Fixxx
Moderator
- Joined
- Aug 21, 2024
- Messages
- 218
- Reaction score
- 728
- Points
- 93
Due to the efforts of researchers at the Republic University of Uruguay, we now have a much better understanding of how to reconstruct images from parasitic radio noise emitted by monitors. To be more precise, this noise comes from crosstalk during data transmission through HDMI interface connectors and cables. Using modern machine learning algorithms, Uruguayan researchers demonstrated how text displayed on an external monitor can be reconstructed from such radio noise.
Was it not possible before?
Of course, this is not the first attempt to attack through side channels with the goal of reconstructing images from parasitic emissions. The interception of radio noise from a display in a neighboring room, also known as a subtype of TEMPEST attack, was described in a study published in 1985. Even then, Dutch researcher Wim van Eck demonstrated that it was possible to intercept signals from a nearby monitor. The problem is that van Eck did this with a forty-year-old monitor, using a cathode ray tube and an analog data transmission method. Moreover, the intercepted image at that time was simple to analyze, with white letters on a black background and no graphics. In modern conditions, with the HDMI digital interface, intercepting and, more importantly, reconstructing the data is significantly more complex. But this is exactly what the Uruguayan scientists accomplished.
How is modern va-Eck interception carried out?
Data is transmitted to the monitor via the HDMI interface in digital form. The total volume of this data is enormous. Every second, a computer sends 60 or more frames to the monitor, with each frame containing millions of pixels of different colors. We can take a modified computer radio receiver and intercept the crosstalk that occurs during the transmission of this data stream. But can we extract useful information from this extremely weak noise?
*The general scheme of the new spying method proposed by Uruguayan scientists.
The authors named this attack Deep-TEMPEST, hinting at the use of deep learning machine learning technologies. The diagram clearly shows how noisy data is intercepted using the described method before processing: it's a discolored shadow of the original image, in which only the arrangement of the main elements can be guessed. In this experiment, it was a browser window with an open Wikipedia page. The navigation menu at the top and the image in the center of the screen can be distinguished. Reading the text or seeing the picture is utterly impossible.
*The intercepted image processed by Deep-TEMPEST.
Here is the result of the processing. The picture didn't improve; it's still difficult to discern its details. However, the text was reliably recognized in its entirety and even if the machine learning algorithm made a couple of mistakes in letters, it doesn't significantly affect the understanding of the final result. Look at another example:
*The result of the Deep-TEMPEST attack in detail.
At the top is the intercepted image. Some letters are distinguishable, but reading such text is practically impossible. At the bottom is the original image, a fragment of a screenshot. In the middle is the result of processing the intercepted image by the machine learning algorithm. In a couple of places, there are difficulties with recognizing adjacent letters, but overall, the text is quite easy to read.
How did the researchers achieve such results?
The main achievement of the Uruguayan scientists is that they developed their own method of data analysis. This was partly accomplished through a more efficient training process for the neural network that recognizes text from a rough image. If approached directly, training would require pairs of original screen screenshots and intercepted images using a radio receiver. Creating a sufficient number of such pairs for training (hundreds and thousands are needed) is a challenging task that can take a lot of time. The authors of the study took a slightly different path: by displaying an image on the screen and intercepting the signal, they obtained about half of the data for training, while the other half was simply generated. They wrote an algorithm that provides a reliable picture of the "intercepted" information based on the screenshot. This was enough for effective training of the machine learning algorithm.
The second important achievement of the researchers from the University of Uruguay is the use of a neural network that allows for high-quality results without significant costs. The test setup was created from relatively accessible tools for intercepting radio data and open-source software. We have already mentioned that an enormous volume of data is transmitted to modern monitors via the HDMI interface every second. When analyzing parasitic radio emissions from such transmission, there is theoretically a need to capture a wide radio frequency band - the larger of the frequency band, the better the result. Ideally, a high-class radio receiver capable of capturing a frequency band of up to 3200 megahertz is needed and such a device is quite expensive, around $25,000. However, the researchers conducted their studies with a USRP 200-mini receiver ($1500), which can analyze a much narrower frequency band of 56 megahertz. But the effectiveness of the neural network, trained to recognize such partial information, allowed compensating for the lack of original data.
The setup for conducting the Deep-TEMPEST attack. On the left is the targeted computer with its connected monitor.
The numbers indicate:
- Antenna,
- Radio signal filters and amplifier,
- Computer-controlled radio receiver,
- Laptop used for intercepting radio emissions and analyzing data.
Limited scope of application.
One of the characters in Neal Stephenson's novel "Cryptonomicon" realizes at one point that he is being watched via the van Eck method and begins to complicate the spie's lives: he changes the color of the letters and plays a video instead of using a solid background for the text. In general, the countermeasures described a quarter-century ago against TEMPEST-type attacks are still effective. It's enough to add noise to the image that the user will not even notice and interception will become completely impossible. Naturally, the question arises: is it worth the effort to protect against such specialized attacks? In the vast majority of cases, there is no need to fear practical applications of this attack - it's better to focus on protecting against real threats like malware.
However, if you are working with highly sensitive data that may attract the attention, it might be worth considering such attacks within the threat model.
Moreover, we should not dismiss this work simply because it describes interception from an external monitor. Yes, one can use a laptop, but the image on the built-in display is transmitted using roughly the same principles - only the transmission interface may differ slightly and the level of emissions will be somewhat lower. But this can be addressed by refining algorithms and upgrading equipment. So let us give credit to the Uruguayan researchers - they once again show us how complex the real world is beyond "software" and "operating systems".