source:http://applied-math.org/optical_tempest.pdf
Now this article is very extensive and lengthy,
just to warn you.
I have cut the article and there is a lot of tech jargon missing, but feel free to hit the link.

Information Leakage from Optical Emanations
JOE LOUGHRY
Lockheed Martin Space Systems
and
DAVID A. UMPHRESS
Auburn University
A previously unknown form of compromising emanations has been discovered. LED status
indicators on data communication equipment, under certain conditions, are shown to carry a
modulated optical signal that is significantly correlated with information being processed by the
device. Physical access is not required; the attacker gains access to all data going through the
device, including plaintext in the case of data encryption systems. Experiments show that it is
possible to intercept data under realistic conditions at a considerable distance. Many different
sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable.
A taxonomy of compromising optical emanations is developed, and design changes are described
that will successfully block this kind of “Optical Tempest” attack.
Categories and Subject Descriptors: C.2.0 [Computer Systems Organization]: COMPUTER-COMMUNICATION
NETWORKS—General, Security and protection (e.g., firewalls); D.4.6
[Software]: OPERATING SYSTEMS—Security and Protection, Invasive software (e.g., viruses,
worms, Trojan horses); E.3 [Data]: DATA ENCRYPTION—Code breaking; K.6.5 [Computing
Milieux]: MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS—Security and
Protection, Unauthorized Access (e.g., hacking, phreaking)
General Terms: Compromising emanations, Emissions security, Experimentation
Additional Key Words and Phrases: Information displays, light emitting diode, LED, fiber optics,
encryption, compromising emanations, covert channel, communication, COMINT, COMSEC,
EMSEC, SIGINT, TEMPEST
1. INTRODUCTION
Can optical radiation emitted from computer LED (light emitting diode) status
indicators compromise information security? Data communication equipment, and
even data encryption devices, sometimes emit modulated optical signals that carry
enough information for an eavesdropper to reproduce the entire data stream being
processed by a device. It requires little apparatus, can be done at a considerable
distance, and is completely undetectable. In effect, LED indicators act as little
free-space optical data transmitters, like fiber optics but without the fiber.

Much of this work was done while the first author was a graduate student in the Department of

Experiments conducted on a wide variety of devices show evidence of exploitable
compromising emanations in 36% of devices tested. With inexpensive apparatus,
we show it is possible to intercept and read data under realistic conditions from at
least across the street. In Figure 1, the lower trace shows the ±15 V EIA/TIA-232-E
waveform of a serial data signal at 9600 b/s. The upper trace shows modulated
optical radiation intercepted 5 m from the device. A high correlation is evident.
We have successfully recovered error-free data at speeds up to 56 kb/s; the physical
principles involved ought to continue to work up to about 10 Mbits/s. Protecting
against the threat is relatively straightforward, but may require design changes to
vulnerable equipment.

1.1 Paper Organization
The first part of this paper reviews the idea of compromising emanations, and
gives an overview of what information is to be found in the literature. Next comes
a technical explanation of why compromising optical emanations exist, together
with some of their properties. A series of experiments is then described, along
with results that were found. Finally, some possible countermeasures are discussed,
along with directions for future work. Related work on active attacks using optical
emanations is presented in the appendices.
2. EMSEC, TEMPEST, AND COMPROMISING EMANATIONS
Compromising Emanations [National Computer Security Center
1988]: “Unintentional data-related or intelligence-bearing signals that,
if intercepted and analyzed, disclose the information transmi[tted], received,
handled, or otherwise processed by any information processing
equipment. See TEMPEST.”
ACM Transactions on Information and System Security, Vol. ?, No. ?, Month Year.
Thorough discussion of compromising emanations and EMSEC (emissions security)
in the open literature is limited. The information that is available tends to
exhibit a strong bias toward radio frequency (RF) emanations from computers and
video displays. Because of the high cost of equipment and the difficulty of intercepting
and exploiting RF emanations, reports of successful attacks against emanations
have been limited primarily to high-value sources of information such as military
targets and cryptologic systems. A significant problem is that much important
information on compromising emanations is classified [Russell and Gangemi 1991],
although some documents have recently been declassified [National Security Agency
1992; 1995; 1994].
2.1 Related Work
The ability to compromise signals emanating from computers has been known for
some time. For instance, Smulders [1990] found RF emanations in unshielded or
poorly shielded serial cables, and van Eck [1985] showed that cathode-ray tube
video displays can be read at a distance by intercepting and analyzing their RF
emanations. Others have noted RF compromise, including more contemporary research
showing ways to hide information in signals emitted by video devices as
well as specialized fonts that minimize compromising RF emanations [Kuhn and
Anderson 1998]. Wright [1987] described, anecdotally, the discovery of electrically
conducted compromising emanations from cipher machines as early as 1960. For
an excellent overview of the current state of emanations security research, the interested
reader is referred to the book by Anderson [2001] and a related paper by
Kuhn and Anderson [1998].
Very little mention of signals in the optical spectrum was found in the literature.
Related topics include security of fiber optics [Hodara 1991; EXFO Electro-Optical
Engineering, Inc. 1999] and optical communications [Wilkins 1641]. Social engineering
attacks such as “shoulder surfing” and visual surveillance of video displays
are well covered in [Fites and Kratz 1993]. Free-space optical data links are prone
to interception, and for this reason wireless data links (both laser and RF) are
typically encrypted [Lathrop 1992]. But with the exception of a work of fiction, in
which one character uses the LEDs on a computer keyboard[1] to send information
in Morse code [Stephenson 1999], and inferences from redacted sections of partially
declassified documents [National Security Agency 1992], a thorough search of the
literature revealed no direct mention of the risk of interception of data from optical
emanations of LED status indicators.
3. COMPROMISING OPTICAL EMANATIONS
“The [IBM] 360 had walls of lights; in fact, the Model 75 had so many
that the early serial number machines would blow the console power supply
if the ‘Lamp Test’ button was pressed.” [Morris 1996]
3.1 Light-Emitting Diodes
Light-emitting diodes are cheap, reliable, bright, and ubiquitous. They are used in
nearly every kind of electronics, anywhere a bright, easy-to-see indicator is needed.
[1] See also Appendix A.
Fig. 2. EIA/TIA-232-E serial data waveform and typical LED response.
They are especially common in data communication equipment. Every year, some
20–30 billion LEDs are sold [Perry 1995].
LEDs are very fast; that is, they exhibit a quick response to changes in the applied
drive voltage (tens of nanoseconds). In fact, common visible LEDs are fast enough
that a close cousin is used as a transmitter in fiber optic data links at speeds in
excess of 100 Mbits/s [Hewlett–Packard Company 1993b].
Although fast response time is oftentimes a desirable quality in a display, LEDs
are fast enough to follow the individual bit transitions of a serial data transmission.
Herein lies the problem: if certain LED indicators are visible to an attacker, even
from a long distance away, it becomes possible for that person to read all of the
data going through the device.
One of the advantages of LED displays is that they can be read from across a
room. The disadvantage may be that they can be read from across the street.
3.2 Rationale for the Existence of Compromising Optical Emanations
The brightness of LED displays would not be a problem if it were not for the
way they interact with serial data transmissions. Consider the idealized EIA/TIA-
232-E waveform and associated LED response curve depicted in Figure 2. The
upper waveform shows the EIA/TIA-232-E serial data signal; the lower waveform
illustrates the optical output of an LED indicator monitoring that signal. As long
as the rise time of the LED is less than 1/2 of the unit interval t_UI, the LED will
accurately enough mirror the EIA/TIA-232-E data signal at the critical points
shown by the small circles in the diagram to enable recovery of the original data.
The EIA/TIA-232-E standard (formerly known as RS-232) defines a bit-serial format
using bipolar encoding and non-return-to-zero–level (NRZ–L) signaling [Electronic
Industries Association, Engineering Department 1991]. As illustrated in
Figure 3, bits are transmitted asynchronously, with framing bits embedded in the
serial data stream for synchronization between sender and receiver. During periods
when no data are being transmitted, the transmitter remains in the logical
“1” state. The start of a new symbol is indicated by a momentary excursion to
the logical “0” state for one unit interval, called the start bit. This is followed by
a serial waveform consisting of a mutually agreed-upon number of data bits, sent
least significant bit first. Following the last data bit, the transmitter returns to the
logical “1” state for at least one unit interval, called the stop bit, in order to provide
necessary contrast for the receiver to recognize the beginning of the next start bit.
(Another way of looking at this is that the channel is required to return to the idle
state for at least one unit interval between characters.)
Fig. 3. EIA/TIA-232-E serial data waveform and maximum jitter tolerance from TIA/EIA-404-B.
EIA/TIA-232-E uses bipolar encoding, with a negative voltage signifying logical
“1” and a positive voltage used for logical “0” [Black 1996]. Usually, LEDs are
wired to light up for a logical “0” so that they flicker when bits are transmitted,
and remain dark when the channel is idle. The fact that the original signal is
bipolar is immaterial. As long as the LED is fast enough to faithfully reproduce
the timing of bit transitions, the optical output will contain all of the information
in the original EIA/TIA-232-E signal.
LEDs cannot be connected directly to logic circuits, as they would draw too
much power from the signal source. For reasons of cost, however, the very same
high-speed gates (usually TTL or CMOS inverters) typically used to construct logic
circuits are also employed to power the LEDs [Lancaster 1980]. The result is a direct
path allowing information to flow from the serial data channel to the optical output
of the LED. Because the monitoring circuit was not designed for the purpose, the
resulting optical signal may exhibit noise or other degradation, but LEDs and their
associated driver circuitry are generally more than fast enough to reproduce a serial
data signal at normal data rates.
3.2.1 Characteristics of the Optical Signal. NRZ–L signals are susceptible to
noise, which is why other signaling methods, such as differential Manchester encoding,
are most often used in long-distance digital communication systems. To
overcome the noise sensitivity of NRZ–L, additional redundancy is often introduced
into the communication channel in the form of channel encoding [Proakis and Salehi
1994]. Parity checks, cyclic redundancy checking (CRC), and other error detection
and correction methods may be used to increase the reliability of the system. But
it should be noted that these features are also available to an eavesdropper, who
may use them to overcome the effects of a poor optical signal.
Table I. Proposed classification system for optical emanations.
Type        Correlated to                   Associated Risk Level
Class I     State of the device             Low
Class II    Activity level of the device    Medium
Class III   Content (data)                  High

As optical communication systems go, it must be recognized that LED status
displays are highly sub-optimal. There are no beam-forming optics on the transmitting
LED. The radiant flux available is extremely limited. Buffer circuits used
to drive LED indicators, while more than fast enough for their intended purpose,
are not optimized for high-speed data transmission in the way that special-purpose
circuits used in fiber optic transmitters are. Practical optical data communication
systems use laser transmitters, sophisticated encoding schemes, and coherent detectors
that greatly improve signal recovery under noisy conditions [Gagliardi 1995].
Our hypothetical eavesdropper would likely have to deal with off-axis aiming errors,
high levels of optical background noise from artificial lighting, and lack of a priori
knowledge of the specific bit rate and word length used by the target. Nevertheless,
our experiments show that with a sensitive detector and telescopic optics, it is possible
for an eavesdropper to recover a noisy analog waveform closely approximating
the original digital data stream. Once the received optical signal has been amplified,
cleaned of noise, and fed to a USART (Universal Synchronous-Asynchronous
Receiver-Transmitter)—an inexpensive chip which serves as a ready-made solution
to the problem of decoding a noisy signal—the original data stream is easily recovered.
3.2.2 Insensitivity to the Modulation Scheme Employed. High-speed modems
employ a variety of complicated modulation schemes, including frequency, amplitude,
and phase modulation to maximize available bandwidth on voice-grade
telephone lines. But this makes no difference—it is the relatively simple NRZ–L
waveform of the EIA/TIA-232-E data signal that is modulated onto the LED.
3.2.3 Nonsusceptibility of Other Light Sources. Questions remain as to the susceptibility
of non-LED sources to interception of compromising optical emanations.
Liquid crystal (LCD) displays, in particular, exhibit a relatively slow impulse response,
typically on the order of tens of milliseconds, making these displays relatively
poor sources of compromising optical emanations, except at fairly low data
rates. Cathode ray tube (CRT) displays, however, at the pixel level, are very fast,
and are apparently showing signs of vulnerability[2].
[2] The authors have been informed that this is an area of current research.
3.3 Classification of Optical Emanations
It is useful to consider a division of optical emanations into three broad classes
according to the amount of information potentially carried to an adversary. The
proposed taxonomy is shown in Table I. In the list that follows, LED indicators
that exhibit Class n behavior are called Class n indicators.
The classifications are:
—Class I indicators, which are unmodulated. The optical emanations put out
by this type of display are constant, and correlated with the state of a device
or communication channel. Class I indicators communicate at most one bit of
information to an observer. An example would be a power-on indicator.
—Class II indicators are time-modulated, and correlated with the activity level
of a device or communication channel. Class II indicators provide an adversary
with considerably more information than Class I indicators do. On face value,
while the content of the data being processed by a device is not known, the fact
that something is being transmitted, and a rough idea of where and how much,
together make possible traffic analysis of interesting targets. Examples of Class II
indicators include the Work Station Active light on an IBM 5394 Control Unit,
activity indicators on Ethernet interfaces, and the front-panel lights of a Cisco
router. It is important to note that by affecting the activity level of a device, and
hence modulating the output of a Class II indicator, it is possible for an attacker
to implement a covert timing channel.
—Class III optical emanations are modulated optical signals that are strongly correlated
with the content of data being transmitted or received. If the correlation
is sufficiently good, then from analysis of Class III optical emanations it is possible
to recover the original data stream. Examples of Class III emanations are
surprisingly common; the “Transmitted Data” and “Received Data” indicators
on modems are usually Class III.
Devices having at least one Class II indicator, but no Class III indicators, are
called Class II devices; any device having at least one Class III indicator is a Class III
device. Class III devices are the most interesting.
Note that in both the Class I and Class II cases, the adversary gets no more
information than the operator does; the indicator is being used in the manner for
which it was intended, except that the eavesdropper is unauthorized, and reading
the information at a distance.
Class III devices may arise when the designer of a device inadvertently specified
a Class III indicator where a Class II indicator was needed. It is not clear whether
there is any situation in which a Class III indicator would be warranted, except in
the case of an extremely low-speed communication channel, where individual bit
transitions could be observed by eye and decoded. In most cases the activity of a
data communication channel occurs too fast for the human eye to follow. In the
real world, an oscilloscope is a much more useful tool than a Class III indicator.
Potentially dangerous Class III indicators can be converted to the safer and more
useful Class II type by the addition of a pulse stretching circuit, as described in
Section 6 on Countermeasures below.
4. EAVESDROPPING EXPERIMENTS
Three series of experiments were run. First, a survey was made of a large number
of devices, looking for evidence of Class III behavior. Then, long-range testing was
done on a selection of devices, to prove the feasibility of interception under realistic
conditions. Finally, examination was made of the internals of several devices, in an
attempt to understand why these emanations occur.
4.1 Hypothesis
The null hypothesis was stated as follows: “It is not possible to recover data from
optical emanations.” The null hypothesis was disproved by experiment.
4.2 Experimental Design and Methodology
A total of 39 devices containing 164 unique LED indicators were identified for this
study. The devices selected for testing were chosen to represent a wide variety of
information processing technology, including low-speed and high-speed communication
devices, local-area network (LAN) and wide-area network (WAN) devices,
PC and mainframe computers, mass storage devices, and peripherals.
Prior to commencement of measurements, radiometric readings were taken on
an optical bench of a standard red LED driven by a square wave signal. These
measurements were used to establish a baseline. Following this step, each of the
164 LED indicators identified in the survey was examined for evidence of Class III
behavior.
Measurements were made of individual LED indicators by placing a hooded detector
in contact with each LED. A dual-trace oscilloscope was used to observe the
signal from the detector. To visualize the corresponding data stream, a breakout
box was inserted into the data path, with the original data displayed alongside the
optical signal from the detector.
The detector used was a high-speed, large-area silicon PIN (Positive–Intrinsic–
Negative) photodiode with an active area of 1 mm^2. The responsivity of this detector
is 0.45 A/W at a nominal wavelength of 830 nm, with a spectral response of 350–
1100 nm. The photocurrent from the detector was amplified by a transimpedance
photodiode amplifier operated in zero-bias mode. Signals were observed with a
200 MHz digital oscilloscope, and captured for later analysis.
The bandwidth of the photodiode amplifier is inversely proportional to its gain
setting; at a gain factor of 10^7 V/A, the bandwidth of the detector–amplifier system
is only 10 KHz. Therefore, for most measurements, the amplifier was operated at
a gain setting of 10^4 V/A, yielding an overall detector–amplifier system bandwidth
of 45 KHz, which was marginal, but adequate. For higher-speed measurements,
the photodiode was connected directly to the input amplifier of the oscilloscope
and operated in the quadrant IV (photovoltaic) region. Limited sensitivity in this
configuration is what necessitated placing the detector directly in contact with the
LED. However, the greatly increased bandwidth of the detector–amplifier system in
this configuration allowed for examination of very high speed devices for evidence
of signals in the MHz range.
4.2.1 Long-Range Testing. Long-range optical eavesdropping experiments were
conducted with a small number of representative devices. The ANP Model 100
short-haul modem, Hayes Smartmodem OPTIMA 9600 and 14400, and a Practical
Peripherals PM14400FXMT fax modem were all examined.
The same photodetector and amplifier system described in the previous section
was used. The detector was mounted at the focus of an optical system consisting of
a 100 mm diameter, f/2.5 converging lens, an aperture stop, and a 650 nm optical
bandpass filter, chosen to match the spectral output of a standard visible red LED
[Agilent Technologies 1999].
The device under test was placed a measured distance away, and connected to an
identical unit at the test station through a length of unshielded twisted pair cable.
The image from a single LED on the device under test was adjusted to completely
cover the detector’s active area. Test transmissions were made to each device, and
the EIA/TIA-232-E waveform and resulting optical signals captured for analysis.
4.2.2 Experimental Methodology. Three independent variables and one dependent
variable were identified. The independent variables were: (1) the separation
distance between the detector and the device under test, (2) the data transmission
rate, and (3) ambient lighting conditions on the test range. The dependent variable
was the correlation between the received optical signal and the original EIA/TIA-
232-E waveform captured at the same time. The independent variables were varied
according to a formal test matrix. Separation distance was varied from 5 m to 38 m
(the maximum dimension of the laboratory) in increments of 5 m during the test.
At each measured distance, test transmissions were made at data rates of 300, 600,
1200, 2400, 4800, 9600, and 19 200 bits/s.
For simplicity, symbols in the optical signal were detected by observing the signal’s
amplitude at one-half of the unit interval after the NRZ–L transition. Because
this was a proof-of-concept experiment, actual bit-error rates were not measured.
The optical waveform from the detector amplifier was compared to the original
EIA/TIA-232-E signal waveform obtained from a breakout box inserted in the
data path between the data generator and the device under test. After each series
of measurements over the full range of distances, the ambient lighting conditions
on the test range were changed. Lighting conditions tested included daylight office
conditions (i.e., sunlight coming through windows, plus artificial light), normal
fluorescent office lighting, nighttime office lighting (scattered fluorescent lights plus
some light entering through windows from the streetlights outside), and a darkened,
windowless conference room. An optical bandpass filter was used in some tests in
an attempt to reduce the level of background radiation and determine if detector
overload was an important factor. All tests were conducted indoors.
4.3 Experimental Results
Results of the survey of devices are shown in Table II. Of 39 devices tested, 14
showed evidence of Class III optical emanations at the tested bit rate.
4.3.1 Results of the Survey of Devices. Dial-up and leased-line modems were
found to faithfully broadcast data transmitted and received by the device. Only one
device of this type did not exhibit Class III emanations: the Practical Peripherals
PM14400FXMT fax modem. The shortest pulse duration measured from this device
was 20 ms, even at high data rates.
None of the LAN interface cards tested, including 10 Mbits/s Ethernet and 16
Mbits/s Token Ring adapters, were found to broadcast any recognizable data. Examination
of the data sheet for a chipset used in fiber optic Ethernet devices reveals
a possible reason for this finding. According to [Hewlett–Packard Company 1993a],
LED drivers for transmit, receive, and collision indicators are filtered through
pulse stretching circuits to make their activity more visible. The pulse stretcher
extends the on-time of LED indicators to a minimum of several milliseconds.

Fig. 4. Degradation of the optical signal with increasing distance from the target (horizontal axis: time in ms). Data rate was
Digital signal processing techniques can help. By using a low-pass filter to isolate
the 120 Hz component of the received optical signal, low-frequency noise can be
isolated and subtracted from the optical signal, yielding a new signal without the
120 Hz component. Results of experiments in this area were very encouraging.
Experiments using analog electronic filters were also encouraging.
The limiting factors in long-range interception seem to be the optics and the
detector–amplifier system. Both a larger aperture and a narrower field of view are
required. It is believed that, out to a range of at least several hundred meters, the
optical flux available from a single LED is well within the capability of our detector.
The response time of a typical LED suggests a practical upper limit on the order
of 10 Mbits/s. Clearly, however, interception of data at longer ranges and higher
speeds is feasible.
6. COUNTERMEASURES
A contributing factor to the threat of optical interception is a historical tendency to
locate computers and data communication equipment in environmentally controlled
“glass houses” which provide no barrier to the escape of optical radiation. Clearly
this must now be considered a threat.
Examination of lighted windows of high-rise o±ce buildings in the evening hours
reveals a rich variety of equipment racks with LED indicators in view. Line-of-sight
access is surprisingly easy to find. Fortunately, optical emanations are easier to
contain than RF; opaque materials will shield the radiation effectively.
Black tape over the LEDs is effective, but inelegant. The best solution to the
problem is a design change. Status displays could be designed to be deactivated
when not in use (effectively making them Class I), or alternative display technologies
could be employed, such as LCD and displays, which can be made inherently Class II
due to their relatively slow impulse response. But many of these other technologies
(such as CRT displays) are more expensive. LEDs are fast, cheap, and relatively
low power indicators that can be read from across a room (a significant weakness
of liquid crystal displays). It is preferable to retain these desirable properties.
A better solution is presented in Figure 7. The key here is a violation of the
worst-case jitter tolerance of the serial data communication transmission scheme
in use [Telecommunications Industry Association 1996]. If the minimum on-time
of an LED indicator is greater than 1.5 times the unit interval of the current data
rate[3], then an attacker will be unable to recover sufficient information to decode
the signal. The effect is to convert a Class III indicator to Class II. The resulting
low-pass filter removes a sufficient amount of information from the optical signal
that an attacker cannot recover the original data from the emanations. The LED
will flicker in response to a random data signal, and hence will still be useful as a
Class II activity indicator, but the risk of significant information leakage is reduced.
More conservatively, the minimum on-time of the LED could be made to be at
least twice the unit interval; even more conservatively, the minimum off-time could
be similarly controlled as well. Most conservatively of all, the minimum on-time
of the LED should be made to equal the nominal character interval of the current
data rate, or of the slowest data rate expected. This will guarantee that an attacker
cannot derive any information from the optical signal other than that a symbol was
transmitted.
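
The effect of the minimum on-time rule can be checked in simulation. The following is an added example, not code from the paper: it models an LED wired to an 8N1 serial line, applies a retriggerable pulse stretcher, and counts how many bits and whole frames a mid-interval sampler with a perfect bit clock would still read correctly. The 8N1 framing, the sample rate, the sample message and all function names are assumptions made for the illustration.

```python
# Added example (not from the paper): an LED driven by an 8N1 serial line, with
# and without a retriggerable pulse stretcher. 8N1 framing, the simulation
# resolution and the sample message are assumptions made for the illustration.

SAMPLES_PER_UI = 16          # simulation resolution per unit interval (assumed)
FRAME_BITS = 10              # 1 start + 8 data + 1 stop bit (8N1, assumed)
IDLE_UI = 2                  # idle line before and after the message


def frame_8n1(data: bytes) -> list[int]:
    """Line bits: start bit 0, eight data bits least significant first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> k) & 1 for k in range(8))
        bits.append(1)
    return bits


def led_waveform(line_bits: list[int]) -> list[int]:
    """LED wired to light for logical 0 and stay dark while the line idles at 1."""
    padded = [1] * IDLE_UI + line_bits + [1] * IDLE_UI
    return [1 - bit for bit in padded for _ in range(SAMPLES_PER_UI)]


def pulse_stretch(led: list[int], min_on_ui: float) -> list[int]:
    """Hold the LED on for min_on_ui unit intervals after every turn-on edge."""
    hold = int(min_on_ui * SAMPLES_PER_UI)
    out, last_rise, prev = [], None, 0
    for i, level in enumerate(led):
        if level and not prev:
            last_rise = i                      # retrigger on each dark-to-lit edge
        prev = level
        held = last_rise is not None and i - last_rise < hold
        out.append(1 if level or held else 0)
    return out


def sampled_bits(data: bytes, min_on_ui: float) -> list[int]:
    """Bits an observer with a perfect bit clock reads at the middle of each interval."""
    led = pulse_stretch(led_waveform(frame_8n1(data)), min_on_ui)
    first = IDLE_UI * SAMPLES_PER_UI + SAMPLES_PER_UI // 2
    count = FRAME_BITS * len(data)
    return [1 - led[first + n * SAMPLES_PER_UI] for n in range(count)]


def leak_report(data: bytes, min_on_ui: float) -> dict:
    """Compare what the LED shows with what was sent, bit by bit and frame by frame."""
    sent, seen = frame_8n1(data), sampled_bits(data, min_on_ui)
    bit_errors = sum(s != r for s, r in zip(sent, seen))
    frames_intact = sum(
        sent[i:i + FRAME_BITS] == seen[i:i + FRAME_BITS]
        for i in range(0, len(sent), FRAME_BITS)
    )
    return {"bit_errors": bit_errors, "frames_intact": frames_intact,
            "frames_sent": len(data)}


def meets_min_on_time(min_on_seconds: float, bits_per_second: int,
                      factor_ui: float = 1.5) -> bool:
    """True if a measured minimum LED on-time exceeds factor_ui unit intervals."""
    return min_on_seconds * bits_per_second > factor_ui


if __name__ == "__main__":
    message = b"status=OK 0123456789\r\n"      # constructed sample traffic
    for stretch in (0.0, 1.0, 2.0, FRAME_BITS):
        print(f"min on-time {stretch:>4} UI ->", leak_report(message, stretch))
    # A 20 ms shortest pulse (the figure reported for the fax modem) checked
    # against data rates: the 1.5 UI rule, then the full-character (10 UI) rule.
    for rate in (300, 9600, 19200):
        print(rate, meets_min_on_time(0.020, rate),
              meets_min_on_time(0.020, rate, FRAME_BITS))
```

In this model a 2 UI hold already corrupts every frame that contains an isolated 0 bit, but frames made only of longer runs of zeros still read correctly; with the hold set to the full character interval no frame survives and the sampled bits are the same for any message of the same length.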
7. SUMMARY AND CONCLUSIONS
Modulated optical radiation from LED status indicators appears to be a previously
unrecognized source of compromising emanations. This vulnerability is exploitable
at a considerable distance. Primarily, data communication equipment is affected,
although data encryption devices also pose a high risk of information leakage, potentially
leading to loss of plaintext and encryption keys.
A taxonomy of optical emanations was developed according to the amount of
“useful” information available to an attacker. Experiments showed that Class III
optical emanations, which should never be permitted, were present in 36% of devices
tested, and data could be read from these devices at a distance of at least 20 m.
Countermeasures are possible that will convert a vulnerable Class III indicator into
the safer (but still useful) Class II variety, by means of inserting a pulse stretcher
into the LED driver circuitry.
[3] or alternatively, the slowest data rate expected
7.1 Conclusions
Theft of information by interception of optical emanations is necessarily limited
to one-way—the intruder can only receive information. However, login IDs and
reusable passwords obtained in this fashion could be used to support a conventional
attack. As mentioned before, parity checking, CRC values, and other error
detection and correction features embedded in the data stream are available to the
eavesdropper too, and can be of great benefit in helping to overcome the effects of
a low-quality optical signal.
Ironically, it may be the simplest devices—low-speed, obsolete, insignificant parts
of a network—that provide a gateway for intruders. In our experiments, it was low-speed
modems, routers, line drivers, data loggers, and a printer sharing device
that were found to be the most enthusiastic broadcasters of data. Class III optical
emanations have been observed in the wild from devices as diverse as TTY-equipped
payphones in airports and the digital control box of a player piano. Like the
Purloined Letter, they hide in plain sight: a tangle of remote office connections
in the corner, a modem sitting next to a PC by the window, or a call-accounting
system on the PBX.