Exploiting quasiperiodic electromagnetic radiation using software-defined radio

O'Connell, Christian David 

Electronic devices emanate unintentional electromagnetic radiation from which an attacker can extract sensitive information. In video display units these are quasiperiodic: nearly periodic in the short term. Video-eavesdropping attacks on these, a main motivation for the use of TEMPEST shielded equipment in security-critical applications, have evolved little since first publicly demonstrated by van Eck in 1985. I investigate digital signal processing techniques that exploit the quasiperiodic nature of digital video signals, with TMDS-encoded data on HDMI/DVI cables as the main example.

After first discussing the practicalities of intercepting compromising emanations in the UHF frequency band, using a software-defined radio platform to perform IQ downconversion, I outline the process of carrying out a video-eavesdropping attack and methods for rasterising the intercepted data.

Using a database of video modes, such as VESA and CEA standards, I identify viable eavesdropping targets by fitting likely harmonics of emanating clock signals to a model. Video signals contain blanking intervals that create characteristic periodicities; cepstral features can be used to eliminate false positives, and provide improved performance over autocorrelation as a method of recovering synchronisation frequencies.

The signal-to-noise ratio of intercepted emanations is often very poor. Coherent periodic averaging in the complex domain can suppress noise and uncorrelated background sources. I design a phase-locked loop to perform clock recovery and synchronisation of the video signal, negating the effects of temperature drift in the local oscillators. This permits averaging arbitrary-length recordings, increasing the range at which an attack can be performed. I discuss the implications this may have on existing protection standards.

Finally, I present a method to recover bandwidths higher than the SDR front-end hardware is nominally capable of. I use the cross-correlation between multiple overlapping lower-bandwidth recordings to correct their time and phase offsets, and a zero-phase Linkwitz-Riley filter pair to combine them. The resulting higher-bandwidth recordings improve raster clarity and enable the use of a hidden Markov model to recover colour information.

Kuhn, Markus
Digital Signal Processing, TEMPEST, Side-channel attack
Doctor of Philosophy (PhD)
Awarding Institution
University of Cambridge