Espionage by CRT mirroring

Question

Quite a few decades ago (either late 70's or early 80's), I vaguely remember seeing on TV a demonstration of, what would now be called, mirroring of a CRT screen, that was over 30 meters away, without the use of any cables, fibre optics, wires or what have you - this was "through the air" (as described at the time). Hence, the output of the computer that was connected to the CRT could be seen, even though the "hacker" was not at the actual computer's console.

The TV article raised fears about spying, Soviet espionage, etc. - as was usual in those days.

Irrespective of the geo-politics behind the potential for espionage (involving the misuse of this technology 40 years ago), how was this mirroring actually achieved back in the day¹?

I haven't been able to find a recording of the clip yet, but I will update this question when I do.

Addendum

Thanks to Michael's comment, the video in question is this: TEMPEST - Protection from Computer Eavesdropping ~ BBC Tomorrow's World... which sort of has the answer in the video title!

---

¹ Please note that I have no desire to reproduce this effect today, using either CRTs or with flat screen technology. At the risk of repeating myself - I merely wish to know how it was achieved back then.

Answer 1

After searching a bit more thanks to Eugene's comment, I found this, where it states it can be done from hundred meters, even without very expensive equipment.

See Wim van Eck's legacy.

Fragment:

Oscillating electric currents within your monitor produce radio frequency electromagnetic radiation (EMR) that correlate to what the monitor displays. In cooperation with the BBC in February 1985, van Eck was able to confirm through experimental proof of concept that this form of electronic eavesdropping is possible from distances of up to several hundred meters.

While such danger to information security was already known at the time of van Eck's paper, it was generally believed that such eavesdropping was prohibitively difficult for amateurs — meaning, for the most part, non-military personnel — and would require extremely expensive, specialized, restricted equipment. Wim van Eck's research showed that it can be accomplished with nothing that isn't readily available on the open market — that, in fact, "In the case of eavesdropping on a video display unit, this can be a normal TV broadcast receiver."

Answer 2

You could start reading here for a reasonable coverage of the problem.

I worked on an early color CRT (Data General CRT terminal) that included Tempest rating. There we encoded the signals to the guns (grids) from the motherboard to the neck of the tube, decoding them right on the CRT neck. The tube was encased in extensive shielding.

Update: While some make fun of this potential compromise in the comments, there were serious implications. You don't need to RX/decode a whole screen. The biggest problem was with logon screens. Well documented and easily discerned. you only need decode user names and potentially password. I do remember that we altered our logon screens to never echo the password in any way. Many, particularly Unix based systems of the time used to flash the character you typed and then backspace and overwrite it with an Asterisk. Very poor security.

Answer 3

The pixel signal current ( image raster display) can be radiated easily in CRT type displays in uV /m field strength and is tested by EMI “Tempest Level screening” criteria much lower than FCC Class B.

I briefly observed such testing hidden by security drop sheets when I was doing similar tests to magnetic HDD’s on interface cables at a Burroughs test faculty in Paoli, PA, USA in the early 80’s.

Answer 4

It would appear to still be possible with modern(er) monitors.

These folks give intructions for getting the software from the first link to run under Windows.

They mention capturing video from a monitor with DVI, and another with HDMI. Not sure if they are capturing signals from the monitor or from the cable.

The priciple is the same as way back when, it's just easier and cheaper using an SDR dongle and some software.

Back in the day, you had to feed the captured signal to a modified monitor similar to the one you were spying on.

These days, the software makes images on the fly and displays them on your monitor.

This appears to be a recording of the software in action.

---

Tempest was FUN.

Way back in the stone ages, I was in the US Air Force - draftsman in civil engineering.

The stuff we worked on was all classified - our office was literally a safe with thick steel door with a dial combination lock.

When the Major heading our section needed to present status charts at a briefing, I would be tasked with making the overhead projector slides on the computer.

Since the information was rated "secret," it could only be done on a tempest rated computer and the slides printed on a tempest rated printer.

We had one of each, but no software that could both a) run on the computer and b) talk to the printer.

I ended up writing a program to make the slides on the computer, then got out the printer manual and figured out how to directly drive it. My program rasterized the slide from the screen and sent the individual commands to fire the pins on the dot matrix printer - and shift the ink ribbon up and down to make the different colors.

The base photography section had good software and printers. But, their computers and printers weren't tempest rated, their offices weren't secure enough, and they didn't have the security clearance needed to see the stuff on the slides. So, I got to make a stack of ugly slides for every briefing.

And, being the lowest ranked guy in the office, I got stuck flipping slides during the briefings, too. Rear projection. To this day, I can read mirrored text almost as fast as I can read normal text.

Answer 5

As others have mentioned, this generally refers to (an instance of) van Eck phreaking, i.e. eavesdropping on electromagnetic radiation. In the case of CRTs, the radiation being eavesdropped on is emitted by the high-voltage, high-frequency circuitry which drives the electron gun; from that signal, all you need to do is re-inject synchronisation pulses to be able to reconstruct the display. This works best with simple images, such as low-resolution TV screens, text displays, or (as others have mentioned) login screens — and any login screen which displays any information at all about the password (including asterisks etc.) is vulnerable since timing is often sufficient to reconstruct a password. If you can “lock on” to one simple screen, you might be able to keep on watching even when the image becomes not so simple.

The advent of SDR has made this much more approachable, and there have been a number of successful experiments on a variety of targets; see rtl-sdr.com for some examples. Anything which leaks electromagnetic radiation at a specific frequency can conceivably be eavesdopped; this includes for example DVI cables with poor shielding, so LCD displays can in some cases be vulnerable even though you’d expect the screens themselves not to suffer from the same issues as CRTs in this respect. CPUs themselves generate electromagnetic radiation which can in some cases be listened to and used to reconstruct data such as AES keys. (If you control the CPU itself, you can use this to exfiltrate data.)

Radiation in the visible spectrum can also be used — if variations in luminosity can be detected, even indirectly, that can be enough to reconstruct an image. See this answer on Retrocomputing for details.

It’s also worth reading up on TEMPEST, which is intended to help build systems which are resistant to this type of attack.

Answer 6

I actually demonstrated this back in the day, a relatively broadband receiver, a decent yagi and I used the fact that the telly (and often vcrs) back then had a field rate synchronized to the mains to make field sync a non issue (Well once I had figured out that I was on a different phase to the transmitter....).

IIRC my set was operating somewhere above the 70cms band, with about 4MHz of bandwidth and a crude log amp doing the demodulation.

The term was Tempest back then after the military screening development project.

RF side channels are STILL a popular game, used for everything from attacking smart cards (Arguably a power side channel attack, but whatever) to going after crypto keys on laptops (The emissions tell you about the processor C state transitions which can be turned into a timing attack), to the really fun one, going after wireless keyboards by timing the bursts of RF to tell when people kit keys (Turns out this can be used to decode what keys are being hit).

SDRs with wideband demodulators are a hoot for this stuff.

Answer 7

In addition to radiofrequency eavesdropping, it is possible to spy on a CRT by watching the optical brightness at a high sampling rate. See this paper: Optical Time-Domain Eavesdropping Risks of CRT Displays

This works for CRTs because as the electron gun scans the screen, only a small point is very bright (and the rest of the screen is fading away quickly). Capturing the average brightness of the entire screen is similar to capturing just the brightness of the spot pointed at by the electron gun.

For modern displays like LCDs, the entire picture is lit all the time, so this technique won't work because you would only get the average brightness of the entire screen.

Answer 8

Regarding the first part of the OP question, a BW analog monitor signaling is essentially a demodulated broadcast signal, so it should be possible to extract it from parasitic CRT emissions with some effort, and re-condition it with some fidelity, especially if it was an early no-gray-scale binary monitor.

However, from "geo-political and espionage" angle of this question, this is an outbreak of Cold-War era paranoia. Yes, there was a broader idea that, by observing electromagnetic unintentional emission from computer equipment from a distance, it would be possible to reconstruct the essence of transmitted information.

From technical point, we all know that one has to work very hard to get proper direct connection to data transmission lines, get low-noise probes, insanely priced protocol analyzers, and even after all that you can't really understand what's going on. It takes many directed simplified experiments and test patterns to differentiate any essential byte patterns from scrambling/packet wrapping etc. Even after that the data are usually formatted in proprietary structures. Again, it is extremely difficult even with direct attachment, at volt-level signals and nearly eliminated noise, while remotely one can get the signal at microvolt-level only.

From physics and mathematical perspective, the radiated emission is a linear superposition of weak remainders of wave patterns emitted from many location of electronic equipment. Essentially the remotely-sensed signal is a convolution of many-many function into a single function. To decompose the signal and restore the original data content one has to have the same amount of "orthogonal" or linearly independent receivers. Say, if you have a 64-bit memory bus emitting hard, you need somehow to collect the EM field from 64 angles/directions/polarizations whatever. Even then all signals will have nearly the same shape, which would result in ill-conditioned matrices, and solutions will be devastated by any instrumental noise (which ratio will be bad given the micro-volt level of signals). That's why I think that people who pushed this agenda were ignorant and dishonest, who were using the situation to milk military budgets.

Even if someone can get a full accurate trace of all memory traffic, it is impossible to make much sense of it, even if you have a full checked build and debug tables for the entire operating system.

In short, this seems to be a delirium form Cold War Era and utter nonsense. That's why there were no positive results for 40 years. Today much easier way is to put an app into a Samsung TV or any smartphone and record/transmit all voice over WiFi or always-on cellular network.