Van Eck phreaking, also known as Van Eck radiation, is a form of network eavesdropping in which special equipment is used for a side-channel attack on the electromagnetic emissions of electronic devices. While electromagnetic emissions are present in keyboards, printers, and other electronic devices, the most notable use of Van Eck phreaking is in reproducing the contents of a cathode-ray tube (CRT) display at a distance.
Information that drives a CRT video display takes the form of electrical signals in the RF range. The electric signal which drives the electron beam is amplified to up to around one hundred volts from TTL circuitry. The signal leaks out from displays and may be captured by an antenna, and once synchronization pulses are recreated and mixed in, an ordinary analog television receiver can display the result. These emissions are correlated to the video image being displayed, so, in theory, they can be used to recover the displayed image.
While the phenomenon had been known by the United States Government and Bell Labs as early as the Second World War, the process received its name after Wim van Eck published the first unclassified technical analysis of the security risks of emanations from computer monitors in 1985. While phreaking is the process of exploiting telephone networks, the term is used here because of its connection to eavesdropping.
Government researchers were already aware of the danger, as Bell Labs had noted this vulnerability to secure teleprinter communications during World War II and was able to produce 75% of the plaintext being processed in a secure facility from a distance of 80 feet (24 metres).[1] Additionally, the NSA published Tempest Fundamentals, NSA-82-89, NACSIM 5000, National Security Agency (Classified) on February 1, 1982. Also, the van Eck technique was successfully demonstrated to non-TEMPEST personnel in Korea during the Korean War in the 1950s.
In 1985, Wim van Eck published the first unclassified technical analysis of the security risks of emanations from computer monitors.[2][3] This paper caused some consternation in the security community, which had previously believed that such monitoring was a highly sophisticated attack available only to governments; van Eck successfully eavesdropped on a real system, at a range of hundreds of metres, using just $15 worth of equipment plus a television set.
In the paper, Van Eck reports that in February 1985, a successful test of this concept was carried out with the cooperation of the BBC. Using a van filled with electronic equipment and equipped with a VHF antenna array, they were able to eavesdrop from a "large distance". There is no evidence that the BBC's TV detector vans used this technology, although the BBC will not reveal whether or not they are a hoax.[4]
Van Eck phreaking and protecting a CRT display from it were demonstrated on an episode of Tech TV's The Screen Savers on December 18, 2003.[5][6]
Information that drives the video display takes the form of high-frequency electrical signals. The oscillation of these electric currents creates electromagnetic radiation in the RF range. These radio emissions are correlated to the video image being displayed, so, in theory, they can be used to recover the displayed image.
In a CRT, the image is generated by an electron beam that sweeps back and forth across the screen. The electron beam excites the phosphor coating on the glass and causes it to glow. The strength of the beam determines the brightness of individual pixels (see Cathode-ray tube for a detailed description). The electric signal that drives the electron beam is amplified to up to around one hundred volts from TTL circuitry. This high-frequency, high-voltage signal creates electromagnetic radiation that has, according to Van Eck, "a remarkable resemblance to a broadcast TV signal".[3] The signal leaks out from displays and may be captured by an antenna, and once synchronization pulses are recreated and mixed in, an ordinary analog television receiver can display the result. The synchronization pulses can be recreated either through manual adjustment or by processing the signals emitted by electromagnetic coils as they deflect the CRT's electron beam back and forth.[3]
In January 2015, the Airhopper project from Georgia Institute of Technology, United States demonstrated (at Ben Gurion University, Israel) the use of Van Eck Phreaking to enable a keylogger to communicate, through video signal manipulation, keys pressed on the keyboard of a standard PC, to a program running on an Android cellphone with an earbud radio antenna.[7][8][9]
A tailored access battery is a special laptop battery with Van Eck Phreaking electronics and power-side band encryption cracking electronics built into its casing, in combination with a remote transceiver. This allows for quick installation and removal of a spying device by simply swapping the battery.[10]
Van Eck phreaking might be used to compromise the secrecy of the votes in an election using electronic voting. This caused the Dutch government to ban the use of NewVote computer voting machines manufactured by SDU in the 2006 national elections, under the belief that ballot information might not be kept secret.[11][12] In a 2009 test of electronic voting systems in Brazil, Van Eck phreaking was used to successfully compromise ballot secrecy as a proof of concept.[13]
In April 2004, academic research revealed that flat panel and laptop displays are also vulnerable to electromagnetic eavesdropping. The required equipment for espionage was constructed in a university lab for less than US$2000.[14]
Markus Kuhn has discovered several low-cost techniques for reducing the chances that emanations from computer displays can be monitored remotely.[15] With CRT displays and analog video cables, filtering out high-frequency components from fonts before rendering them on a computer screen will attenuate the energy at which text characters are broadcast. With modern flat panel displays, the high-speed digital serial interface (DVI) cables from the graphics controller are a main source of compromising emanations. Adding random noise to the least significant bits of pixel values may render the emanations from flat-panel displays unintelligible to eavesdroppers but is not a secure method. Since DVI uses a certain bit code scheme that tries to transport a balanced signal of 0 bits and 1 bits, there may not be much difference between two pixel colors that differ very much in their color or intensity. The emanations can differ drastically even if only the last bit of a pixel's color is changed. The signal received by the eavesdropper also depends on the frequency where the emanations are detected. The signal can be received on many frequencies at once and each frequency's signal differs in contrast and brightness related to a certain color on the screen. Usually, the technique of smothering the RED signal with noise is not effective unless the power of the noise is sufficient to drive the eavesdropper's receiver into saturation, thus overwhelming the receiver input.
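The effect of the DVI bit code on the wire pattern can be checked directly. The following is an added example, not part of the original article: it implements the video-data encoder of TMDS, the 8-bit to 10-bit balanced code that DVI uses, and measures how many of the ten transmitted bits change when only the least significant bit of a pixel byte changes. The function names are this example's own, and the count of differing wire bits is used only as a rough stand-in for how different the emitted waveform is.

```python
def popcount(x):
    return bin(x).count("1")

def tmds_encode(d, cnt):
    """Encode one 8-bit pixel byte; return (10-bit symbol, new running disparity)."""
    # Stage 1: transition minimisation. Chain the bits with XOR or XNOR,
    # whichever yields fewer transitions for this byte.
    use_xnor = popcount(d) > 4 or (popcount(d) == 4 and (d & 1) == 0)
    q_m = d & 1
    for i in range(1, 8):
        bit = ((q_m >> (i - 1)) & 1) ^ ((d >> i) & 1)
        if use_xnor:
            bit ^= 1
        q_m |= bit << i
    q8 = 0 if use_xnor else 1          # bit 8 records which chaining was used
    n1 = popcount(q_m)
    n0 = 8 - n1
    # Stage 2: DC balance. Optionally invert the data bits so the running
    # disparity (ones minus zeros sent so far) is steered back toward zero.
    if cnt == 0 or n1 == n0:
        invert = (q8 == 0)
        cnt += (n0 - n1) if q8 == 0 else (n1 - n0)
    elif (cnt > 0 and n1 > n0) or (cnt < 0 and n0 > n1):
        invert = True
        cnt += 2 * q8 + (n0 - n1)
    else:
        invert = False
        cnt += -2 * (1 - q8) + (n1 - n0)
    data = (q_m ^ 0xFF) if invert else q_m
    return (int(invert) << 9) | (q8 << 8) | data, cnt

def lsb_flip_distance(value, cnt=0):
    """Wire bits that differ when only the pixel byte's LSB changes."""
    a, _ = tmds_encode(value & 0xFE, cnt)
    b, _ = tmds_encode(value | 0x01, cnt)
    return popcount(a ^ b)

def encode_stream(pixels):
    """Encode a sequence of pixel bytes, carrying the disparity along."""
    cnt, symbols = 0, []
    for p in pixels:
        sym, cnt = tmds_encode(p, cnt)
        symbols.append(sym)
    return symbols, cnt

if __name__ == "__main__":
    for v in (0x00, 0x10, 0x80, 0xFE):   # constructed sample pixel values
        print(f"{v:#04x} vs {v | 1:#04x}: "
              f"{lsb_flip_distance(v)} of 10 wire bits differ")
```

Because the encoder also depends on the running disparity left by earlier pixels, the same pixel value can appear on the wire as two different symbols depending on what preceded it.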