed to minimize radio-frequency emission-security concerns.

    1. Introduction

    Classic techniques for unauthorized remote access to private and confidential information (tapping communication links, code breaking, impersonation) become increasingly difficult as the use of modern cryptographic protection techniques proliferates. Those in the business of obtaining information from other people's computers without their consent or knowledge (from law enforcement and intelligence service technicians through criminals to market researchers) are continuously looking for alternative means of access.

    Proceedings 2002 IEEE Symposium on Security and Privacy, 12–15 May 2002, Berkeley, California, pp. 3–18, ISBN 0-7695-1543-6. © 2002 IEEE. Personal use of this material is permitted.

    Military organizations have been aware of compromising acoustic and radio-frequency emanations from information processing equipment since the early 1960s and established emission security (EMSEC) test standards with shielding requirements for computers that process classified information [1, 2, 3]. A larger community became aware of the radio-frequency information leakage of video displays and other computer peripherals through van Eck's eavesdropping demonstration with modified TV sets [4] and subsequent research on related phenomena [5, 6, 7]. Optical emission security has been discussed for fiber-optic cables [8].

    The available open emission-security literature on displays has so far only focused on the threat of information carried in the radio-frequency bands (primarily 3 MHz–3 GHz). We must not forget, however, that the very purpose for which display devices are designed is the emission of information suitable for human perception in the optical bands (385–790 THz frequency or 780–380 nm wavelength). As we will see, the overall light emitted by a commonly used cathode-ray tube computer monitor is a broadband information carrier that transmits via light-intensity modulation the low-pass filtered video signal. It is feasible to reconstruct screen contents from this information channel, even if the eavesdropper cannot position a sensor within a direct line-of-sight to the target display surface and receives the light only after diffuse reflection, for instance from an office wall.

    An upper bound for the possible signal quality and eavesdropping distance is set by the shot noise from other light sources. Such an analysis can not only be applied to video screens but also to any other optical displays that might be targeted by an eavesdropper, for instance status indicators of serial ports.

    2. Projective observation with telescopes

    It has of course not escaped the attention of security experts in the past that any video display surface that is within a line of sight to an eavesdropper's hiding place could be read with the help of a telescope. Many organizations dealing with critical information have security policies concerning the orientation and visibility of documents, computer monitors, and keyboards relative to windows that are visible from uncontrolled spaces such as nearby streets, parking lots, or buildings.

    With high-quality optics, the limiting factor for the angular resolution of a telescope is the diffraction at its aperture. For an aperture (diameter of the first lens or mirror) D, the achievable angular resolution as defined by the Rayleigh criterion is

    =1.22

    D, (1)

    where 500 nm is the wavelength of light. Typical modern office computer displays have a pixel size r = 0.25 mm (for example in the form of the 320 × 240 mm display area on a 43 cm CRT, divided into 1280 × 1024 pixels). If the observer is located at distance d and her viewing direction differs by an angle from a perpendicular view onto the display surface, she will see a single pixel under a viewing angle = rd cos . She will therefore need a telescope with an aperture of at least

    D =1.22 dr cos . (2)

    A simple amateur astronomy telescope (D = 300 mm) will be sufficient for reading high-resolution computer display content from up to 60 m distance under < 60, even with very small font sizes.

    3. Time-domain observation of CRT light

    The direct projection of a video display surface onto the image plane of a camera with a good telescope is not the only way in which optical emanations of cathode-ray tubes can be used to read the screen content at a distance.

    Most computer video displays used today are raster scan devices. As in a television receiver, the image is transmitted and updated as a sequence of scan lines that cover the entire display area with constant velocity. The pixel luminosity values in this sequence are a function of the video signal voltage. Vector displays are an alternative technique, in which not only the intensity but also the path of a cathode-ray tube electron beam is controlled by the displayed data, however they are hardly used any more.

    The timing of a raster-scan video signal is first of all characterized by the pixel clock frequency $f_p$, which is the reciprocal of the time in which the electron beam travels from the center of one pixel to the center of its right neighbor. The pixel clock is an integer multiple of both the horizontal and vertical deflection frequency, that is the rate $f_h = f_p / x_t$ at which lines are drawn and the rate $f_v = f_h / y_t$ at which complete frames are built on the screen. Here, $x_t$ and $y_t$ are the total width and height of the pixel field that we would get if the electron beam needed no time to jump back to the start of the line or frame. The actually displayed image on the screen is only $x_d < x_t$ pixels wide and $y_d < y_t$ pixels high to leave time to transmit synchronization pulses to the monitor and for the electron-beam flyback.

    In order to facilitate the correct factory adjustment of the monitor image geometry over the wide range of different video timings used today, the Video Electronics Standards Association (VESA) has standardized a collection of exact timing parameters [9]. These include the 20–30 settings used by most personal computer displays today. An eavesdropper who has no access to the synchronization impulses from a video signal can use these standard timings as a first guess of the exact deflection frequencies. Careful additional frequency adjustment will be necessary, because the VESA timings are specified with a tolerance of 0.5%, whereas an eavesdropper has to match the correct frequency with a relative error of less than $10^{-7}$ to get a stable image.

    The light emitted by all of the pixels of a CRT together is a weighted average of the luminosity of the last few thousand pixels that the electron beam addressed. More precisely, the intensity I(t) of the light emitted is equivalent to the (gamma corrected¹) video signal v(t) convolved with the impulse response P(t) of the screen phosphor:

    $$I(t) = \int_0^\infty v(t - t')\,P(t')\,\mathrm{d}t' \tag{3}$$

    So even if an observer can pick up only the current average luminosity of a CRT surface, for example by observing with a telescope the diffuse light reflected from nearby walls, furniture, or similar objects, this provides her access to a low-pass filtered version of the video signal. Not even curtains, blinds, or windows with etched or frosted glass surfaces (as are frequently used to block views into rooms) are necessarily an effective protection, as the average luminosity inside a room can still leak out.

    As with radio-frequency eavesdropping, an attacker utilizes the fact that displayed pixels are updated sequentially, and again the periodic nature of the process can be used to reduce noise and to address individual display units out of several in a room via periodic averaging.
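An added illustration for assessing this leak (not code from the paper): a discrete form of the convolution in equation (3), the signal swing that survives at the pixel rate, and the noise reduction from periodic averaging. The exponential phosphor response, its 8-pixel time constant, the Gaussian noise standing in for shot noise and the random pixel sequence are constructed assumptions, not measurements from the paper.

```python
import math
import random

def phosphor_response(n_taps, tau):
    """ASSUMED impulse response P: exponential decay (tau in pixel periods), unit sum."""
    p = [math.exp(-k / tau) for k in range(n_taps)]
    total = sum(p)
    return [x / total for x in p]

def emitted_light(v, p):
    """Discrete form of eq. (3): I[n] = sum_k v[n-k] * P[k], one sample per pixel."""
    return [sum(v[n - k] * p[k] for k in range(min(n + 1, len(p))))
            for n in range(len(v))]

def pixel_rate_ripple(p):
    """Steady-state swing of I for alternating full-on/off pixels (finest detail)."""
    return sum(x if k % 2 == 0 else -x for k, x in enumerate(p))

def periodic_average(samples, period):
    """Average repeated frames sample by sample; period = samples per frame."""
    frames = len(samples) // period
    return [sum(samples[f * period + i] for f in range(frames)) / frames
            for i in range(period)]

def rms_error(a, b):
    """Root-mean-square difference between two equally long sample lists."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(b))

def noise_before_after(frames=100, sigma=0.05, seed=1):
    """Return (RMS error of one noisy frame, RMS error after averaging all frames)."""
    rng = random.Random(seed)
    v = [rng.choice((0.0, 1.0)) for _ in range(200)]  # constructed pixel sequence
    clean = emitted_light(v, phosphor_response(64, tau=8.0))
    noisy = [x + rng.gauss(0.0, sigma) for _ in range(frames) for x in clean]
    return (rms_error(noisy[:len(clean)], clean),
            rms_error(periodic_average(noisy, len(clean)), clean))

if __name__ == "__main__":
    p = phosphor_response(64, tau=8.0)
    print("ripple at pixel rate: %.3f of full scale" % pixel_rate_ripple(p))
    print("RMS noise, 1 frame vs 100 averaged: %.4f, %.4f" % noise_before_after())
```

Under these assumed parameters the phosphor attenuates pixel-rate detail without removing it, and averaging N frames lowers uncorrelated noise by roughly the square root of N.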

    The light emitted by a cathode-ray tube is generated when the electron beam hits a luminescent substance, called the phosphor (not to be confused with the chemical element phosphorus). The measurements described in the next section show that when the electron beam hits the phosphor of a bright pixel, the emitted light intensity reaches its maximum within a single pixel period, and even though the

    ¹ The intensity of the light emitted by the phosphor is up to a saturation limit proportional to the electron beam current i(t), which is typically linked to the video-signal voltage v(t) by a power-law relationship i(t) (v(t) v0) . The gamma corrected video voltage v(t) i(t) used here is strictly speaking not the actual video voltage supplied by a graphics adapter to the monitor. It is a hypothetical voltage that is proportional to the beam current and v(t) = 1 V shall represent the maximum intensity. This way, we can quantify the phosphor impulse response of a monitor without having to measure the beam current.
