Video eavesdropping demo at CeBIT 2006

If you happen to be at CeBIT 2006 in Hanover this week, don’t miss a little demonstration of compromising video emanations that I developed (Halle 6, Stand A42, booth of GBS). It shows how easily now cheap FPGA DSP evaluation boards can be turned into impressive home-brew eavesdropping devices.

COVISP demonstration setup at CeBIT 2006

The system shown consists of a log-periodic antenna (not on the photo), a Dynamic Sciences R1250 wideband receiver, and an Altera FPGA DSP Development Kit, Stratix II Edition. The FPGA board is the implementation platform for my COVISP-1 (compromising video emanations processor) circuit. It receives the 30 MHz intermediate-frequency output signal from the UHF tuner, samples it with 12-bit resolution at 120 MHz, applies a number of signal-processing steps (AM demodulation, gain control, clipping, blanking), and outputs the result – along with sync-pulses – onto the connected VGA monitor. It implements all the controls necessary to adjust it precisely and comfortably to the video mode of the eavesdropping target, including a video clock synthesizer with a frequency-resolution of about 1 part-per-billion, necessary for accurate synchronization of the image.
The eavesdropping target to which the demo setup is tuned in on the above picture is a PC with a flat-panel display:
Eavesdropping target of COVISP demonstration at CeBIT 2006

It belongs to a nearby Russian stand, is about 25 meters away from our antenna. Its PowerPoint presentation is clearly readable on our eavesdropping system, which managed to isolate this signal from the many hundred PCs located in the same room.

About Markus Kuhn

I'm an Associate Professor at the Department of Computer Science and Technology, working on hardware and signal-processing aspects of computer security.

9 thoughts on “Video eavesdropping demo at CeBIT 2006

  1. Why should the image displayed on the target flat-panel display be passed through a UHF tuner in the first place? Surely that would only be the case if the display were equipped for receiving TV broadcasts and actually being used for this — there seems no particular point in passing output from a computer display card through a UHF stage.
    Or did your description get compressed somehow?

  2. The UHF receiver is only used as a kind of easily adjustable RF band-pass filter in this application. What the target device emits is just a sequence of electromagnetic pulses, one for each 0/1 or 1/0 transition of a wire. There is no modulated carrier signal coming from the eavesdropping target. Think UWB rather than AM. If you do a Fourier transform of a single pulse, it shows frequency content throughout the radio spectrum (up to a top frequency that is roughly the inverse of the pulse width). So if you can afford to look at a bandwidth that is comparable to the bitrate of the signal that you want to eavesdrop, then you can tune your receiver to pretty much any quiet part of the radio spectrum where the pulses that you look for stand out with a good signal-to-noise ratio.

    Things become a bit more complicated if the bandwidth that you look at is much smaller than the pulse rate (here: 20 MHz versus >1 Gbit/s), because now the band-pass filtered pulses start to interfere with each other. The result starts to depend highly on the center-frequency to which you have tuned your band-pass filter (or tuner). Think of a text display with foreground and background colour. Each colour is represented by a characteristic repeating bit pattern on the DVI cable. Think of the Fourier spectrum of such bit signals. Now look in the Fourier spectra of the foreground and background signal for a frequency range where they differ greatly (in the above demo: 500–520 MHz). Tune your band-pass filter there, and after rectification of the result, you will get a high-contrast text image. The optimal tuning frequency now depends on what foreground/background colour combination is used to display the text. It depends of course also on the background spectrum at the location, as well as on the geometry of the transmitting “antenna” (which will also act as a band-pass filter).

    If you are interested in more information: Electromagnetic eavesdropping risks of flat-panel displays, Proceedings PET 2004.

  3. Markus,

    At CambLabs a little while ago you used a Photo Multiplier and a telescope to evasdrop on a display. Presumably the PM output would just as easily drive your software and therby get increased range / sensitivity?

    The second thing, is you should have mentioned that a wideband receiver can easily be made with a Diode Double Balenced Mixer (eg SRA1 from Minicircuits) and a couple of HP or other manufactures Mod Amps (say 10USD). so the whole thing could be very cheaply made 😉

  4. Yes, a better version of my demonstration of optical attacks is on my list of things to do with this FPGA board. The optical eavesdropping experiments that I did five years ago were offline laboratory setups. I used a digital oscilloscope to acquire an averaged image, which I then transfered onto a PC in order to process it in MATLAB (deconvolution, raster conversion, etc.). That takes a few minutes and is therefore not suitable to give a quick demo. The board will finally allow me to give realistic real-time outdoor demonstrations.

    At the moment, the only board of this type that I have is still with the project sponsor, but a second one is already ordered. Simply connecting the existing setup to a photomultiplier should already give a visible signal, but in order to really read text, I will have to add a digital deconvolution filter. There is plenty of space left on the FPGA, so I don’t expect any big problems. However, such deconvolution filters work best if they are applied to a very low-noise signal, therefore I’ll also need periodic-averaging in the COVISP.

    A minor problem may be that this board was really designed for IF signal processing. The A/D converters are connected via transformers that will filter out frequencies below 1 MHz. The lack of DC coupling should not affect text readability, but it may affect the overall image quality.

    Time permitting, I might also build my own wide-band receiver at some point, possibly as a little daughter card to go onto the FPGA development board. I could also reimplement the project on a smaller and cheaper FPGA. Both things combined might lead to a very powerful eavesdropping demonstration for less than £1000 worth of ingredients. There is a bit more on this written up in a recent paper “Eavesdropping attacks on computer displays”.

    Thanks for the component suggestion, I’ll certainly have a look at the data sheet.

  5. Markus,

    One thing you could do is go for a Software Defined Radio design. There are a couple of interesting articals up on the web, and Eric Youngblood actually sells a quite decent SDR kit, that he described in the articals available from,

    http://www.flex-radio.com/articles.htm

    Whilst away for a few days with the family and nothing much better to do whilst out walking I had an idle thought or two 😉 one of which was,

    IF you assume the video signal is actually sampled at the video dot clock rate, then by the process of sampaling the signal energy is spread at multiples of the dot clock all across the radio spectrum (one of which is what you tune into effectivly). However insted of using a conventional receiver why not use a SDR without front end preselection, and drive the sampaling system at the same rate as the dot clock (ie a high speed A-D clocked at the dot clock rate). The result would be to reverse the effect of the dot clock.

    Now on the very loose assumption that it would behave like a channel bank receiver with a common IF, then it would effectivly corelate all the multiples of the video signal giving you (a limited) gain of the wanted video signal whilst other (interfering) signals would benifit less.

    You might well find that instead of needing a wideband receiver all you need is a high speed A-D without analog signal filtering (ie your current board), pre-faced by a high quality amplifier.

    As I said just an idle though whilst my 4 year old son was creating mayhem amongst the wildlife in the countryside where we were walking.

  6. The COVISP is certainly a specialized example of what is now called a “software radio” or “software defined radio” design.

    I had a look at various SDR-frontends designed for HAMs, but all the ones I found so far have IF bandwidths designed for PC audio cards, which is three orders of magnitude narrower than what you need for a video signal. Suitable commercially available SDR tuners with at least 20 MHz BW tend to come so far from military suppliers. The HAM-SDR community is already growing beyond the use of soundcards (e.g., GNU Radio uses a 6 MHz IF BW cable-TV tuner), and it is surely only a matter of time until they also start to play with 20–50 MHz bandwidths.

    If you are interested, there is a more detailed analysis of the spectral composition of a video signal in Section 3.2 of my thesis.

    You are right that in theory you can extract a video signal from an antenna signal using merely periodic averaging. A periodic (85 Hz) video signal will have a comb spectrum where all spectral energy is located exclusively at multiples of 85 Hz (assuming an infinitely long periodic signal), and the entire video-baseband spectrum is repeated throughout the spectrum at intervals that correspond to the pixel clock frequency. The periodic averaging is nothing but a comb filter that attenuates all frequencies in the spectrum that are not a multiple of 85 Hz, thereby eliminating all other noise sources.

    I tried several times to connect an AD converter directly to an antenna amplifier for periodic averaging, but I found that in practice you get very bad results this way. You always need some form of analog preselection before you can digitize an antenna signal. There is simply way too much energy across the entire ADC input band for averaging to become effective. The frequency selectivity of a wideband receiver does in practice offer a dramatic improvement of the achievable signal quality.

  7. Very impressive job Markus.
    Just out of curiosity how much would this “cheap” equipment cost?
    I checked on the net and the R1250 receiver isn’t really available to the public.
    Thanks.

  8. @ Markus,

    It would appear that to bods have applied your “work in progress” to detecting signals from a keyboard.

    http://lasecwww.epfl.ch/keyboard/

    It appears to have created a bit of a flap. And Bruce Schneier has bloged about it,

    http://www.schneier.com/blog/archives/2008/10/remotely_eavesd.html

    I mut admit I do find it quit amusing all in all.

    However that reminds me, you said above it was a work in progress how is it going I must admit I have been looking forward to having a read up about it.

  9. @ Markus,

    If you do get around to building a new preselector / reciever for the card a couple of suggestions for you.

    Due to cost etc most manufactures of ICT equipment do not put enough filtering components in their equipment.

    The result of this is it breaks the EMC/EMI specs (masks) they must meet…

    To solve this problem a lot have resorted to using very very simple Spread Spectrum Techneiques to spread the frequency spurs from their equipment over a larger bandwidth and therby lower the energy per Hertz to get under the EMC/EMI mask…

    Well, if you included an extra double balanced mixer into the system you could re constitute the high energy frequency spurs whilst also (potentialy) reducing other interfering signals…

    This might well give you an effective coding gain of 20dB which would be worth while as it could increase the range of the detecting equipment ten fold…

    Also the use of two front ends and four antennas would be a very worthwhile addition (conect two antennas in X/Y axis via a modern equivalent of the old Radio Direction Finding “goinometer”) the result can be like having a highly directional beam antena without as much physical size. Also as you can steer it electronicaly it could be easily driven from the processing card.

    Both of which might easily turn it from an interesting project to a very serious tool which could attract you funding 😉

Comments are closed.