Software Tempest: covert data transmission using electromagnetic radiation.

Software Tempest: covert data transmission using electromagnetic radiation.

Software Tempest:
Covert Communications Using Electromagnetic Radiation

Marcus G. Kuhn and Ross J. Anderson (University of Cambridge Computer Laboratory, UK)

Table of Contents

1. Introduction

2. Shortwave Audio Transmissions

3. A Receiver for Intercepting Video Displays

4. Hiding Information in Jitter Patterns

5. Broadband Transmissions

6. A New Defense: Tempest Fonts

7. Conclusions

Bibliography

1. Introduction

Since at least the early 1960s, military organizations have known that computers emit electromagnetic radiation that not only interferes with radio reception but also leaks information about the data being processed. Commonly referred to as incriminating radiation, this phenomenon has also come to be known as Tempest radiation, after the code name of a classified U.S. government research program. Electromagnetic data leaks have become a serious concern in the development of sensitive computer applications.

In his book Spycatcher [7], former MI5 scientist Peter Wright tells the story of the early Tempest attacks on encryption equipment. In 1960, Britain was negotiating to join the European Economic Community, and the Prime Minister was worried that French President De Gaulle would block Britain's entry. So he asked the intelligence community to establish France's position in the negotiations.

Intelligence tried to break the French diplomatic cipher, but without success. However, Wright and his assistant Tony Sale noticed that the encrypted traffic carried a weak secondary signal. They designed equipment to recover the signal. It turned out to be plaintext that was somehow leaking through the encryptor.

Today, government systems are protected by expensive metal shielding of individual devices, rooms, and sometimes entire buildings [14].

Even within a shielded room, the red/black separation principle is followed: red equipment carrying sensitive data (such as computer terminals) must be separated by filters and screens from black equipment (such as radio modems) processing or transmitting non-sensitive information.

Equipment that is simultaneously connected to «red» and «black» devices, such as encryption equipment or multi-level workstations, requires particularly thorough testing. The American standard NACSIM 5100A, which sets out test requirements for Tempest-protected equipment, and its NATO equivalent AMSG 720B are classified documents [b].

In Germany, even the names of government standards for compromising radiation are kept secret.
Therefore, one can only fantasize about the measurement technologies used in Tempest tests. However, the data in published patents [12, 13] give grounds to believe that the instruments used are orders of magnitude more sensitive than those used in standard electromagnetic compatibility (EMC) and radio frequency interference (RFI) tests.

Some tests involve long-term cross-correlation measurements between signals picked up inside the system under study and noise and distorted signals received from external sources, including not only antennas but also power lines, grounds, peripherals, and network cables. Even microphones can be suitable sensors, especially when testing equipment such as line printers. By averaging correlation values ​​over millions of samples, even very weak traces of the information being processed can be detected in electrical, electromagnetic, and even acoustic emissions.

Similar techniques of averaging and correlation can be used for attacks when the signal is periodic or its structure is generally understood. Video display controllers periodically output the contents of the frame buffer to the monitor and are thus an attractive target for attacks, especially when the video signal is amplified to several hundred volts for a cathode ray tube (CRT). A special bug — software that an attacker can implant in the system — can also generate periodic or pseudo-periodic signals that are easily detected. Knowledge of the type of fonts used in video displays and printers allows, based on the maximum likelihood technique, to obtain a better signal-to-noise ratio for whole characters than is possible for individual pixel characters.

A similar technique can be used to «probe» CPUs that execute known algorithms. Even if the signals generated by individual instructions are lost in noise, correlation methods can isolate the execution of a known set of instructions.

In the work of Bovenlander [8] it is described how for a smart card implementing the DES algorithm, a cryptographic operation is identified by the power consumption when a certain pattern is repeated sixteen times.

Similar attacks are also known for the case when the attacker has the ability to detect the processor's intention to write data to the EPROM based on power consumption. For example, you can enter a PIN to be tested, track the power consumption to see that it is not suitable, and reboot before the input attempt counter updates its value. In this way, you can bypass the PIN testing threshold.

The first publication about Tempest in the open press [1] appeared in Swedish in 1983. However, the problem was brought to wider public attention by a 1985 article [2], in which Wim Van Eck demonstrated in practice that the contents of a display screen can be reconstructed from a distance using cheap, non-professional equipment — a regular TV set in which the clock generators are replaced by manually controlled oscillators.

His results were later confirmed by Møller, Bernstein and Kohlberg, whose work also discusses various shielding methods [5].

Smulders showed that it is often possible to intercept even signals from shielded RS-232 cables [4].

The connecting cables form resonant circuits consisting of the inductance of the cable and the capacitance between the device and ground; these circuits are excited by the high-frequency components of the data signal, and the resulting high-frequency oscillations emit electromagnetic waves.

It is assumed that an intruder armed with fairly simple radio equipment and standing near an ATM can register both the signals from the magnetic stripe and the PIN data of users, since the card reader and keypad are usually connected to the CPU via serial lines.

A similar danger arises from the mutual exchange of signals between parallel cables. For example, network data has been demonstrated to be recovered from a telephone line, with the telephone cable running next to a computer network cable for only two meters [15]. Another danger comes from «active» attacks: an attacker who knows the resonant frequency of, say, a personal computer keyboard cable can irradiate it at this frequency and then register keystroke codes in the retransmitted resonant signal due to the impedance changes they cause [16].

Given the interest generated by the publication of Van Eck's discoveries [3], and the enormous costs of shielding that are typical in the diplomatic and military fields, it is surprising that virtually no further research on Tempest attacks and related defenses has appeared in the research literature.

However, laboratory radio research is an expensive thing, and obtaining purely theoretical results is difficult due to the lack of published data on the emissions of modern equipment.

Commercial use of Tempest technology is a low-profit endeavor. The British and German governments tried to interest commercial firms in Tempest when they were looking for a use for the developments accumulated during the Cold War. But this did not lead to success: Tempest-shielded PCs and workstations are several times more expensive than standard models, and, in addition, their export sales are usually strictly controlled. So it is not surprising that shielded equipment is almost never used outside the diplomatic and military communities.

But that may be changing. In this paper we describe some simple experiments we conducted with a Tempest receiver and a cheap radio. The authors' work was motivated by curiosity and was not funded by anyone. We did not have access to the expensive equipment that might be found in signals intelligence agencies; even our outdated Tempest receiver is not much more complicated than a modified television set. In summary, our experiments demonstrate what kind of attacks are practical in 1998 for a creative amateur eavesdropper. We also developed some extremely cheap countermeasures.

2. Shortwave audio transmissions

If we want to plant a computer virus in a bank or certification service, where the virus will extract key material and transmit it to us via an improvised radio channel, then an important design criterion is the cost of the receiver. Complex equipment, such as phased antennas, can be used by intelligence agencies, but it has not yet become generally available. Therefore, the most natural solution for an amateur Tempest device was a radio receiver from a home tape recorder costing about $ 100.

In order to make the computer video monitor produce audio signals for our radio receiver, we had to design a screen that causes a video beam current that approximates the transmission of a radio signal. If the latter has a carrier frequency fc, then a sound tone with frequency ft can be represented as:

s(t) = Asin(2*pi*fc*t)[1-Bsin(2*pi*ft*t)]

The timing parameters of a digital video display system are primarily characterized by the pixel clock frequency fp, which is the reciprocal of the time it takes for the electron beam in the DVT to travel from the center of one pixel to the center of its right neighbor. The pixel clock frequency is an integer multiple of the horizontal and vertical deflection frequencies, i.e. the speed fh = fp/xt, with which lines are drawn, and the speed fv = fp/yt,with which complete frames are arranged on the screen. Here xt and yt are the total width and height of the pixel field we are dealing with if the electron beam does not need time to jump to the beginning of a line or frame. However, the image displayed on the screen is only xd pixels wide and yd pixels high, since the time remaining for the remaining (xtyt — xdуd) virtual pixels is used to return the electron beam to the opposite side of the screen.

The bookmark program can read these parameters directly from the video controller chip or find them in configuration files. For example, in the Linux workstation the authors worked with, a line like

ModeLine «1152х900» 95 1152 1152 1192 1472 900 900 931 939

in the X Window System server configuration file called /usr/lib/X11/XF86Config means that the system uses the following parameters: fp = 0.95 MHz, хd = 1152, уd = 900, xt = 1472, and yt = 939.

From which it is established that the deflection frequencies fh = 64.5 kHz and fv = 68.7 Hz.

If we set t = 0 — this is the moment in time when the beam is at the center of the upper left corner pixel (x = 0 ,y = 0), then the electron beam will be at the center of the pixel (x, y) at the moment in time

t = (x/fp ) + (y/fh ) + (n/fv)

for all 0 <= x< xd, 0 <= y < yd, n belongs to the set N. Using this formula with frame counter n = 0, we can now calculate the time t for each pixel (x, y) and

set this pixel to an 8-bit value [128 +.s(t)] on a gray scale with amplitudes A = 64 and B = 1. Figure 1 shows the screen images generated in this way for the transmission of audio tones using the amplitude modulation (AM) method.

Figure 1. Examples of screens causing the monitor to emit tones ft = 300 Hz (left) and 1200 Hz (right) at a carrier frequency fc = 2.0 MHz with amplitude modulation.

In principle, there is no need to fill the entire screen with this pattern, but the energy of the transmitted signal is proportional to the number of pixels that illuminate it. Ideally, both fc and ft should be integer multiples of the frequency fv to avoid phase jumps when moving from one frame to another.

We had no problem receiving the test tune broadcast by our PC with a cheap portable radio. The system worked everywhere in our lab and in adjacent rooms, while reception at longer distances was good only when the receiving antenna was close to the power lines.

As far as the wavelengths involved are concerned, the power lines spread more RF energy than the parasitic antennas in the PC do.

We think that if we connected the radio via a suitable RF bridge directly to the right phase of the power supply network, we would be able to receive the signal from neighboring buildings. In addition, our simple radio receiver only had a regular non-adjustable dipole antenna, so with a more serious antenna we can expect quite acceptable registration at a distance of several hundred meters.

For this type of attack, the best radio band seems to be the shortwave radio band in the range of 1-30 MHz. The reception level depends significantly on how noisy the radio spectrum is near the carrier frequency fc, so it should be chosen away from radio broadcasting stations.

In a typical low-cost attack, the eavesdropper places a radio and tape recorder near the target and implants a bug in the computer using standard virus or Trojan horse techniques. Because the patterns emitted are visible to the eye, the attack must be carried out outside of normal business hours. Many PCs are not turned off overnight, a common practice thanks to the proliferation of modern energy-efficient operating technologies.

A bookmark program for transmitting information can use a tone frequency shift, when 0 and 1 are represented by pictures like those shown in Fig. 1. They are loaded into two video buffers that are switched at the frame rate fc. The bit signal itself, before being used to control the change of transmitted tones, is pre-coded to ensure correction of possible errors.

In our cheap interception equipment, the contents of the tape cassette containing the recorded transmission are then transferred to a PC and digitized using a sound card. The final steps — character recognition, synchronization, and decoding — are described in any textbook on digital communications [19]. The typical transmission rate for this situation is low — about 50 bits per second, so the bug must be able to select the information to be transmitted. Obvious targets are password files, key material, and documents selected by a text search on the hard drive.

3. A Receiver for Intercepting a Video Display

Further experiments were carried out with the ESL model 400 Tempest monitoring receiver from DataSafe Ltd. (Cheltenham, England), see Fig. 2. This device is not intended for solving radio reconnaissance tasks; it was created in the late 1980s as a test and demonstration tool for working with video display technologies of that period [9].

At its core, this is a regular black-and-white TV with a few modifications, the most important of which is that the clock recovery circuits have been replaced by two manually adjustable oscillators. The horizontal or line frequency can be selected from 10-20 kHz with near-millihertz resolution, and the vertical or frame frequency can be selected from 40.0-99.9 Hz with 0.1 Hz resolution.

Unlike a regular TV, this unit can easily be tuned to four bands in the 20-20 kHz range. 860 MHz, and its sensitivity varies from 60 µV at 20 MHz to 5 µV at 860 MHz.

Figure 2.DataSafe/ESL Model 400 — Tempest Monitor

With the 4-meter collapsible dipole antenna, we obtained the best picture quality in the 100-200 MHz range. This antenna is far from optimal; experiments with a borrowed logarithmic spiral cone antenna rated for 200-2000 MHz gave much better results even at 140-200 MHz. It seems that this more expensive antenna is better suited to the elliptically polarized emissions from a typical video monitor.

The monitor used in our experiments is a regular 43cm Super-VGA PC monitor with a 160MHz video bandwidth, meeting the low-emission requirements of MPR II.

The emission requirements of the MPR and TSO standards only specify measurements in ranges up to 400 kHz. The fields emitted in these bands are generated mainly by the deflection coils and do not carry significant information about the screen content. The emissions associated with the screen content are mainly at frequencies much higher than 30 MHz, in the VHF and UHF ranges (if we do not take into account the pathological images transmitted in the previously described experiment of the previous section).

The MPR and TCO standards, introduced for health purposes, do not require shielding of the UHF and VHF bands, and are essentially irrelevant to the Tempest problems. Do not think that so-called low-emission monitors or even liquid crystal displays provide any protection. We have found that some modern laptops with TFT-LCD displays give a clearer signal on reception than many cathode ray tubes.

Our PC monitor, with its 64 kHz line frequency and 95 MHz pixel frequency, was far beyond the range of the displays for which the ESL400 was designed. We had to set the horizontal sync generator to 16.1 kHz, i.e. one quarter of the actual frequency of the PC. As a result, the screen content on the receiver monitor was displayed in four columns; since successive pixels of the lines were now broken down modulo 4, the characters of ordinary text, although visible, became unreadable.

4. Hiding Information in Jitter Patterns

We noticed that our Tempest receiver primarily highlights the high-frequency portion of the video signal. The strongest useful spectral components are found at frequencies close to the pixel frequency and its harmonics. However, monitor technology has changed dramatically in the last decade. The terminals of the early 1980s, studied by Van Eck [2], switched the electron beam on and off for each individual pixel. This improved the picture quality of the narrow-band CRTs of that time, since all the pixels in a row looked the same. Without this pixel pulsing, the pixels in the middle of a horizontal row appeared brighter than those at the edges, since the early electronics switched slowly between the rise and fall of the voltage.

Modern displays have much wider video bandwidths and therefore do not need to pulse pixels. Consequently, all that an eavesdropper can receive from a horizontal line of a modern monitor is two short pulses emitted when the beam is switched on at the left end and off at the right. In effect, the Tempest signal is roughly the amplitude of the derivative of the video signal. With text this is usually not a problem, since characters (in most languages) are identified by their vertical components; but it is a problem with screen images such as photographs, which cannot be easily reconstructed from sharp vertical edges alone.

The human eye is less sensitive to high than to low frequencies. «Dithering» is a technique that exploits this property of the eye to enhance color gradations on displays with small color tables. On modern high-resolution monitors, a user cannot easily distinguish a mid-gray color from a checkerboard pattern of black and white pixels, especially when the distance between pixels is smaller than the focal diameter of the electron beam. To an eavesdropper, on the other hand, a high-frequency black and white pattern produces the strongest possible signal, while a constant color produces the weakest signal.

We can use this difference in the spectral sensitivity of the user and the interceptor so that they see different information. Figure 3 shows: on the left — the test signal on the monitor of the authors' workstation; on the right — the screen obtained on the Tempest receiver.

Figure 3.Test image on the computer monitor (left) and the intercepted signal (right). Three copies on the interceptor monitor — the result of a lower vertical deflection frequency (16.1 kHz instead of 64 kHz, the fourth copy is lost in the beam rollback process).

The test picture has one rectangular and several triangular markers on the left side, drawn in a trembling pattern of vertical black and white lines. These markers help to trace other properties of the picture, and even with our simple dipole antenna they are very clearly visible on the receiver monitor, even from other rooms at a distance of over 20 meters.

To the right of each marker is a band of color that appears uniform on a computer monitor. These bands, following the seven triangles, were drawn in uniform colors (dark red, dark green, dark blue, yellow, pink, light blue, and gray) from the left edge and gradually shaded in trembling patterns to the right (red/black, green/black, blue/black, yellow/black, pink/black, light blue/black, white/black).

The three stripes below (on the Tempest receiver these are the upper stripes) are again yellow, pink and blue at the left edge, but this time the jitter pattern produces a phase shift between the primaries, so that the pattern becomes red/green, red/blue and blue/green at the right edge. Between the left and right edges of the stripes the amplitude of the jitter pattern increases linearly. This test pattern allows you to see at a glance which of the three electron guns produces a usable Tempest signal and starting from what threshold. (One observation: signals generated by identical video input voltages for the three primary colors — red, green and blue — show different Tempest amplitudes.)

A striking application of the eavesdropper's sensitivity to jitter amplitudes is given in the color bar to the right of the eleventh triangle. While the computer monitor clearly displays «Oxford» in large letters here, the eavesdropper sees «Cambridge» on his screen instead. Figure 4 shows an increase in the pixel field around the letters «Ox» emitting as «Ca». While «Oxford» is drawn in pink instead of gray by simply turning off the green component, «Cambridge» is inserted into the picture by increasing the jitter amplitude.

The change in the flicker amplitude must be smoothed out so as not to excite the very sensitive detectors in the retina of the human eye. In order for the change to be invisible, several physical effects of monitors must be taken into account. The value of the color component selected by the display program is usually linearly mapped to the video input voltage fed to the monitor. But the relationship between the video voltage V and the luminosity L of the screen is nonlinear and can be approximated as L = constVy, where y is a hardware-dependent exponent, typically having a value in the range of 1.5-3, depending on the design of the cathode ray tube. The programmer should remember that the total luminosity of two color trembling patterns depends on the arithmetic mean of their luminosities, not on the voltages.

Figure 4.Enlargement of the screen fragment where the user reads «Oh», while on the interceptor's screen the same section reads «Ca».

The final calculations are known to TV and computer graphics experts as «gamma correction». The text that the interceptor sees is a gamma-corrected amplitude modulation of the background pattern, and the actual message to the user is simply a low-frequency signal.

In cases where the transmitted image must be very difficult to see, the flicker parameters must be manually calibrated for a specific monitor. Such calibration depends not only on the monitor type, but also on the brightness, contrast, and other parameters that the user can change. Therefore, a cautious spy will try to hide readable text not in uniformly colored areas, but in structure-rich screen content, such as background photos or animations displayed by screen saver programs. Such programs, like any other software with display access is part of the «trusted» computing base unless there is effective physical shielding.

5. Broadband Transmissions

Our method of modulating jitter amplitudes for large readable characters was developed as a means of transmitting hidden information easily and cheaply. A professional spy would most likely choose a method that affects only a small area of ​​the screen image and would be optimized for maximum reliability with sophisticated equipment. In this section, we will give a rough sketch of what such a system might look like.

Receiving monitor emissions with a modified TV requires either precise knowledge of the horizontal and vertical deflection frequencies or a strong enough signal to manually adjust the sync generators. At large distances and low signal levels, the emitted information can only be separated from noise by averaging the periodic signal over a certain period of time, and manual synchronization adjustment is quite complex.

In a professional attack, a technique called smeared spectrum can be used to overcome signal jamming. The bug will jitter one or more colors across several lines of the screen image using a pseudo-random bit sequence (PRBS). A «Trojan horse» program, for example, could embed such jitter into a window's menu bar. A cross-correlator in the receiver receives one input from the antenna and searches its other inputs for the same pseudo-random bit sequence, output at the monitor's assumed pixel frequency. The cross-correlator will generate an output peak that gives the phase difference between the receiver and the target. A phase-locked loop can then control the receiver's oscillator in such a way that stable, long-term averaging of the screen content becomes possible. Information can be transmitted by inverting the PSB, depending on whether a 0 or a 1 bit is to be transmitted. Readers familiar with the technique of direct modulation of the spread spectrum will be familiar with such ideas, and many other technologies from this area of ​​communications can be applied in this situation.

If the SBP, encoded as a series of black and white pixels, is too different from the typically gray menu toolbar that the user is accustomed to, then phase modulation can be used instead. The amplitude of the flickering pattern can be varied gradually for several pixels near the phase jumps to avoid visible brightness changes on the menu bar. It is also possible to use only a small number of lines — perhaps just one unused line at the top of the bar (or even beyond the visible edge of the screen).

The advantages of the smeared spectrum technique are as follows:

— only the pixel clock and (possibly) the carrier frequency need to be selected. This ensures fast phase locking and fully automatic operation;
— higher reception levels can be achieved, since noise is suppressed by cross-correlation and averaging;
— higher data rates can be achieved, and the task of automatically decoding received data is simplified.

An interesting commercial application of this technology could be monitoring the use of licensed software. Most licenses allow the product to be used on only one computer at a time, but this condition is often violated. We have proposed that proprietary software include in the screen image several lines with a PSBP signal encoding the serial number of the license plus some random value [20]. Just as vans with a «TV detector» are used in countries with mandatory licensing of TV receivers (notably in Britain) to detect unlicensed TVs by their emissions, so vans with a «software detector» could be used to patrol business districts and other places where software piracy is suspected. If a van receives twenty signals from the same copy of Word from a company that has licenses for only five copies, there is reason to open an investigation.

The random value encoded in the PSB helps to distinguish echo signals of messages received from different computers. Finally, if the PSB were issued by the operating system, it would be possible to broadcast the identifiers and license numbers of all currently active programs.

6. New security measure: Tempest fonts

As we noted earlier, only the high-frequency components of the video signal are accessible to the interceptor. On the left in Figure 5 is a test image that helps determine which part of the image spectrum actually generates the Tempest signal. This kind of «zone» image is used by TV specialists and is generated based on the function cos(x2+y2), when the origin of the coordinate system is located in the center of the screen. At each point of this test signal, the local spectrum has a single peak in horizontal and vertical frequency, proportional to the horizontal and vertical coordinates of this point. This frequency peak reaches the Nyquist frequency//2 for points on the boundary of the «zone picture».

Figure 5. The test signal of the «zone picture» (left) and the intercepted signal (right).

On the right in Fig. 5 is the Tempest signal intercepted from a monitor with a «zone picture» (for this and other experiments described in this section, we placed the antenna as close to the monitor as possible to achieve the best reception conditions). As expected, only the horizontal frequency of the signal determines what is received. What is more interesting is that only the outer 30% of the «zone picture» appear dark on the receiver monitor screen. This means that if we look at the Fourier transform of the horizontal pixel frequency, it turns out that our setup can only receive information represented in the Fourier spectrum by frequencies from the range 0.7*fp/2

We wondered if this could be used to create a potentially very cheap, software-based anti-eavesdropping technique. Figure 6 on the left shows a zoomed-in pixel field displaying some text. On the right is the same pixel field after we have removed the top 30% of the Fourier transform of the signal by convolving it with a suitable sin(x)/x low-pass filter.

The filtered text looks rather blurry and unpleasant in this zoomed-in picture, but surprisingly, the loss in text quality is almost imperceptible to the user on the computer screen. The limited focus of the electron beam, the limited resolution of the eye, and the effects of the mask and the monitor electronics all filter this signal.

Figure 6. On the left is enlarged text in normal font, on the right is filtered text with the upper 30% of the horizontal frequency spectrum removed.

Although the visible changes to the user are minor, text filtering causes the effect of completely removing previously easily received information from the Tempest monitor, even if the antenna is positioned close to the video display.

Text hijacking is just one type of Tempest threat associated with personal computers. However, we consider it the most serious threat. Typically, the video display is the strongest source of radiation, and due to its periodic nature, the video signal is easily distinguished from others by periodic averaging.

We found two more potential sources of periodic signals in each PC, both of which can be fixed with cheap software or minor design changes.

First, the keyboard controllers perform an infinite key matrix scan loop, where a sequence of instructions is executed based on the key currently pressed. A short random wait routine within this loop can prevent the periodic averaging performed by the eavesdropper.

Second, many disk drives read the last processed track continuously until the next disk access is made. Since an attacker may attempt to reconstruct this track by periodic averaging, we propose that after accessing sensitive data, the disk head be moved to the track with unsensitive data until the next read request.

Our work shows that the developed technique «Software Tempest», and in particular Tempest fonts, can significantly increase security at very low cost. There are many applications where they will be quite sufficient: in medium-security applications, many government agencies use a «zone scheme», when computers with classified data are not shielded, but are located in rooms located far from areas of possible access. Here, the 10-20 dB of protection provided by the Tempest font plays a very important role. There are also applications where Tempest fonts are just an additional option in situations where a country has to unexpectedly buy large quantities of ordinary commercial computers and use them in some serious operation like «Desert Storm». Finally, in applications such as diplomacy, which require the highest level of protection, users may install Tempest software alongside Tempest hardware: hardware shielding often fails due to dirty gaskets or organizational problems, such as ambassadors refusing to keep doors closed in hot weather.

7. Conclusions

Compromising emissions remain an interesting area of ​​research, although they are largely unexplored in the scientific literature. The high cost of physical shielding and the ever-increasing clock speeds of modern computers ensure that this problem will not be overcome quickly. At the same time, the emergence of powerful software radio receivers on the amateur market can only worsen the situation.

However, we have shown that Tempest is not only a study of radio frequencies. Software methods can significantly change the picture: they can be used for new attacks, design new means of protection, and invent entirely new applications. We believe that our technology, «Software Tempest», can significantly advance this area of ​​research.

Bibliography

1. Kristian Beckman: Lakande Datorer. (Quoted in [3])

2. Wim van Eck: Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? Computers & Security 4 (1985) 269-286

3. Harold Joseph Highland: Electromagnetic Radiation Revisited. Computers & Security 5 (1986) 85-93 and 181-184.

4. Peter Smulders: The Threat of Information Theft by Reception of Electromagnetic Radiation from RS-232 Cables. Computers & Security 9 (1990) 53-58

5. Erhard Moller, Lutz Bernstein, Ferdinand Kolberg: Schutzmassnahmen gegen kompromittierende elektromagnetische Emissionen von Bildschirmsichtgeraten. Labor fur Nachrichtentechnik, Fachhochschule Aachen, Aachen, Germany

6. Deborah Russell, G T. Gangemi Sr.: Computer Security Basics. Chapter 10: TEMPEST, O’Reilly & Associates, 1991, ISBN 0-937175-7M

7. Peter Wright: Spycatcher — The Candid Autobiography of a Senior Intelligence Officer. William Heinemann Australia, 1987, ISBN 0-85561-098-0

8. Ernst Bovenlander, invited talk on smartcard security, Eurocrypt 97

9. Operating Manual for DataSafe/ESL Model 400B/400B 1 Emission Monitors. DataSafe Limited, 33 King Street, Cheltenham, Goucestershire GL50 4AU, United Kingdom, June 1991

10. Lars Heivik: System for Protecting Digital Equipment Against Remote Access. United States Patent 5165098, November 17, 1992

11. John H. Dunlavy: System for Preventing Remote Detection of Computer Data from TEMPEST Signal Emissions. United States Patent 5297201, March 22, 1994

12. Joachim Opfer, Reinhart Engelbart: Verfahren zum Nachweis von verzerrten und stark gestorten Digitalsignalen und Schaltungsanordnung zur Durchfuhrung des Verfahrens. German Patent DE 4301701 Cl, Deutsches Patentamt, May 5,1994

13. Wolfgang Bitzer, Joachim Opfer: Schaltungsanordnung zum Messen der Korrelationsfunktion zwischen zwei vorgegebenen Signalen. German Patent DE 3911155 C2, Deutsches Patentamt, November 11,1993

14. Electromagnetic Pulse (EMP) and Tempest Protection for Facilities. Engineer Pamphlet EP 1110-3-2,469 pages, U.S. Army Corps of Engineers, Publications Depot, Hyattsville, December 31, 1990

15. Uberkoppein auf Leitungen, Faltblatter des BSI 4, German Information Security Agency, Bonn, 1997.

16. Schutzmassnahmen gegen Lauschangrifie, Faltblatter des BSI 5, German Information Security Agency, Bonn, 1997.

17. Blosstellende Abstrahlung, Faltblatter des BSI 12, German Information Security Agency, Bonn, 1996.

18. RJ Lackey, DW Upmal, Speakeasy: The Military Software Radio. IEEE

Communications Magazine v 33 no 5 (May 95) pp 56-61 19. John G. Proakis: Digital Communications, 3rd ed., McGraw-Hill, New York, 1995,

ISBN 0-07-051726-6 20. Ross J Anderson, Markus G Kuhn, Software Piracy Detector Sensing Electromagnetic Computer Emanations. UK Patent application no GB 9722799.5 28th November 1997