[tor-talk] TEMPEST Attacks! LCD Monitor leaks system noise to FRS

jackinthecrack at tormail.org jackinthecrack at tormail.org
Sat Dec 22 08:24:02 UTC 2012


TEMPEST Attacks! LCD Monitor leaks system noise to FRS

This post is one example of why Tor developers should focus on
anti-TEMPEST-ing the Tor Browser, in color, fonts, etc.
===
I don't operate any wireless equipment at my living location. This
includes computers, computer equipment, routers, non-computer equipment,
etc.

I'm having a problem with one of my LCD monitors.

It works without problems. That was until I picked up some heavy static
noises from a hand held radio. I eliminated all sources of generating this
type of noise until I came towards an LCD monitor. When the monitor is on
and there is content on the screen the radio makes several types of
garbage (static) sounds. As I manipulate contents on the screen, maximize
and minimize windows, open different applications, the radio responds with
scratchy (static) noises to match the activity on the screen. This includes
typing and mouse movement.

When I switched the desktop background to a solid black color without
wallpaper, the radio noise went down to almost nothing. But when I loaded
any program with a white background, the noise from the radio exploded in
volume.

When I passed the radio across different computer and non-computer
electronic devices other than the LCD monitor, the wired mouse made a high
pitched squeal sound within the static. None of the other computing
devices such as the tower generated any noise.

I tried CRT monitors and separate computers attached to the CRT monitors
but they did not generate any noise in the radio. On the computer
connected to the net, I unplugged the cable leading to the router to rule
this out but it made no difference, the LCD monitor is at fault.

While monitoring the radio noise, there were several instances where the
noise on the channel being monitored stopped, and I switched to another
channel and the same noise appeared. Why would the noise from the LCD
switch channels during normal use of the LCD? Back and forth throughout
the day the noise generated by the LCD would switch from one channel to
the next and back to the first channel again.

The noise extends several steps within my living location. I'll test this
another day to determine if it extends outside my living location and if
so by how many feet.

The computer/monitor are grounded and attached to a surge protector. I'm
not sure what I need to do to stop this, or if I should ignore it.

I assumed LCDs would be quieter than CRTs when it came to noise.

Unless I have a radio tuned to a specific channel, the LCD does not
generate any noise which I can detect, unless it's above my hearing
capacity.

The LCD monitor also functions as speakers, and while the sound cable is
connected to the tower, I have disabled the onboard sound in my BIOS. The
only other connection is the DVI cable to the tower.

How may I decrease this noise or eliminate it? It seems like the LCD is a
mini radio station. When I turn it off the noise in the radio stops, if I
blacken the screen the noise lessens. When I switch to a colorful
background or load white screened applications like a web browser the
noise jumps up loudly. I've tried grabbing and moving a browser window
around the screen and the movement matches the noises in the radio.

Would any of this be considered normal?
==-
This certainly isn't unheard of, it's because some part of the monitor is
unshielded. The more fix-it stuff is at the top of the following, with the
technical backdrop that just might be good to know at the bottom.

Unfortunately, the issue is most likely the panel charging the LCs. The
only thing you can do is see if the manufacturer will replace it or
upgrade you. Complain to the manufacturer, be sure to come up with some
important thing it's interfering with (if I recall some medical devices use
some sort of radio).

If the issue is actually internal wiring, which is highly unlikely as
detailed below, and it isn't in warranty, attempt to shield it yourself.
To shield it yourself, you'll need thin foil (not kitchen foil) and
electrical tape.

So, in any given monitor, there are 3 main parts. Input, logic, and output.
Output, as previously mentioned, can't really be shielded. To shield both
of the other sections, all you really need to do is manipulate the wiring
to reduce the number of holes in the foil wrap needed to put it all back
together. Obviously this will take some trial and error, and time.


USEFUL INFO THAT ISN'T REQUIRED:

Shielding wires can best be thought of as encasing a wire in a Faraday
cage, made of foil. If you want to see an example, Apple's iPod charging
cords are all shielded, strip the insulation and see for yourself. This
shielding acts doubly, keeping EM noise from messing with the signal, and
keeping the signal's own noise from leaving.

WHY IT IS THE CHARGING PANEL AND NOT WIRING:
Because of the specific details you provided (bravo to you, the amount of
data provided helped), I can conclude that the charging panel (the array
of electrodes responsible for producing the image) is putting out the
interference. Three of your observations prove this.

First, you state the noise ceases completely when the monitor is turned
off, which is consistent with it being EM noise.
Second, the noise's perceived pitch changes when the display is
manipulated, which is to be expected, as the electrode charges would
change as the display changes.
Third, a black screen is "quieter" than a white screen. Black is the
lowest charge state, with the only power in use going to the backlight.

As for your questions:
Noise hopping channels isn't unheard of, though I don't know the science
behind it. My best guess is that because the noise isn't an intended
result of the electricity, small changes in voltage/amperage result in
those hops.
(indirect question-ish) The mouse was likely the only other emitter
because it has a fairly high density of wires + it emits light.
===-
@W00t:

What is the difference between - and where may I obtain the non-kitchen
"foil" you mentioned?

The disturbances sound like a bugged environment. The squeal coming from
one area and/or device could mean the location of the bug has been found -
and I know adding a small device and/or modification to a keyboard and/or
mouse is simple enough - especially for a quick in and out the door type
bugging.

Is there an affordable method of shielding the equipment while not
violating FCC/TEMPEST laws? Would a simple screen dimmer attached to the
monitor bring the noise down? Or would it be best to put out the extra
money required by purchasing special paint or wallpaper which blocks RF
signals?

Whether or not it's a bug, at this point you are broadcasting your
computer monitor and its activities, down to the keyboard and mouse
movements. What is the use of using Tor or any other like service if you
are pwned over the air waves?
====-
You could use kitchen foil, it's just more unwieldy to work with.

Yes, it could be a bug, I was running under the assumption you had no
reason to believe you were bugged, and if you did you ran bug sweeps. If
you believe you are bugged, you should definitely dismantle things to make
sure a bug isn't simply piggybacking on the same power source.

Dimming the screen would reduce noise, but not completely eliminate it.
=====-
Thanks, W00t.

"Dimming the screen would reduce noise, but not completely eliminate it."

I have modified my browser to function with a black background and my
choice of text colors and unchecked the option for all pages to use their
own colors, so every page I visit is black with my choice of font/links
colors. I'll rescan to determine if this lessens the noise. It's ugly, but
tolerable. Coupled with a black theme for the desktop, including the
background and system wide applications should also help - including
disabling images in the browser.

You mentioned foil. I'm not an electrician, but wouldn't wrapping cords
with foil and finishing the job off with a layer of strong black tape
possibly conduct electricity? Are you suggesting I cover all wires leading
to the computer(s) using this method? Wouldn't they each require special
grounding? How many repeating layers of this and/or other material is
needed? Have you tried "conductive tubing?"

While I want to shield enough to block noisy RF, I don't want to create a
microwave type scenario where RF is contained but it still remains and is
possibly amplified so as to add to the degeneration of my health, if
that's possible.

1. Ferrite beads
2. Split beads
3. Toroids

CONDUCTIVE TUBING & FERRITE SNAP BEAD
http://www.lessemf.com/wiring.html

https://en.wikipedia.org/wiki/Electromagnetic_interference
https://en.wikipedia.org/wiki/Electromagnetic_radiation_and_health
https://en.wikipedia.org/wiki/Electromagnetic_shielding
https://en.wikipedia.org/wiki/EMF_measurement

I could try some or all of the three options above in addition to your
advice? TY
===-
Anyways, this is reminding me of Van Eck phreaking; look it up, some pretty
interesting stuff.

Yep, had the same thought.

Countermeasures are detailed in the article on TEMPEST, the NSA's standard
on spy-proofing digital equipment. One countermeasure involves shielding
the equipment to minimize electromagnetic emissions. Another method,
specifically for video information, scrambles the signals such that the
image is perceptually undisturbed, but the emissions are harder to reverse
engineer into images. Examples of this include low pass filtering fonts
and randomizing the least significant bit of the video data information.
====-
Can someone please point me to techie LCD monitor internal guides? If I'm
going to take it apart I'd like to know what to expect. I've read more
about Van Eck and Tempest than anyone can teach me here. Now I'm looking
for LCD guides of what's inside.
===-
To be honest, it's not what's inside the LCD monitor you should be
worrying about if you want to phreak LCDs. You should worry more
about the RF side of things, and figuring out the spread spectrum clock
signal so you can pick up the signal. To top it off, background noise is
going to be a bitch when it comes to LCDs. Old CRT monitors are way easier
to phreak; those things throw off EM radiation like nobody's business.
===-
The noise coming from the LCD monitor is appearing on FRS channels:

- https://en.wikipedia.org/wiki/Family_Radio_Service

It continues for several minutes before it jumps to another channel then
after a few minutes jumps back to the original channel. One of my concerns
is the ability for others to pluck this noise from the air (Van
Eck/TEMPEST) and monitor my activity, or possibly use an attack against
the computer somehow. A recent UN report mentioned a high tech method(s):

* U.N. report reveals secret law enforcement techniques

"Point 201: Mentions a new covert communications technique using software
defined high frequency radio receivers routed through the computer
creating no logs, using no central server and extremely difficult for law
enforcement to intercept."

- http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf
- http://www.hacker10.com/other-computing/u-n-report-reveals-secret-law-enforcement-techniques/

In addition, I don't want my LCD monitor constantly sending monitor and/or
system activity to a FRS channel(s) for others to hear. I choose wired
over wireless for a reason, and there shouldn't be any noise coming from
my LCD monitor and appearing over FRS, unless there is a bug or problem
with the monitor. All of my CRT systems are silent on FRS.

When I position the radio near different components, the power supply
doesn't emit any noise on FRS, but it could be a problem, I don't know,
I'll move to that once I resolve the LCD monitor problem, unless the PSU
is the problem and not the monitor.

I may take apart the LCD monitor, I'm looking for a good list of what I'll
find if I do.

I peered inside the vents on the top/back left hand side with a strong
flashlight and came across a strange piece of silver tape inside, here's
how I describe it:

OOGGGGGGGGGGGGGGG__

OO = a small thin black material coming out from underneath the silver
piece of tape
GG = the strip of silver tape
__ = the bottom right hand portion of the silver tape is raised enough to
allow a pinky finger entry

The silver tape/material/opening under tape is on the top left corner
inside the monitor. The rest of the length and area inside that I can see
contain no tape or black material. I've seen photos of planted bugs in
people's living spaces and most if not all of the invasive ones are
wrapped/covered in silver foil. I've found no other reason for that strip
and material to be there, but what do I know.
=====
In addition, my CDROM drive light blinks once every second, sometimes with
a second or 1/2 second in between, and I found this:

http://catless.ncl.ac.uk/Risks/19.60.html#subj9

"I'd worry about a Tempest virus that polled a personal computer's
CD-ROM drive to pulse the motor as a signalling method:

* Modern high-speed CD-ROM drive motors are both acoustically and
electrically noisy, giving you two attack methods for the price of one;

* Laptop computer users without CRTs, and the PC users that can afford
large LCD screens instead of CRTs, often have CD-ROM drives;

* Users are getting quite used to sitting patiently while their
CD-ROM drives grind away for no visibly obvious reason (but
that's quite enough about the widespread installs of software from
Microsoft CD-ROMs that prompted Kuhn's investigation in the first place.)"
===-
I don't think there should be anymore blinking if you remove the CD/DVD
inside.
If it keeps blinking, find out which process uses it.
Anyway, you can disable it when you're not using it, if it's bothering you.

And shield your monitor.
http://en.wikipedia.org/wiki/Electromagnetic_shielding
====-
"I don't think there should be anymore blinking if you remove the CD/DVD
inside."

Does Tails support this at boot?

If not, is there a Linux LiveCD which allows this and does not give you
root access at boot?

I've looked at several different distributions which allow you to boot
into RAM and remove the CD, but they all give you root and that's a very
insecure environment to run TBB in!

"If it keeps blinking, find out which process uses it."

It doesn't blink on the several distros which boot into RAM, but I don't
want to run Tor as root or reconfigure the permissions/PAM/etc. just to
use TBB. As above, with Tails and many LiveCDs which don't boot into RAM,
99% of them have this blinking light issue. The actual INSTALLS I've done
to HDD experience constant light activity too, even more so, without
anything to explain them.

For Linux, I've run rkhunter, chkrootkit, tiger, and other tools and
nothing malicious is found. Without a deep binary analysis I don't know
what else I could do.

For Windows, I use a few programs in the SysInternals Suite and they
display strange usage on the system and reference programs which cannot be
found with a search on the system, references to impersonation, spoofing,
and more. I've run almost every N.American scanner on the Windows systems,
including command line only rootkit detectors and I've seen some strange
'strings' of binaries mentioned, but have no idea on how to clean the
system.

I prefer to run LiveCDs because all installations, Windows and Linux,
contain unexplainable frenzies of blinking lights, far worse than the
blink every second on most LiveCDs. I'm wondering if this is firmware
malware on my NIC or the CDROM itself. This has existed for years and
never goes away, no matter what system I use, this strange baggage seems
to re-infect everything.

"Anyway, you can disable it when you're not using it, if it's bothering you."

Disable what?

"And shield your monitor."

Thanks. I'm investigating and most of the guides require specific addons
to the computer's cabling system. Most of the guides appear incomplete, or
are in another language other than English.

Any comments on the Tempest/blinking light possibility?

Any comments on why it's spewing out noise to FRS stations and freq hopping?
===-
More comments from elsewhere:

@kb2vxa:

"You're making a mountain out of a mole hill."

I respect your opinion and I don't wish to argue against it, but please
look at it from the way I and some others have. I want to eliminate the
noise created by the LCD monitor. If this was such a common experience, I
would expect at least one of the dozens of other electronic equipment to
generate some noise, however faint, on FRS - but they do not.

"You are under the wrong impression that somehow RF hash from the back
light can somehow carry data. A liquid crystal display (LCD) does not
generate its own light like a CRT or plasma screen and requires a light
source to make the display visible. Even those that do cannot transmit
computer data being none reaches the monitor."

The LCD is connected to a tower, which other devices connect to. Under
testing I've heard the CDROM drive accessing data noises within the FRS
channels, along with mouse movements and keyboard activity, along with
other noises. When I disable the LCD monitor, all of these disturbances
vanish. This means the weakness is in the monitor, and my tower is well
shielded or shielded enough so as not to generate any noise in radios I
can notice. The reference I made to the strange tape and material within
the back side of the LCD monitor at the top could be a sign of some type
of antenna or device for amping.

"Their FRS radios will only hear what yours does, RF hash, no data
whatsoever THAT IS if one is standing outside your house tapping the radio
and scratching his head wondering what's the matter with his radio. You
and only you know what it is and where it's coming from."

And what of experienced and curious sysadmins? Rogue crackers? Bored HAMs?
Are there any remote radio injection attacks against systems? This is
something I'll research later, as I do believe it was mentioned in at
least one whitepaper on side channel attacks.

"Thanks for the chuckles, if the report reveals secrets it would not be
published but sent by secret courier to the KGB in Moscow."

I'm not aware of any secrets revealed within the document. But it did
raise an interesting point without exposing the method(s) delivered to us
from an interesting party. This wasn't just some random article written by
some anonymous, disturbed fellow and posted to a pastebin or conspiracy
minded blog or forum. And one cannot deny the dozens of TEMPEST attacks
available today.

"So... all this and no word on moving the radio farther from the monitor.
Why don't you try talking somewhere besides in front of the computer if it
bothers you so much?"

Thank you for considering conversation as my reason for posting this, but
it is not. I would not choose a noisy channel to talk on. Clear
conversation is not the point of this thread. I desire the elimination of
this garbage coming from the LCD monitor. I don't care if no one in the
world can pick up on it and hear it, I would like to properly resolve it
and not ignore it.

One can also dredge up the subject of EMF on health, too, but I have not
experienced any disturbance of health from exposure to this noise and most
people would argue any possible EMF effects on health to be one of one's
over active imagination and not real world application.

[-]

A continued discussion was posted elsewhere, this may be useful in the
voyage to remove this "noise":

[-]


Any comments on the silver tape and material inside the back of the LCD?

...Disconnection of the LED CDROM and HDD lights could be something I
should do to relieve one possible issue.

[-]

Some articles with examples:

"If everything is just right, you can pick up signals from some distance.
"I was able to eavesdrop certain laptops through three walls," says Kuhn.
"At the CEBIT conference, in 2006, I was able to see the Powerpoint
presentation from a stand 25 metres away."

Kuhn also mentioned that one laptop was vulnerable because it had metal
hinges that carried the signal of the display cable. I asked if you could
alter a device to make it easier to spy on. "There are a lot of innocuous
modifications you can make to maximise the chance of getting a good
signal," he told me. For example, adding small pieces of wire or cable to
a display could make a big difference.

As for defending against this kind of attack, Kuhn says using
well-shielded cables, certain combinations of colours and making
everything a little fuzzy all work."

- http://www.newscientist.com/blog/technology/2007/04/seeing-through-walls.html

=!==-!=
TO EASILY VIEW THE PDF files below:
=!==-!=

Online viewer for PDF, PostScript and Word:

"This is an online viewer, with which you can view PDF and PostScript
files as browsable images and Word documents as web pages. Given a URL on
the net or a file on your computer, the viewer will try to retrieve the
document, convert it and show it to you. No plugin software is required."

http://view.samurajdata.se/

The viewer software is open source, licensed under the GNU Public License.
=!==-!=

Electromagnetic eavesdropping risks of flat-panel displays
http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf

=

Eavesdropping attacks on computer displays
- http://www.cl.cam.ac.uk/~mgk25/iss2006-tempest.pdf

=

Compromising emanations: eavesdropping risks of computer displays
- http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.html
- http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf

=

Compromising emanations of LCD TV sets
- http://www.cl.cam.ac.uk/~mgk25/emc2011-tv.pdf

=

"Q: Can I use filtered fonts also on flat-panel displays?

My experience so far has been that with LCDs, the video cable is the most
significant source of radiated information leakage. Where an analogue
video cable (with 15-pin VGA connector) is used, low-pass filtered fonts
have the same benefits as with CRTs. Where a purely digital video cable is
used (DVI-D, laptop-internal displays with FPD/LVDS links, etc.) only the
last step, namely randomizing the least-significant bits, should be
implemented.

Where the video signal is entirely encoded in digital form, the low-pass
filtered step will not have the desired effect. In fact, it can actually
increase the differences between the signal generated by individual
characters, and thereby make automatic radio character recognition more
reliable."

- http://www.cl.cam.ac.uk/~mgk25/emsec/softtempest-faq.html

=

Remotely Eavesdropping on Keyboards (and read the comments!)

"The researchers from the Security and Cryptography Laboratory at Ecole
Polytechnique Federale de Lausanne are able to capture keystrokes by
monitoring the electromagnetic radiation of PS/2, universal serial bus, or
laptop keyboards. They've outlined four separate attack methods, some that
work at a distance of as much as 65 feet from the target.

In one video demonstration, researchers Martin Vuagnoux and Sylvain Pasini
sniff out the keystrokes typed into a standard keyboard using a large
antenna that's about 20 to 30 feet away in an adjacent room."

- https://www.schneier.com/blog/archives/2008/10/remotely_eavesd.html

=

Video eavesdropping demo at CeBIT 2006
- http://www.lightbluetouchpaper.org/2006/03/09/video-eavesdropping-demo-at-cebit-2006/

=

Optical Emission Security – Frequently Asked Questions

"Q: What about LEDs?

For devices with RS-232 serial ports, it is customary to provide a status
indicator LED for some of the signal lines (in particular transmit data
and receive data). Often, these LEDs are directly connected to the line
via just a resistor. As a result, anyone with a line of sight to the LED,
some optics and a simple photosensor can see the data stream. Joe Loughry
and David A. Umphress have recently announced a detailed study (submitted
to ACM Transactions on Information and System Security) in which they
tested 39 communications devices with 164 LED indicators, and on 14 of the
tested devices they found serial port data in the LED light. Based on
their findings, it seems reasonable to conclude that LEDs for RS-232 ports
are most likely carrying the data signal today, whereas LEDs on high-speed
data links (LANs, harddisk) do not. Even these LEDs are still available as
a covert channel for malicious software that actively tries to transmit
data optically.

I expect that this paper will cause a number of modem manufacturers to add
a little pulse stretcher (monostable multivibrator) to the LEDs in the
next chip set revision, and that at some facilities with particular
security concerns, the relevant LEDs will be removed or covered with black
tape.

The data traffic on LEDs is not a periodic signal, and therefore, unlike
with video signals, periodic averaging cannot be used to improve the
signal-to-noise ratio. The shot-noise limit estimation technique that I
used to estimate the CRT eavesdropping risk can even more easily (because
no deconvolution is needed) also be applied to serial port indicators and
allows us to estimate a lower bound for the bit-error rate at a given
distance. I have performed a few example calculations and concluded that
with a direct line of sight, and a 100 kbit/s signal (typical for an
external telephone modem), at 500 m distance it should be no problem to
acquire a reliable signal (one wrong bit every 10 megabit), whereas for
indirect reflection from the wall of a dark room, a somewhat more noisy
signal (at least one wrong bit per 10 kilobit) can be expected to be
receivable in a few tens of meters distance."

- http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html

=

Ancient Story on Slashdot: Coming to a Desktop near you: Tempest Capabilities

"New Scientist has an interesting article about a new toy we will all
want. It's a card that plugs in one of your PCI slots and allows you to
scan the EMF spectrum and read your neighbours terminal. In about 5 years
you might be able to get one for just under £1000. (Modern Tempest
Hardware costs about £30000) "

http://www.yro.slashdot.org/story/99/11/08/093250/coming-to-a-desktop-near-you-tempest-capabilities

=

"Any unshielded electrical device with a variable current (including LCDs)
will give out EMF radiation. It's the nature of the beast.

For that matter, light is EMF radiation, so unless you have your LCD in a
coal-mine, it's reflecting EMF all the time it's switched on.

Then, there's the fact that screen monitoring isn't the only monitoring
you can do. I used to use a radio, tuned into the bus for the PET, as a
sound card. Worked surprisingly well, for all that very clunky metal
shielding. What's to stop a much higher-quality receiver from seeing the
data, in an unshielded box, being sent TO the LCD, or to any other device
on the machine?

It's a mistake to assume that Tempest technology is single-function and
that that single-function only works in a single situation."

- http://slashdot.org/comments.pl?sid=2333&cid=1553178

=

800Mbps Wireless Network Made With LED Light Bulbs
- http://science.slashdot.org/story/11/08/02/1322201/800Mbps-Wireless-Network-Made-With-LED-Light-Bulbs

=

There are a lot of other files, many in PPT format, which can be found
easily on this subject of LCD monitor (and other computing devices)
TEMPEST sniffing.

===

Sources for this discussion:

- http://forums.radioreference.com/computer/255488-lcd-monitor-broadcasts-noise-radio-why.html
- http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=9&t=10919

.onion link above requires a running Tor client session in order to view.
(https://www.torproject.org)

This on-going discussion was backed up to Pastebin(s) in order to retain it
as an artifact. Many of these types of discussions are REMOVED from the net
because of the nature of the discussion (TEMPEST).
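
The display countermeasure quoted earlier from the Soft Tempest FAQ (low-pass filtered fonts for analogue VGA links, only least-significant-bit randomization for digital links such as DVI-D) can be sketched as below. This is an added example, not code from the thread or from Kuhn's papers; the 3-tap smoothing kernel, the sample bitmap and all function names are assumptions chosen for illustration.

```python
"""Soft-TEMPEST style pixel filtering, per the FAQ guidance quoted in the thread.

Added illustration: the kernel, sample bitmap and names are assumptions,
not Kuhn's actual filter or code.
"""
import secrets

# Constructed sample: black strokes (0) on white (255), 8-bit greyscale.
ROWS = [
    "............",
    "..########..",
    ".....##.....",
    ".....##.....",
    ".....##.....",
    ".....##.....",
    ".....##.....",
    "............",
]
GLYPH = [[0 if c == "#" else 255 for c in row] for row in ROWS]


def lowpass_rows(img, kernel=(1, 2, 1)):
    """Smooth each scan line horizontally; border pixels are replicated.

    Stand-in for a font low-pass filter: it softens the sharp horizontal
    edges of text along the scan direction.
    """
    half, total = len(kernel) // 2, sum(kernel)
    out = []
    for row in img:
        n = len(row)
        out.append([
            sum(k * row[min(max(x + i - half, 0), n - 1)]
                for i, k in enumerate(kernel)) // total
            for x in range(n)
        ])
    return out


def randomize_lsb(img, bits=2, randbits=secrets.randbits):
    """Replace the lowest `bits` bits of every pixel with fresh random bits."""
    mask = (1 << bits) - 1
    return [[(p & ~mask & 0xFF) | randbits(bits) for p in row] for row in img]


def harden(img, link, bits=2):
    """Apply the steps the FAQ recommends for the given video link type.

    analog  (VGA): low-pass filter, then randomize LSBs.
    digital (DVI-D, LVDS): randomize LSBs only; the FAQ warns that low-pass
    filtering can make characters easier to tell apart on digital links.
    """
    if link == "analog":
        img = lowpass_rows(img)
    elif link != "digital":
        raise ValueError("link must be 'analog' or 'digital'")
    return randomize_lsb(img, bits)


def edge_energy(img):
    """Sum of squared differences between horizontally adjacent pixels."""
    return sum((a - b) ** 2 for row in img for a, b in zip(row, row[1:]))


def codes_emitted(before, after, value):
    """Distinct output codes for pixels that all had `value` on input."""
    return {b for ra, rb in zip(before, after)
            for a, b in zip(ra, rb) if a == value}


if __name__ == "__main__":
    analog = harden(GLYPH, "analog")
    digital = harden(GLYPH, "digital")
    print("edge energy, original :", edge_energy(GLYPH))
    print("edge energy, analog   :", edge_energy(analog))
    # Equal input pixels no longer map to one repeated code on the link.
    print("codes sent for white  :", sorted(codes_emitted(GLYPH, digital, 255)))
    print("codes sent for black  :", sorted(codes_emitted(GLYPH, digital, 0)))
```
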
