Information Leakage from Optical Emanations
Results 1 to 6 of 6

Thread: Information Leakage from Optical Emanations

  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    84

    security must read unbelievable !!!!!

    source:http://applied-math.org/optical_tempest.pdf
    now this article is very extensive and legnthy
    just to warn you
    I have cut the article and there is alot of tech jargon missing but feel free to hit the link.

    Information Leakage from Optical Emanations
    JOE LOUGHRY
    Lockheed Martin Space Systems
    and
    DAVID A. UMPHRESS
    Auburn University
    A previously unknown form of compromising emanations has been discovered. LED status
    indicators on data communication equipment, under certain conditions, are shown to carry a
    modulated optical signal that is significantly correlated with information being processed by the
    device. Physical access is not required; the attacker gains access to all data going through the
    device, including plaintext in the case of data encryption systems. Experiments show that it is
    possible to intercept data under realistic conditions at a considerable distance. Many di®erent
    sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable.
    A taxonomy of compromising optical emanations is developed, and design changes are described
    that will successfully block this kind of “Optical Tempest” attack.
    Categories and Subject Descriptors: C.2.0 [Computer Systems Organization]: COMPUTERCOMMUNICATION
    NETWORKS—General, Security and protection (e.g., firewalls); D.4.6
    [Software]: OPERATING SYSTEMS—Security and Protection, Invasive software (e.g., viruses,
    worms, Trojan horses); E.3 [Data]: DATA ENCRYPTION—Code breaking; K.6.5 [Computing
    Milieux]: MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS—Security and
    Protection, Unauthorized Access (e.g., hacking, phreaking)
    General Terms: Compromising emanations, Emissions security, Experimentation
    Additional Key Words and Phrases: Information displays, light emitting diode, LED, fiber optics,
    encryption, compromising emanations, covert channel, communication, COMINT, COMSEC,
    EMSEC, SIGINT, TEMPEST
    1. INTRODUCTION
    Can optical radiation emitted from computer LED (light emitting diode) status
    indicators compromise information security? Data communication equipment, and
    even data encryption devices, sometimes emit modulated optical signals that carry
    enough information for an eavesdropper to reproduce the entire data stream being
    Much of this work was done while the first author was a graduate student in the Department of

    processed by a device. It requires little apparatus, can be done at a considerable
    distance, and is completely undetectable. In e®ect, LED indicators act as little
    free-space optical data transmitters, like fiber optics but without the fiber.
    Experiments conducted on a wide variety of devices show evidence of exploitable
    compromising emanations in 36% of devices tested. With inexpensive apparatus,
    we show it is possible to intercept and read data under realistic conditions from at
    least across the street. In Figure 1, the lower trace shows the §15V EIA/TIA-232-E
    waveform of a serial data signal at 9600 b=s. The upper trace shows modulated
    optical radiation intercepted 5 m from the device. A high correlation is evident.
    We have successfully recovered error-free data at speeds up to 56 kb=s; the physical
    principles involved ought to continue to work up to about 10 Mbits/s. Protecting
    against the threat is relatively straightforward, but may require design changes to
    vulnerable equipment.

    1.1 Paper Organization
    The first part of this paper reviews the idea of compromising emanations, and
    gives an overview of what information is to be found in the literature. Next comes
    a technical explanation of why compromising optical emanations exist, together
    with some of their properties. A series of experiments is then described, along
    with results that were found. Finally, some possible countermeasures are discussed,
    along with directions for future work. Related work on active attacks using optical
    emanations is presented in the appendices.
    2. EMSEC, TEMPEST, AND COMPROMISING EMANATIONS
    Compromising Emanations [National Computer Security Center
    1988]: “Unintentional data-related or intelligence-bearing signals that,
    if intercepted and analyzed, disclose the information transmi[tted], received,
    handled, or otherwise processed by any information processing
    equipment. See TEMPEST.”
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    Information Leakage from Optical Emanations ¢ 3
    Thorough discussion of compromising emanations and EMSEC (emissions security)
    in the open literature is limited. The information that is available tends to
    exhibit a strong bias toward radio frequency (RF) emanations from computers and
    video displays. Because of the high cost of equipment and the di±culty of intercepting
    and exploiting RF emanations, reports of successful attacks against emanations
    have been limited primarily to high-value sources of information such as military
    targets and cryptologic systems. A significant problem is that much important
    information on compromising emanations is classified [Russell and Gangemi 1991],
    although some documents have recently been declassified [National Security Agency
    1992; 1995; 1994].
    2.1 Related Work
    The ability to compromise signals emanating from computers has been known for
    some time. For instance, Smulders [1990] found RF emanations in unshielded or
    poorly shielded serial cables, and van Eck [1985] showed that cathode-ray tube
    video displays can be read at a distance by intercepting and analyzing their RF
    emanations. Others have noted RF compromise, including more contemporary research
    showing ways to hide information in signals emitted by video devices as
    well as specialized fonts that minimize compromising RF emanations [Kuhn and
    Anderson 1998]. Wright [1987] described, anecdotally, the discovery of electrically
    conducted compromising emanations from cipher machines as early as 1960. For
    an excellent overview of the current state of emanations security research, the interested
    reader is referred to the book by Anderson [2001] and a related paper by
    Kuhn and Anderson [1998].
    Very little mention of signals in the optical spectrum was found in the literature.
    Related topics include security of fiber optics [Hodara 1991; EXFO Electro-Optical
    Engineering, Inc. 1999] and optical communications [Wilkins 1641]. Social engineering
    attacks such as “shoulder surfing” and visual surveillance of video displays
    are well covered in [Fites and Kratz 1993]. Free-space optical data links are prone
    to interception, and for this reason wireless data links (both laser and RF) are
    typically encrypted [Lathrop 1992]. But with the exception of a work of fiction, in
    which one character uses the LEDs on a computer keyboard1 to send information
    in Morse code [Stephenson 1999], and inferences from redacted sections of partially
    declassified documents [National Security Agency 1992], a thorough search of the
    literature revealed no direct mention of the risk of interception of data from optical
    emanations of LED status indicators.
    3. COMPROMISING OPTICAL EMANATIONS
    “The [IBM] 360 had walls of lights; in fact, the Model 75 had so many
    that the early serial number machines would blow the console power supply
    if the ‘Lamp Test’ button was pressed.” [Morris 1996]
    3.1 Light-Emitting Diodes
    Light-emitting diodes are cheap, reliable, bright, and ubiquitous. They are used in
    nearly every kind of electronics, anywhere a bright, easy-to-see indicator is needed.
    1See also Appendix A.
    Fig. 2. EIA/TIA-232-E serial data waveform and typical LED response.
    They are especially common in data communication equipment. Every year, some
    20–30 billion LEDs are sold [Perry 1995].
    LEDs are very fast; that is, they exhibit a quick response to changes in the applied
    drive voltage (tens of nanoseconds). In fact, common visible LEDs are fast enough
    that a close cousin is used as a transmitter in fiber optic data links at speeds in
    excess of 100 Mbits/s [Hewlett–Packard Company 1993b].
    Although fast response time is oftentimes a desirable quality in a display, LEDs
    are fast enough to follow the individual bit transitions of a serial data transmission.
    Herein lies the problem: if certain LED indicators are visible to an attacker, even
    from a long distance away, it becomes possible for that person to read all of the
    data going through the device.
    One of the advantages of LED displays is that they can be read from across a
    room. The disadvantage may be that they can be read from across the street.
    3.2 Rationale for the Existence of Compromising Optical Emanations
    The brightness of LED displays would not be a problem if it were not for the
    way they interact with serial data transmissions. Consider the idealized EIA/TIA-
    232-E waveform and associated LED response curve depicted in Figure 2. The
    upper waveform shows the EIA/TIA-232-E serial data signal; the lower waveform
    illustrates the optical output of an LED indicator monitoring that signal. As long
    as the rise time of the LED is less than 1
    2 of the unit interval tUI, the LED will
    accurately enough mirror the EIA/TIA-232-E data signal at the critical points
    shown by the small circles in the diagram to enable recovery of the original data.
    The EIA/TIA-232-E standard (formerly known as RS-232) defines a bit-serial format
    using bipolar encoding and non-return-to-zero–level (NRZ–L) signaling [Electronic
    Industries Association, Engineering Department 1991]. As illustrated in
    Figure 3, bits are transmitted asynchronously, with framing bits embedded in the
    serial data stream for synchronization between sender and receiver. During periods
    when no data are being transmitted, the transmitter remains in the logical
    “1” state. The start of a new symbol is indicated by a momentary excursion to
    the logical “0” state for one unit interval, called the start bit. This is followed by
    a serial waveform consisting of a mutually agreed-upon number of data bits, sent
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    Fig. 3. EIA/TIA-232-E serial data waveform and maximum jitter tolerance from TIA/EIA-404-B.
    least significant bit first. Following the last data bit, the transmitter returns to the
    logical “1” state for at least one unit interval, called the stop bit, in order to provide
    necessary contrast for the receiver to recognize the beginning of the next start bit.
    (Another way of looking at this is that the channel is required to return to the idle
    state for at least one unit interval between characters.)
    EIA/TIA-232-E uses bipolar encoding, with a negative voltage signifying logical
    “1” and a positive voltage used for logical “0” [Black 1996]. Usually, LEDs are
    wired to light up for a logical “0” so that they flicker when bits are transmitted,
    and remain dark when the channel is idle. The fact that the original signal is
    bipolar is immaterial. As long as the LED is fast enough to faithfully reproduce
    the timing of bit transitions, the optical output will contain all of the information
    in the original EIA/TIA-232-E signal.
    LEDs cannot be connected directly to logic circuits, as they would draw too
    much power from the signal source. For reasons of cost, however, the very same
    high-speed gates (usually TTL or CMOS inverters) typically used to construct logic
    circuits are also employed to power the LEDs [Lancaster 1980]. The result is a direct
    path allowing information to flow from the serial data channel to the optical output
    of the LED. Because the monitoring circuit was not designed for the purpose, the
    resulting optical signal may exhibit noise or other degradation, but LEDs and their
    associated driver circuitry are generally more than fast enough to reproduce a serial
    data signal at normal data rates.
    3.2.1 Characteristics of the Optical Signal. NRZ–L signals are susceptible to
    noise, which is why other signaling methods, such as di®erential Manchester encoding,
    are most often used in long-distance digital communication systems. To
    overcome the noise sensitivity of NRZ–L, additional redundancy is often introduced
    into the communication channel in the form of channel encoding [Proakis and Salehi
    1994]. Parity checks, cyclic redundancy checking (CRC), and other error detection
    and correction methods may be used to increase the reliability of the system. But
    it should be noted that these features are also available to an eavesdropper, who
    may use them to overcome the e®ects of a poor optical signal.
    As optical communication systems go, it must be recognized that LED status
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    6 ¢ J. Loughry and D. A. Umphress
    Table I. Proposed classification system for optical emanations.
    Type Correlated to Associated Risk Level
    Class I State of the device Low
    Class II Activity level of the device Medium
    Class III Content (data) High
    displays are highly sub-optimal. There are no beam-forming optics on the transmitting
    LED. The radiant flux available is extremely limited. Bu®er circuits used
    to drive LED indicators, while more than fast enough for their intended purpose,
    are not optimized for high-speed data transmission in the way that special-purpose
    circuits used in fiber optic transmitters are. Practical optical data communication
    systems use laser transmitters, sophisticated encoding schemes, and coherent detectors
    that greatly improve signal recovery under noisy conditions [Gagliardi 1995].
    Our hypothetical eavesdropper would likely have to deal with o®-axis aiming errors,
    high levels of optical background noise from artificial lighting, and lack of a priori
    knowledge of the specific bit rate and word length used by the target. Nevertheless,
    our experiments show that with a sensitive detector and telescopic optics, it is possible
    for an eavesdropper to recover a noisy analog waveform closely approximating
    the original digital data stream. Once the received optical signal has been ampli-
    fied, cleaned of noise, and fed to a USART (Universal Synchronous-Asynchronous
    Receiver-Transmitter)—an inexpensive chip which serves as a ready-made solution
    to the problem of decoding a noisy signal—the original data stream is easily recovered.
    3.2.2 Insensitivity to the Modulation Scheme Employed. High-speed modems
    employ a variety of complicated modulation schemes, including frequency, amplitude,
    and phase modulation to maximize available bandwidth on voice-grade
    telephone lines. But this makes no di®erence—it is the relatively simple NRZ–L
    waveform of the EIA/TIA-232-E data signal that is modulated onto the LED.
    3.2.3 Nonsusceptibility of Other Light Sources. Questions remain as to the susceptibility
    of non-LED sources to interception of compromising optical emanations.
    Liquid crystal (LCD) displays, in particular, exhibit a relatively slow impulse response,
    typically on the order of tens of milliseconds, making these displays relatively
    poor sources of compromising optical emanations, except at fairly low data
    rates. Cathode ray tube (CRT) displays, however, at the pixel level, are very fast,
    and are apparently showing signs of vulnerability2.
    3.3 Classification of Optical Emanations
    It is useful to consider a division of optical emanations into three broad classes
    according to the amount of information potentially carried to an adversary. The
    proposed taxonomy is shown in Table I. In the list that follows, LED indicators
    that exhibit Class n behavior are called Class n indicators.
    The classifications are:
    2The authors have been informed that this is an area of current research.
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    Information Leakage from Optical Emanations ¢ 7
    —Class I indicators, which are unmodulated. The optical emanations put out
    by this type of display are constant, and correlated with the state of a device
    or communication channel. Class I indicators communicate at most one bit of
    information to an observer. An example would be a power-on indicator.
    —Class II indicators are time-modulated, and correlated with the activity level
    of a device or communication channel. Class II indicators provide an adversary
    with considerably more information than Class I indicators do. On face value,
    while the content of the data being processed by a device is not known, the fact
    that something is being transmitted, and a rough idea of where and how much,
    together make possible tra±c analysis of interesting targets. Examples of Class II
    indicators include the Work Station Active light on an IBM 5394 Control Unit,
    activity indicators on Ethernet interfaces, and the front-panel lights of a Cisco
    router. It is important to note that by a®ecting the activity level of a device, and
    hence modulating the output of a Class II indicator, it is possible for an attacker
    to implement a covert timing channel.
    —Class III optical emanations are modulated optical signals that are strongly correlated
    with the content of data being transmitted or received. If the correlation
    is su±ciently good, then from analysis of Class III optical emanations it is possible
    to recover the original data stream. Examples of Class III emanations are
    surprisingly common; the “Transmitted Data” and “Received Data” indicators
    on modems are usually Class III.
    Devices having at least one Class II indicator, but no Class III indicators, are
    called Class II devices; any device having at least one Class III indicator is a Class III
    device. Class III devices are the most interesting.
    Note that in both the Class I and Class II cases, the adversary gets no more
    information than the operator does; the indicator is being used in the manner for
    which it was intended, except that the eavesdropper is unauthorized, and reading
    the information at a distance.
    Class III devices may arise when the designer of a device inadvertently specified
    a Class III indicator where a Class II indicator was needed. It is not clear whether
    there is any situation in which a Class III indicator would be warranted, except in
    the case of an extremely low-speed communication channel, where individual bit
    transitions could be observed by eye and decoded. In most cases the activity of a
    data communication channel occurs too fast for the human eye to follow. In the
    real world, an oscilloscope is a much more useful tool than a Class III indicator.
    Potentially dangerous Class III indicators can be converted to the safer and more
    useful Class II type by the addition of a pulse stretching circuit, as described in
    Section 6 on Countermeasures below.
    4. EAVESDROPPING EXPERIMENTS
    Three series of experiments were run. First, a survey was made of a large number
    of devices, looking for evidence of Class III behavior. Then, long-range testing was
    done on a selection of devices, to prove the feasibility of interception under realistic
    conditions. Finally, examination was made of the internals of several devices, in an
    attempt to understand why these emanations occur.
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    8 ¢ J. Loughry and D. A. Umphress
    4.1 Hypothesis
    The null hypothesis was stated as follows: “It is not possible to recover data from
    optical emanations.” The null hypothesis was disproved by experiment.
    4.2 Experimental Design and Methodology
    A total of 39 devices containing 164 unique LED indicators were identified for this
    study. The devices selected for testing were chosen to represent a wide variety of
    information processing technology, including low-speed and high-speed communication
    devices, local-area network (LAN) and wide-area network (WAN) devices,
    PC and mainframe computers, mass storage devices, and peripherals.
    Prior to commencement of measurements, radiometric readings were taken on
    an optical bench of a standard red LED driven by a square wave signal. These
    measurements were used to establish a baseline. Following this step, each of the
    164 LED indicators identified in the survey was examined for evidence of Class III
    behavior.
    Measurements were made of individual LED indicators by placing a hooded detector
    in contact with each LED. A dual-trace oscilloscope was used to observe the
    signal from the detector. To visualize the corresponding data stream, a breakout
    box was inserted into the data path, with the original data displayed alongside the
    optical signal from the detector.
    The detector used was a high-speed, large-area silicon PIN (Positive–Intrinsic–
    Negative) photodiode with an active area of 1 mm2. The responsivity of this detector
    is 0.45 A/W at a nominal wavelength of 830 nm, with a spectral response of 350–
    1100 nm. The photocurrent from the detector was amplified by a transimpedance
    photodiode amplifier operated in zero-bias mode. Signals were observed with a
    200 MHz digital oscilloscope, and captured for later analysis.
    The bandwidth of the photodiode amplifier is inversely proportional to its gain
    setting; at a gain factor of 107 V/A, the bandwidth of the detector–amplifier system
    is only 10 KHz. Therefore, for most measurements, the amplifier was operated at
    a gain setting of 104 V/A, yielding an overall detector–amplifier system bandwidth
    of 45 KHz, which was marginal, but adequate. For higher-speed measurements,
    the photodiode was connected directly to the input amplifier of the oscilloscope
    and operated in the quadrant IV (photovoltaic) region. Limited sensitivity in this
    configuration is what necessitated placing the detector directly in contact with the
    LED. However, the greatly increased bandwidth of the detector–amplifier system in
    this configuration allowed for examination of very high speed devices for evidence
    of signals in the MHz range.
    4.2.1 Long-Range Testing. Long-range optical eavesdropping experiments were
    conducted with a small number of representative devices. The ANP Model 100
    short-haul modem, Hayes Smartmodem OPTIMA 9600 and 14400, and a Practical
    Peripherals PM14400FXMT fax modem were all examined.
    The same photodetector and amplifier system described in the previous section
    was used. The detector was mounted at the focus of an optical system consisting of
    a 100 mm diameter, f=2:5 converging lens, an aperture stop, and a 650 nm optical
    bandpass filter, chosen to match the spectral output of a standard visible red LED
    [Agilent Technologies 1999].
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    Information Leakage from Optical Emanations ¢ 9
    The device under test was placed a measured distance away, and connected to an
    identical unit at the test station through a length of unshielded twisted pair cable.
    The image from a single LED on the device under test was adjusted to completely
    cover the detector’s active area. Test transmissions were made to each device, and
    the EIA/TIA-232-E waveform and resulting optical signals captured for analysis.
    4.2.2 Experimental Methodology. Three independent variables and one dependent
    variable were identified. The independent variables were: (1) the separation
    distance between the detector and the device under test, (2) the data transmission
    rate, and (3) ambient lighting conditions on the test range. The dependent variable
    was the correlation between the received optical signal and the original EIA/TIA-
    232-E waveform captured at the same time. The independent variables were varied
    according to a formal test matrix. Separation distance was varied from 5 m to 38 m
    (the maximum dimension of the laboratory) in increments of 5 m during the test.
    At each measured distance, test transmissions were made at data rates of 300, 600,
    1200, 2400, 4800, 9600, and 19 200 bits/s.
    For simplicity, symbols in the optical signal were detected by observing the signal’s
    amplitude at one-half of the unit interval after the NRZ–L transition. Because
    this was a proof-of-concept experiment, actual bit-error rates were not measured.
    The optical waveform from the detector amplifier was compared to the original
    EIA/TIA-232-E signal waveform obtained from a breakout box inserted in the
    data path between the data generator and the device under test. After each series
    of measurements over the full range of distances, the ambient lighting conditions
    on the test range were changed. Lighting conditions tested included daylight of-
    fice conditions (i.e., sunlight coming through windows, plus artificial light), normal
    fluorescent o±ce lighting, nighttime o±ce lighting (scattered fluorescent lights plus
    some light entering through windows from the streetlights outside), and a darkened,
    windowless conference room. An optical bandpass filter was used in some tests in
    an attempt to reduce the level of background radiation and determine if detector
    overload was an important factor. All tests were conducted indoors.
    4.3 Experimental Results
    Results of the survey of devices are shown in Table II. Of 39 devices tested, 14
    showed evidence of Class III optical emanations at the tested bit rate.
    4.3.1 Results of the Survey of Devices. Dial-up and leased-line modems were
    found to faithfully broadcast data transmitted and received by the device. Only one
    device of this type did not exhibit Class III emanations: the Practical Peripherals
    PM14400FXMT fax modem. The shortest pulse duration measured from this device
    was 20 ms, even at high data rates.
    None of the LAN interface cards tested, including 10 Mbits/s Ethernet and 16
    Mbits/s Token Ring adapters, were found to broadcast any recognizable data. Examination
    of the data sheet for a chipset used in fiber optic Ethernet devices reveals
    a possible reason for this finding. According to [Hewlett–Packard Company 1993a],
    LED drivers for transmit, receive, and collision indicators are filtered through
    pulse stretching circuits to make their activity more visible. The pulse stretcher
    extends the on-time of LED indicators to a minimum of several milliseconds.

    Time (ms)
    Fig. 4. Degradation of the optical signal with increasing distance from the target Data rate was
    Digital signal processing techniques can help. By using a low-pass filter to isolate
    the 120 Hz component of the received optical signal, low-frequency noise can be
    isolated and subtracted from the optical signal, yielding a new signal without the
    120 Hz component. Results of experiments in this area were very encouraging.
    Experiments using analog electronic filters were also encouraging.
    The limiting factors in long-range interception seem to be the optics and the
    detector–amplifier system. Both a larger aperture and a narrower field of view are
    required. It is believed that, out to a range of at least several hundred meters, the
    optical flux available from a single LED is well within the capability of our detector.
    The response time of a typical LED suggests a practical upper limit on the order
    of 10 Mbits/s. Clearly, however, interception of data at longer ranges and higher
    speeds is feasible.
    6. COUNTERMEASURES
    A contributing factor to the threat of optical interception is a historical tendency to
    locate computers and data communication equipment in environmentally controlled
    “glass houses” which provide no barrier to the escape of optical radiation. Clearly
    this must now be considered a threat.
    Examination of lighted windows of high-rise o±ce buildings in the evening hours
    reveals a rich variety of equipment racks with LED indicators in view. Line-of-sight
    access is surprisingly easy to find. Fortunately, optical emanations are easier to
    contain than RF; opaque materials will shield the radiation e®ectively.
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    Information Leakage from Optical Emanations ¢ 15
    Black tape over the LEDs is e®ective, but inelegant. The best solution to the
    problem is a design change. Status displays could be designed to be deactivated
    when not in use (e®ectively making them Class I), or alternative display technologies
    could be employed, such as LCD and displays, which can be made inherently Class II
    due to their relatively slow impulse response. But many of these other technologies
    (such as CRT displays) are more expensive. LEDs are fast, cheap, and relatively
    low power indicators that can be read from across a room (a significant weakness
    of liquid crystal displays). It is preferable to retain these desirable properties.
    A better solution is presented in Figure 7. The key here is a violation of the
    worst-case jitter tolerance of the serial data communication transmission scheme
    in use [Telecommunications Industry Association 1996]. If the minimum on-time
    of an LED indicator is greater than 1.5 times the unit interval of the current data
    rate3, then an attacker will be unable to recover su±cient information to decode
    the signal. The e®ect is to convert a Class III indicator to Class II. The resulting
    low-pass filter removes a su±cient amount of information from the optical signal
    that an attacker cannot recover the original data from the emanations. The LED
    will flicker in response to a random data signal, and hence will still be useful as a
    Class II activity indicator, but the risk of significant information leakage is reduced.
    More conservatively, the minimum on-time of the LED could be made to be at
    least twice the unit interval; even more conservatively, the minimum o®-time could
    be similarly controlled as well. Most conservatively of all, the minimum on-time
    of the LED should be made to equal the nominal character interval of the current
    data rate, or of the slowest data rate expected. This will guarantee that an attacker
    cannot derive any information from the optical signal other than that a symbol was
    transmitted.
    7. SUMMARY AND CONCLUSIONS
    Modulated optical radiation from LED status indicators appears to be a previously
    unrecognized source of compromising emanations. This vulnerability is exploitable
    at a considerable distance. Primarily, data communication equipment is a®ected,
    although data encryption devices also pose a high risk of information leakage, potentially
    leading to loss of plaintext and encryption keys.
    A taxonomy of optical emanations was developed according to the amount of
    “useful” information available to an attacker. Experiments showed that Class III
    optical emanations, which should never be permitted, were present in 36% of devices
    3or alternatively, the slowest data rate expected
    ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
    16 ¢ J. Loughry and D. A. Umphress
    tested, and data could be read from these devices at a distance of at least 20 m.
    Countermeasures are possible that will convert a vulnerable Class III indicator into
    the safer (but still useful) Class II variety, by means of inserting a pulse stretcher
    into the LED driver circuitry.
    7.1 Conclusions
    Theft of information by interception of optical emanations is necessarily limited
    to one-way—the intruder can only receive information. However, login IDs and
    reusable passwords obtained in this fashion could be used to support a conventional
    attack. As mentioned before, parity checking, CRC values, and other error
    detection and correction features embedded in the data stream are available to the
    eavesdropper too, and can be of great benefit in helping to overcome the e®ects of
    a low-quality optical signal.
    Ironically, it may be the simplest devices—low-speed, obsolete, insignificant parts
    of a network—that provide a gateway for intruders. In our experiments, it was lowspeed
    modems, routers, line drivers, data loggers, and a printer sharing device
    that were found to be the most enthusiastic broadcasters of data. Class III optical
    emanations have been observed in the wild from devices as diverse as TTY-equipped
    payphones in airports and the digital control box of a player piano. Like the
    Purloined Letter, they hide in plain sight: a tangle of remote o±ce connections
    in the corner, a modem sitting next to a PC by the window, or a call-accounting
    system on the PBX.
    My only fear in death is comming back reincarnated.

    \"Would I ever sh*t you?\"
    \"Of course not you are my favorite turd.\"--E5C4P3

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    376
    Thanks, this was a cool article, though I think you are only allowed to quote it, not totaly reproduce it (which I think you did)....just one of those copyrights things....damn lawyers...
    - Jimmy Mac

    Replicants are like any technology, if there not a hazard, its not my problem....

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Nice find. I wonder how practical this would be though.....
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Member
    Join Date
    Feb 2002
    Posts
    84
    sorry about that I will remember that in the future.
    I just wanted to get everything.
    If u would like i will shorten it.
    My only fear in death is comming back reincarnated.

    \"Would I ever sh*t you?\"
    \"Of course not you are my favorite turd.\"--E5C4P3

  5. #5
    Member
    Join Date
    Feb 2002
    Posts
    84
    as far as the practical use mabey u could look on the back of ur pc for a bug sitten over your nic or your routers led.
    I wouldnt doubt some kind of tech is available to utilize this I have seen wierder stuff.
    what if the led emitts a sertain wavelegnth of light or interference that could be intercepted from a remote area.
    also people had to have known about this for a while, i mean come on why would u design something that way and not know about it. think about this and let ur mind wander.
    My only fear in death is comming back reincarnated.

    \"Would I ever sh*t you?\"
    \"Of course not you are my favorite turd.\"--E5C4P3

  6. #6
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    I downloaded the PDF when I saw it from Slashdot... Apparently LAN devices aren't at risk, it's mainly (but not entirely) 56k-and-below modems. I have a DSL modem here, but I highly doubt it is also at risk, given that it is a multi-state LED (red, amber, green) and when it does flash, it's usually not because of information flowing, but rather the status of the modem in regards to training the DSL link.

    At any rate, it's another interesting thing to think about when you make your little cave-of-paranoid-solitude, eh?
    [HvC]Terr: L33T Technical Proficiency

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •