Security Risk: Detection of Compromising Emanations Radiated or Conducted by Display Units

Abstract

In this paper we propose a method of detecting the propagation frequencies of compromising emanations in order to evaluate the risk of eavesdropping the display units. By modulating the video signal with an audio file, we have been able to detect the compromising emanations on the frequencies where the audition occurred. The level of those emanations is an important issue in the process of evaluating the security risk. The higher the level, the higher is the probability of detection and reconstruction of displayed information.

1 Introduction

In our days, the effort of protecting sensitive information is a critical one. Any form of security incident that involves protected information has a negative impact on the organization that relies on them. Therefore, a series of protective measures, technical and procedural, are needed in order to ensure information security.

One of those measures is known as Emission Security (EMSEC) or Transient Electromagnetic Pulse Emanation Standard (TEMPEST), which represents a set of technical, organizational and procedural measures applied for analysis, investigation and decrease of compromising emissions generated by electronic or electromagnetic equipment processing information, with the purpose of preventing the processed information recovery. Possible sources of compromising emanations can be, but not limited to: power supplies, power amplifiers, microprocessors, internal circuits and wires, keyboards, printers, modems, scanners and display units. This technique had been introduced in early 60 s [1, 2] and has been developed ever since as newer devices appeared on the market. In [3, 4] a number of security limits for compromising emanations have been highlighted for different existing public standards and devices and types of attack. Numerous testbeds and methodologies had been developed [5, 6] to evaluate the electromagnetic leakage emanations in different setups and for critical systems, sensitive to electromagnetic threats [7,8,9, 14]. It has been shown [1, 5, 10, 11] that display units like LCD, LED and old CRT monitors are ones of the most susceptible to eavesdropping due to their mode of operation. Compromising emanations can be processed by averaging since the video signal is periodic with the frame rate, leading to a processing gain of [2]

$$ G_{P} = 10\log_{10} \left( N \right). $$

(1)

where N is the number of averages, and N ≥ 2.

2 Compromising Emanation Generation

In this chapter we present the evaluation method, that implies generation of a video *.avi file, that will be repeatedly played and displayed on a LCD monitor. The video file is bearing audio information, encoded in form of horizontal lines, displayed by the frame rate setting of the LCD. Each frame has a number of horizontal lines which represent 256 bit grayscale coded audio samples. Thus, the compromising emanation will be found in radiofrequency spectrum as an amplitude modulation. Then, by AM demodulating, one can recover the audio file encoded in as a video signal.

2.1 Audio File Parameters

The first step is importing an audio file, which has a number of samples N_a and a sampling rate F_s [Hz]. The duration of audio signal is

$$ D_{a} = N_{a} /F_{s} \,\,(s). $$

(2)

The samples will be grouped in clusters, corresponding to video display parameters.

2.2 Video Signal Parameters

The LCD has H_px horizontal pixels, V_px vertical pixels and S_r [Hz] screen refresh rate corresponding to the visible area. The duration of video signal represented by the *.avi file is equal to the duration of the audio file, namely

$$ D_{v} = N_{f} /S_{r} \,\,(s). $$

(3)

Where N_f represents the number of frames in the video file.

2.3 Compromising Emanation Encoding

Each video frame contains a number of M audio samples, determined by

$$ M = \frac{{N_{a} }}{{N_{f} }} = \frac{{F_{s} }}{{S_{r} }}. $$

(4)

Because LCD’s pixel frequency is larger than the audio file sampling rate by an order of magnitude of 4, the only way to make an image audible is to decrease the pixel frequency by displaying one audio sample on several horizontal video lines. The number of horizontal video lines used to display an audio sample is given by

$$ H_{l} = \frac{{V_{px} }}{M}. $$

(5)

where V_px is the number of video lines.

The final step is to convert the audio samples, represented by vector A into a raster-type video stream, represented by matrices, according to values above.

$$ A = [a_{1} \,a_{2} \,a_{3} \ldots a_{M} \ldots a_{{N_{a} - 1}} \,a_{{N_{a} }} ]. $$

(6)

The audio samples are 8-bit encoded in order to obtain 256 grayscale values in order to obtain a video frame, as follows

$$ Frame\,\# 1\quad \left[ {\begin{array}{*{20}l} {a_{1} \quad \ldots \quad a_{1} } \hfill \\ \ldots \hfill \\ {a_{M} \quad \ldots \quad a_{M} } \hfill \\ \end{array} } \right],\,\quad Frame\,\# 2\quad \left[ {\begin{array}{*{20}l} {a_{M + 1\,} \quad \ldots \quad a_{M + 1} } \hfill \\ \ldots \hfill \\ {a_{2M} \quad \ldots \quad a_{2M} } \hfill \\ \end{array} } \right],\quad Frame\,\,\# N_{f} \quad \left[ {\begin{array}{*{20}l} {a_{{N_{a} - M\,}} \quad \ldots \quad a_{{N_{a} - M\,}} } \hfill \\ \ldots \hfill \\ {a_{{N_{a} }} \quad \ldots \quad a_{{N_{a} }} } \hfill \\ \end{array} } \right]. $$

(7)

3 Method Validation and Information Recovery

In order to check the efficiency of the method, an experimental testbed has been built, consisting of:

• LCD monitor, as the equipment under test with screen resolution of 1024 by 768 pixels and a refresh rate of 60 Hz [15]

• Log-periodic antenna, for wideband reception

• Test receiver, with AM demodulation and intermediate frequency output

• Oscilloscope, connected to the IF output of the receiver, in order to visualize the waveform on the frequency where the compromising emanation is present

• Speakers, used for audio detection of compromising emanations during the frequency sweep performed by the test receiver.

The experimental setup block diagram is presented in Fig. 1. By sweeping the spectrum and using AF demodulation option on the test receiver, we were able to detect the frequencies where the compromising emanation was identified. The tests were performed under different conditions, using several LCDs at distances between 3 and 30 meters, in line of sight or obstructed by concrete walls.

Fig. 1.

The test setup used in the experiment. EUT represents different LCDs.

Next, to view the waveform and validate the method, we used the intermediate frequency output of the receiver connected to the scope input. We found that the waveforms visualized on the scope are correlated to the video frames displayed on the LCD, on those frequencies where the audition was possible.

The received frequency spectrum, presented in Fig. 2, contains several emissions, some of those being generated by the LCDs as spurious emissions. The compromising emanation of interest is marked in Fig. 2, at the frequency of 649.35 MHz.

Fig. 2.

Frequency spectrum. The marked frequency represents one detection.

Compromising emissions can be found on several frequencies, with different amplitude levels and audio quality. In this study the highest level and clearest audio recognition have been taken into consideration. On the other hand, different configurations of the testing scenario might lead to compromising emanations which are masked under the noise and interference, making it possible for the eavesdropper to recover information if he possesses a high quality receiver and strong signal processing capabilities.

One important parameter used for reducing the amount of received noise and increasing the frequency resolution is the resolution bandwidth, RBW. Thus the receiving sensitivity can be calculated as:

$$ R_{S} = - 174 + 10\log_{10} (RBW/Hz) + \left[ {NF} \right]_{dBm} + \left[ {SNR} \right]_{dBm} + \left[ {P_{att} } \right]_{dBm} \,\,\,\,\left( {dBm} \right). $$

(8)

where −174 is the thermal noise expressed in dBm, RBW is the bandpass filter of the receiver on the intermediate frequency path, NF is receiver noise figure, SNR is signal to noise ratio and P_att is the sum of antenna factor and cable loss, expressed in dB. By reducing RBW, the power of received noise decreases, compromising emanations can be separated from adjacent interferences making detection possible. Using a range of RBWs instead of a single one offers a higher confidence for our method.

The final step of validation is the visual correlation between displayed frames and received signal. To accomplish that we compared one video frame with corresponding waveform triggered on the oscilloscope. The amplitude and duration of each transition in oscilloscope waveform correspond with the intensity and thickness of displayed horizontal lines, as shown in Figs. 3 and 4.

Fig. 3.

Video frame displayed on the LCD. Audio samples are marked 1 to 10.

Fig. 4.

Oscilloscope waveform. Detected audio samples are marked 1 to 10.

4 Conclusions

The method presented in this paper can be considered a fast solution for detecting compromising emanations from display units like LCD, LED and CRT monitors, using even a low cost wideband AM receiver.

The main advantage of this method is that it can be used in sites, to verify the conformity of installation process with emission security regulations, where display units operate as a part of a system and can’t be moved or replaced by other display units. The disadvantage is that it is limited only to detection of compromising emanations and is not able to not measure their level, according to emission security regulations.

Information reconstruction by receiving and processing emissions generated by electronic equipment is a security risk and should be treated accordingly. The threat increases with the development of high performance Software Defined Radios that can be found on the market, which are becoming more affordable as the time passes.

Protective measures should be complex but also cost effective, starting with procedural measures which control operating conditions, software solutions like filtering displayed information and hardware measures like electromagnetic shielding and filtering [12, 13].