Tempest attacks using a DVB-T stick

February 6, 2018
sdr infosec tut tempest

SDR

Wikipedia defines SDR as:

Software-defined radio (SDR) is a radio communication system where components that have been traditionally implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system.

An ideal SDR receiver consists of an antenna, an ADC (analog-to-digital converter) attached to that antenna, a DSP (digital signal processor) which reads the output of the converter, and software which processes that output according to the user's needs.

For a transmitter the process is the same, only in reverse: the DSP generates a stream of data which is sent to a DAC (digital-to-analog converter) connected to the antenna.

Receiver

Transmitter

Due to technical limitations, an ideal SDR is impossible to implement, which means that most receivers in practice have a mixer, a local oscillator and a signal filter, which together produce an intermediate frequency (IF) signal that is then converted into a digital signal.

SDR History

The concept of SDR dates back to the 70s, often mentioned in the context of US and European defense forces. Although the concepts were developed back in the 70s, it is believed that the first SDR was constructed in 1988 by Peter Hoeher and Helmuth Lang at the German Aerospace Research Establishment (DLR, formerly DFVLR).

One of the first public SDR initiatives was the US military project code named SpeakEasy, whose goal was to emulate 10 military radios ranging from 2 MHz to 2 GHz and to achieve communication between infantry, navy, air forces and satellites. A couple of years later, the revised SpeakEasy system became the Joint Tactical Radio System (JTRS), in use by the US military today.

Current use

SDR primarily finds its use in the military, as in the previously mentioned JTRS project. For amateur use there are commercial SDR solutions available, such as the Zeus ZS-1, HackRF One and the SoftRock SDR.

A cheaper alternative to SDR receivers is the DVB-T USB receiver, which uses Realtek's RTL2832U controller and the Rafael Micro R820T tuner, giving us a frequency range from 24 MHz up to 1766 MHz, which covers most of the Ultra High Frequency (UHF) range.

That very receiver will be used further on in an attempted technical implementation of a TEMPEST attack.

TEMPEST

Telecommunications Electronics Material Protected from Emanating Spurious Transmissions, or TEMPEST for short, is the codename of an NSA project which gathers data from information systems using emanated leaks, including radio waves, electrical signals, sounds and vibrations. The project covers both adversarial data gathering and methods of mitigating such leaks. The details and specifications of the project are described in the classified NACSIM 5000/5100A documents.

Example usage

Used gear

For the research and implementation of this attack, the following gear was used:

HackRF One

HackRF One is an SDR device which can transmit and receive radio signals in the range of 1 MHz up to 6 GHz. It was designed to enable testing and development of modern and next-generation radio technologies. It is an open source hardware platform that can be used as a USB peripheral or programmed for stand-alone operation.

RTL2832

RTL2832 is an SDR device which can transmit and receive radio signals in the range of 24 MHz up to 1766 MHz (1850 MHz with experimental drivers). Although it was designed for viewing DVB-T TV channels and listening to FM/AM radio stations, since it can be tuned to the various frequencies and channels used all over Europe, we can use it as an SDR with which we can receive and transmit radio waves using FOSS.

Disassembling the DVB-T tuner, we can confirm that it uses the Realtek RTL2832U DVB-T COFDM demodulator alongside the Rafael Micro R820T/2 tuner.

Axil AN0256L

Axil AN0256L is an active room antenna with an amplifier and a coax connector, which was used along with the RTL2832 receiver. The antenna has built-in LTE protection, so the user cannot interfere with the channels reserved for mobile broadband services (channels 61-69). The antenna's frequency range is 40 to 862 MHz, and its output impedance is 75 Ω.

HDSDR

High Definition Software Defined Radio (HDSDR) is a free Software Defined Radio program for Microsoft Windows, which is a more advanced version of Alberto di Bene’s Winrad.

The most common uses of this program are radio listening, shortwave listening (SWL), radio astronomy, NDB hunting and RF spectrum analysis.

In the context of this attack, HDSDR was used to detect frequencies of unintentional computer monitor cable emissions.

Configuring HDSDR

Since we're not interested in decoding the signal, we can use the Continuous Wave (CW) setting to watch the raw signal while changing the image on the target monitor.

The spectrum being analyzed is zoomed out as far as possible, to fit the widest range on the screen, and the sample rate was set to the maximum, in order to see the emissions change at the highest resolution.

The gain on the RTL2832 receiver was set to +16.5 dB, while the active antenna gain was set to around 50%. These values were discovered by trial and error, and may differ between devices.

A visible change in the emissions radiated by the monitor's VGA cable, caused by changing the picture displayed on the screen, can be seen in the next picture.

During the period from 9:10:17 PM to 9:10:19 PM the monitor was showing a checkerboard pattern, while the rest of the time it was showing an empty browser window.

By incrementally scanning the frequencies from 200 MHz to 800 MHz, a correlation was discovered between the change in unintentional emissions and the picture change on the monitor in the range of 332 MHz to 333 MHz, with the peaks recurring at 600 kHz intervals.

TempestSDR

The TempestSDR repository says that it:

… is a software toolkit for remotely eavesdropping video monitors using a Software Defined Radio (SDR) receiver. It exploits compromising emanations from cables carrying video signals.

Raster video is usually transmitted one line of pixels at a time, encoded as a varying current. This generates an electromagnetic wave that can be picked up by an SDR receiver. The software maps the received field strength of a pixel to a gray-scale shade in real-time. This forms a false colour estimate of the original video signal.

The toolkit uses unmodified off-the-shelf hardware which lowers the costs and increases mobility compared to existing solutions. It allows for additional post-processing which improves the signal-to-noise ratio. The attacker does not need to have prior knowledge about the target video display. All parameters such as resolution and refresh rate are estimated with the aid of the software.

Implementing the attack

Using the TempestSDR toolkit and the frequency range discovered with HDSDR, we will attempt to reconstruct the checkerboard pattern shown on the monitor from the unintentional emissions of the VGA cable connecting the GPU to the monitor.

We can see that the reconstruction in the picture above is partially missing in the upper left corner, and that the image is "travelling" from left to right.

The reason is an incorrectly set refresh rate: the receiver cannot provide a sample rate high enough at that frequency for the image to be reconstructed properly.

Since the monitor is showing a 1280x1024 picture at a refresh rate of 75 Hz with a color depth of 24 bits, we can assume that the highest quality reconstruction of the image would be possible at a frequency of 2.359 GHz (1280x1024x75x24 = 2359296000 Hz), which, sadly, is not supported by the RTL2832, which does not come near 2 GHz. The second best reconstruction was found at 332-333 MHz, which was of lower quality due to a very cheap antenna and some noise, which caused the "traveling" of the image described above.
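The line-by-line folding of the emission stream described in the TempestSDR quote above, and the drifting image that a wrong refresh rate produces, as an added toy simulation in Python (not code from the post or from TempestSDR; the 32x24 raster, the noise level and all function names are this example's own assumptions):

```python
import random
# Toy raster: 32x24 pixels, 8-pixel checkerboard squares, one sample per pixel,
# no blanking. These are this example's assumptions, not the post's 1280x1024 setup.
WIDTH, HEIGHT, SQUARE = 32, 24, 8
FRAME_LEN = WIDTH * HEIGHT  # true number of samples per frame

def checkerboard_frame():
    """Field strength of one raster frame: 1.0 on bright squares, 0.0 elsewhere."""
    return [1.0 if (x // SQUARE + y // SQUARE) % 2 == 0 else 0.0
            for y in range(HEIGHT) for x in range(WIDTH)]

def emission_stream(frames=4, noise=0.3, seed=1):
    """Constructed stand-in for the magnitudes the SDR sees: consecutive
    frames of the checkerboard, line by line, plus additive noise."""
    rng = random.Random(seed)
    frame = checkerboard_frame()
    return [s + rng.uniform(-noise, noise) for _ in range(frames) for s in frame]

def estimate_frame_period(samples, min_lag, max_lag):
    """Autocorrelation search: the lag at which the stream best matches a delayed
    copy of itself is the frame period (TempestSDR estimates the refresh rate this way)."""
    n = len(samples)
    best_lag, best_score = min_lag, float("-inf")
    for lag in range(min_lag, max_lag + 1):
        score = sum(samples[i] * samples[i + lag] for i in range(n - lag)) / (n - lag)
        if score > best_score:
            best_lag, best_score = lag, score
    return best_lag

def reconstruct(samples, frame_period, k, threshold=0.5):
    """Fold frame k of the stream into rows of WIDTH samples and threshold
    each sample to a black (0) or white (1) pixel."""
    start = k * frame_period
    return [[1 if s > threshold else 0
             for s in samples[start + y * WIDTH:start + (y + 1) * WIDTH]]
            for y in range(HEIGHT)]

def first_bright_column(samples, frame_period, k):
    """Column of the first white pixel on the top row of frame k. With the
    right period it stays at 0; with a wrong period the image shifts a bit
    further every frame, which is the "travelling" picture the post describes."""
    return reconstruct(samples, frame_period, k)[0].index(1)

if __name__ == "__main__":
    stream = emission_stream()
    period = estimate_frame_period(stream, 600, 900)
    print("estimated frame period:", period, "(true:", FRAME_LEN, ")")
    for row in reconstruct(stream, period, 0):
        print("".join("#" if p else "." for p in row))
    print("drift per frame with period - 2:",
          [first_bright_column(stream, period - 2, k) for k in range(4)])
```

Running it prints the estimated period, the recovered checkerboard as ASCII art, and the growing column offset that appears once the assumed frame period is two samples short.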

PoC || Didn’t happen
