
Thread: van Eck Phreaking

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024

    van Eck Phreaking

    Couldn't think of anywhere else better to post this, it's very much hardware related but then again not.

    I was wondering if anyone here had ever done any experimentation with this, or perhaps even built a working demo.

    Basically it is a technique where you use the EM field being generated by a CRT monitor and reorganize the EM "trash" into a very accurate copy of what is being displayed on the monitor. You can find a slightly more complicated definition on google.

    I was asking because I am doing my final project in my science class over this. My friend and I and a few other people (we have to have at least 4 in the group, though we will probably just get people who won't do anything) are going to (attempt to) set up a working model in the classroom. We also have to explain EVERYTHING about it... 180 minute presentation...

    So yeah, back to what this post is for: has anyone had any experience with this?

    I will be posting the full paper we will have to write and the ppt presentation when we are done. Probably won't be until around May. We haven't even been officially assigned the project yet so we are working pretty far ahead.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I hope you gonna post this ppt on AO when it's done!
    -Simon "SDK"

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Originally posted here by SDK
    I hope you gonna post this ppt on AO when it's done!
    I will be posting the full paper we will have to write and the ppt presentation when we are done
    :P

    LOL Yeah I will definitely post it. It's really interesting. Not the most practical thing, but certainly has its place and is quite interesting to any science nerds out there like myself.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Man, that will probably take equipment and processing power that you don't have. I'm not completely sure where in the EM frequency the CRT monitor's electron guns cause their chaos, but either way you'd have to do a fair bit of reconstructing/processing.

    It is possible, however it probably isn't cheap. You would probably be better off building a Van de Graaff generator and/or Tesla coil and a Faraday cage for this demonstration, if $$$ is a concern. Or at least use a cell-phone or a pair of walkie-talkies to demonstrate the Faraday cage effect, and explain that... Then for the next 3 hours just have people play in it, etc.

    But if you are wanting to reconstruct signals, the most cost effective thing to do would be to use a microphone to "listen" to how a computer sounds while the processor does different operations. I.e., write a program to loop through i++ loops, other kinds of loops such as disk access and/or memory operations, etc, and record how it sounds and view the waveform. You might be pleasantly surprised at the results... Yes, a processor/motherboard can actually produce distinguishable waveforms depending on the operations being performed. I think someone has done something on this before, and google might uncover it...


    Either way, share what you find out. Cheers & Good luck

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Sorry for being ignorant, but are we talking about TEMPEST and NONSTOP here?

    Cheers

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Originally posted here by nihil
    Hi,

    Sorry for being ignorant, but are we talking about TEMPEST and NONSTOP here?

    Cheers
    Not sure about NONSTOP, but this is what the TEMPEST project was all about. In 1985 a guy by the name of van Eck (go figure) released a paper to the public about the idea and the government got all uneasy and started releasing some information about it.

    Tim, check out http://eckbox.sourceforge.net . They seem to think it's pretty simple to build. Even if we can't build a working model it's ok, we will find some sort of a way to kind of demonstrate part of it, then outline what we would've needed to do to build the rest of it, and why.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmmm,

    I am sorry, but I will have to tread a bit carefully here...............we have this local legislation called "The Official Secrets Acts 1911-1989 (as amended)"...........afraid I have signed it a few times

    Basically TEMPEST is sort of 1950's analogue technology, NONSTOP is the digital successor.........there is stuff after that, but you will not find out about it.

    Suggestion...........try google searching for "private investigator tools", "electronic surveillance"...........that sort of stuff.........look at the specs and it might give you some idea of what to do and where to go?



    I will have to check, but somewhere I used to have some TEMPEST proof fonts, I will try to find them, but you might get some with google?

  8. #8
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    I don't know how useful this project will be.

    Since I think of things in terms of its practicality, I'd go for the project where you lift data off an LCD cable using some induction ring/clamps like I use on my automobile spark plug wires to read the number 1 plug firings so I can time the beast.

    Somebody in class, invariably, will tell you "Good thing people are changing to LCD monitors". Heh!

    I think one reason the government was uneasy in 1985 about the project was because the US government had (still has?) in place a military command and control system linking various organizations, where individual computers (highly protected from outside sources) were dubbed "TEMPEST".

    A funny incident writes someone anonymous is:
    “One day when I was stationed at Lackland AFB (before we moved to Brooks), I answered the phone and a man on the other end told me that his major was looking through the phone book, and wanted to know what TEMPEST stood for. Being the wet behind the ears two striper that I was, I asked my NCOIC what I should tell the caller. He took the phone, puffed out his chest and told the man that TEMPEST stood for "Tremendously Endowed Men Performing Exciting Sexual Techniques" and hung up. Needless to say, our major got a call from his major very shortly afterwards.”

    From an anonymous UK source: "1. GCHQ in the UK is the #1 monitoring place for TEMPEST, they HAVE NOT scaled down any business to do with TEMPEST and now even use their techniques for corporate applications. They are STILL the first port of call of the Ministry of Defence for any queries. 2. The GCHQ standard (BTR) is the bible for the UK Military with regard to installations that may negate TEMPEST emissions, mainly due to good practices and safe areas around antenna and cryptographic equipment, also JSP440 is a watered down version of the standard that also covers computer security which is available to all CIDA's (Installation Design Authorities) within the Ministry. CIDA is one of the main 'businesses' within the MoD. Stories... these I have 'heard' from people in the know and witnessed myself:

    Whitehall, London
    A Ford Transit van was converted to carry an entire Tempest test kit including antennas and terminals. This was parked on the road outside the building. The antennas were able to pick up the Telephone emissions from all areas of the building, including 'Shielded' areas due to the pre-1970 external telephone wiring, and as all conversations are routed to the local telephone exchange before encoding, this posed a major security threat. Also, static CRT images were reformed on the terminals within the van. (I have also witnessed this whilst attending a TEMPEST course at GCHQ.)

    Gibraltar
    An old 'story'. There is one main transmission site on Gibraltar where all of the signals to the passing allied fleets are sent (also submarine signals). These are coded within the building then transmitted via antenna and satellite. However a number of 'unfriendly' vessels (mainly Russian registered trawlers) were hovering near to the shore by the chain link fence. The comms officer got curious and asked for a TEMPEST check to see if they were picking up any signals. A test proved that the fence was picking up uncoded signals that were emanating from the large capacitors used in the encoding process. The fence then acted as an antenna and the unfriendlies were receiving uncoded signals. The station was closed down immediately.

    Interference and Non-intentionally Interception.
    Modern digital mobile phones are the current enemy of the UK teams. Mainly as the signal can act as a carrier wave for any radiated signal. Also, it has been noted, that people making Mobile calls at the end of the runway at RNAS Yeovilton can eavesdrop on the tower and pilot conversations. Another 'story' tells how a British Telecom engineer was testing a mast when his laptop screen started to fill up as if the computer was typing. What had actually happened was that the voice recognition software on his laptop had detected the radiated signal from the mast during decoding and regeneration and displayed it on the screen as plain text.
    ZT3000
    Beta tester of "0"s and "1"s"

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    I didn't realize it could be done so cheaply now. I knew that there was a bunch of leaky stuff to pick up signals from, but didn't think it worked its way down to the level it is now. Guess that's what happens in 4 years... :shrug:

    You could still do the thing with the Faraday cage and walkie talkies and have the cage be big enough to walk-into. Might be a fun way to tie in what you're explaining, even if it relates to filtering/blocking the signals instead of picking them up. I don't remember the calculations on optimal spacing/thickness to attenuate a particular frequency, but for something like 802.11b (laptop wifi) at least you could build something based off of a microwave oven's door... Cheers.
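
For the mesh-spacing question raised in the post above, here is an added example (not part of the thread or any poster's code) using the standard first-order EMC aperture approximation, SE ≈ 20·log10(λ / 2L), where L is the largest dimension of an opening. The sample frequencies, the `n_in_line` correction for a row of closely spaced equal holes, and all function names are assumptions of this example; real cages also leak at seams, doors and cable entries, which this estimate ignores.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def wavelength_m(freq_hz):
    return C / freq_hz

def aperture_se_db(freq_hz, aperture_m, n_in_line=1):
    """Estimated shielding effectiveness (dB) of a shield whose largest
    opening measures aperture_m. Openings of half a wavelength or more
    give no shielding. n_in_line (assumption: equal holes in a row,
    spaced closer than half a wavelength) costs 10*log10(n) dB."""
    if aperture_m <= 0 or n_in_line < 1:
        raise ValueError("aperture must be > 0 and n_in_line >= 1")
    half_wave = wavelength_m(freq_hz) / 2
    if aperture_m >= half_wave:
        return 0.0
    se = 20 * math.log10(half_wave / aperture_m) - 10 * math.log10(n_in_line)
    return max(se, 0.0)

def max_aperture_m(freq_hz, target_db, n_in_line=1):
    """Largest opening that still meets target_db at freq_hz."""
    needed = target_db + 10 * math.log10(n_in_line)
    return (wavelength_m(freq_hz) / 2) / (10 ** (needed / 20))

# Constructed sample frequencies for the demos mentioned in the thread.
SAMPLES = {
    "walkie-talkie (FRS, 462.5625 MHz)": 462.5625e6,
    "cell phone (900 MHz band)": 900e6,
    "802.11b Wi-Fi (2.437 GHz)": 2.437e9,
}

def report(aperture_m, n_in_line=1):
    """Return (label, SE in dB) for each sample frequency."""
    return [(name, round(aperture_se_db(f, aperture_m, n_in_line), 1))
            for name, f in SAMPLES.items()]

if __name__ == "__main__":
    for label, mesh in (("25 mm chicken wire", 0.025),
                        ("2 mm perforated sheet", 0.002)):
        print(label)
        for name, se in report(mesh):
            print(f"  {name}: ~{se} dB")
    limit_mm = max_aperture_m(2.437e9, 40) * 1000
    print(f"Largest hole for 40 dB at 2.437 GHz: {limit_mm:.2f} mm")
```

The same mesh attenuates lower frequencies more, which is why a coarse cage can silence walkie-talkies yet do little against Wi-Fi.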

  10. #10
    Nihil,

    Is this the technique that was used by the 'TV detector Vans' in the UK?

    (For those from non-UK shores, all TV-receiving equipment in the UK is supposed to be licenced. At one time, vans drove round outside non-licenced properties and tried to detect a TV being used in the house. Rumour has it they could see what you were watching. They don't bother any more, it's now just a computerised list of TV-owners, probably not unlike a subset of Melissa).
    What's your favourite OS?

    Seen it. Tried it. Crashed it.
