A good example of what I’m going to talk about is TempestSDR. This is a tool which can decode certain types of video signals from a distance location. It uses energy in the radio frequency spectrum to this.
If you search the Internet you’re going to be hard pressed to find anything impressive out there. The reason why is it is a big secret. The images you do find out there showing you what something like TempestSDR can do are way off the mark.
The capability has exceeded what has been known for decades. It is now possible to decode up to distance of 100 meters. It could be further. I can only speak from personal experience having it done to me.
I’ve created some tools to help. How effective the tools are dependent on how technological the adversary is. If they have plenty of money to blow, they could even decode your signal from space using a satellite.
You can find a few of my tools here:
- km4kfl/HDCPEnabler: Enables HDCP on Windows machines. (github.com)
- km4kfl/RandomPixelScreen: A counter tool against HDCP exploits by covering up portions of a static screen. (github.com)
- km4kfl/WindowShake: An adversarial counter for HDCP cipher stream unmasking or TempestSDR. (github.com)
There are a few things out there in the industry such as embedded DisplayPort, DisplayPort, HDMI, and LVDS (more generic term). These interfaces all work by clocking data out using square waves.
The signal that is emitted is weak but as technology advances the capability to pick up this weak signal increases. The distance at which an adversary can do so also increases.
There are a few reasons for this increase in capability. There are receiver systems with lower noise floors than ever before. Also, the capability to do digital beamforming increases the ability for the adversary to home in on your signals and reject other signals.
Weaknesses also exist in protocols like HDCP which encrypt the stream. There are problems here such as the possibility an adversary could use the power of a super-computer to make brute forcing AES easier. They can determine portions of your screen that have known content and use that to reveal the AES XOR stream for HDCP making cracking the session key easier.
With the race to space in full motion you now have more people with access to satellite technology. This is no longer restricted to the highest bidder such as governments and large industries. With satellite access the ability to zoom down onto your house and your video signal is not only possible but also as said before easier than ever before due to technology advances.
There are some things that could help such as stronger encryption and encryption that isn’t weak to static or known screen content. For example, this involves using a different AES mode than CTR or increasing the key to 256-bits.
You also have to be aware than the older version of HDCP, prior to 2.x, used a much weaker key negotiation protocol. An adversary now days can see the bit level transitions and capture key negotiations. These older HDCP protocols are even weaker. The newer protocols use a public key but as I’ve overheard even these can be too weak especially with cases of 1024-bit keys being used.
There are things you can do such as running the software provided above. In most cases, this will eliminate a curious neighbor. It won’t stop more well-funded organizations and people.
You can also place multiple screens or monitors in close proximity and have them all run the same resolution, same cabling, and same interface. This helps to mix the signals together leaving the adversary to beamform to increase the signal to noise ratio. Yet, with sufficient directivity such as with large dishes that can be steered or electronic arrays the ability to discern enough SNR between your devices can make it possible to still see your screen.
The reason you don’t hear about this is because it’s a secret. All the people involved don’t want it to get out too quickly. They want this to stay possible for as long as possible. However, as time goes on the news will come out and eventually changes will come about.
From what I can tell most people think technology like this doesn’t exist. It is too far-fetched. It is the stuff of science fiction. I urge you to simply see for yourself with TempestSDR and then imagine what state of the art technology could do with the proper antenna setup.
This type of attack on an information system isn’t limited to laptops and desktops. It is also possible to see phone screens, tablets, and any type of scanning display with a fixed frame format. By fixed frame I mean the timing between frames is constant and the stream order of pixels is constant.
However, interfaces such as DisplayPort are still vulnerable. I’ve heard this is possible too because even though the interface is packet based the pixels are always streamed in the same order and because of the refresh rate usually being constant the adversary can still use the technique of averaging to deduce more accurate bit transitions over time.
That is another point I want to bring up. The term SNR refers to the amount of signal versus the amount of noise. The bigger the signal the higher the SNR. The lower the noise the higher the SNR. With fixed frame interfaces it is possible to use averaging which is where the attacker will capture multiple video frames and average them helping to reveal pixels that stay constant.
The lower the SNR the more averaging is required and for the attacker the more motion blur is created. If the SNR is low enough the attacker won’t see anything, or the content will have changed by the time they could get enough of an average. This concept is important to some of the tools I have created because they cause the content on the screen to move or cover up static content.
However, if the attacker has a high enough SNR they could get frame by frame decoding making motion techniques inadequate. In cases like this you’re only defense is to increase the noise by moving other electronic equipment into close proximity or putting shielding between you and the attacker.
I hope this page was helpful for you to understand the danger to your privacy in today’s world. I also hope it was helpful to shed some light on the fact that all devices are vulnerable not just laptops or desktops. I also hope you might find the tools useful especially HDCPEnabler – even though it might not have the needed strength it can most certainly stop an attacker from ever getting started.