{"id":23225,"date":"2024-08-29T20:59:40","date_gmt":"2024-08-29T16:59:40","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/deep-tempest-side-channel-hdmi\/23225\/"},"modified":"2024-08-29T20:59:44","modified_gmt":"2024-08-29T16:59:44","slug":"deep-tempest-side-channel-hdmi","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/deep-tempest-side-channel-hdmi\/23225\/","title":{"rendered":"A scientific approach to eavesdropping via HDMI"},"content":{"rendered":"

Thanks to scientists at the University of the Republic (Uruguay), we now have a much better understanding of how to reconstruct an image from spurious radio emissions from monitors; more specifically \u2014 from signals leaked during data transmission via HDMI connectors and cables. Using state-of-the-art machine-learning algorithms, the Uruguayan researchers demonstrated<\/a> how to use such radio noise to reconstruct text displayed on an external monitor.<\/p>\n

What, no one\u2019s done it before?<\/h2>\n

\nSure, it\u2019s not the first attempt at a side-channel attack aimed at reconstructing an image from radio signal emissions. A method of intercepting radio noise from a display in a neighboring room \u2014 known as a certain TEMPEST<\/a> attack \u2014 was described in a study published in\u2026 1985! Back then, Dutch researcher Wim van Eck demonstrated that it\u2019s possible to intercept a signal from a nearby monitor. In our post about the related EM Eye attack, we talked<\/a> extensively about these historical studies, so we won\u2019t repeat ourselves here.<\/p>\n

However, van Eck\u2019s experiment has lost much of its usefulness today. It used a monitor from 40 years ago with a cathode-ray tube and analog data transmission. Also, the captured image back then was easy to analyze, with white letters on a black background and no graphics. Today, with a digital HDMI interface, it\u2019s much more difficult to intercept the image, and, more importantly, to restore data. But that\u2019s precisely what the Uruguayan team has managed to do.<\/p>\n

How does the modern-day van Eck-like interception work?<\/h2>\n

\nData is transmitted digitally to the monitor via an HDMI cable. The volume of data involved is vast. The computer transmits 60 or more frames to the monitor every second, with each frame containing millions of different-colored dots. Using a software-defined radio (SDR), we can intercept signals generated by this data stream. But can we then extract useful information from this extremely weak noise?<\/p>\n

\"Deep-TEMPEST<\/a>

Schematic of the new spying method proposed by the Uruguayan team. Source<\/a><\/p><\/div>\n

The authors called this attack Deep-TEMPEST \u2014 a nod to the use of deep-learning AI. The diagram clearly shows how noisy the intercepted data is before processing: we see a discolored shadow of the original image, in which only the location of the main elements can be guessed (a browser window with an open Wikipedia page was used for the experiment). It\u2019s just about possible to distinguish the navigation menu at the top and the image in the center of the screen, but absolutely impossible to read the text or make out the image.<\/p>\n

\"Captured<\/a>

Image captured and processed by Deep-TEMPEST. Source<\/a><\/p><\/div>\n

And here\u2019s the result after processing. The picture quality hasn\u2019t improved, so making out the image is no easier. But the text was recognized in its entirety, and even if the machine-learning algorithm tripped up on a couple of letters, it doesn\u2019t greatly affect the final result. Let\u2019s look at another example:<\/p>\n

\"Deep-TEMPEST<\/a>

Deep-TEMPEST attack result in detail. Source<\/a><\/p><\/div>\n

Above is the captured image. Some letters are distinguishable, but the text is basically unreadable. Below is the original image \u2013 a screenshot fragment. In the middle is the image after processing by the machine-learning algorithm. Some adjacent letters are hard to discern, but overall the text is quite easy to read.<\/p>\n

How did the researchers get this result?<\/h2>\n

\nThe Uruguayan team\u2019s main achievement is that they developed their own method of data analysis. This was partly due to enhanced neural network training, which allowed text recognition from a rough image. To do this, the team needed pairs that consisted of an original screenshot and the corresponding SDR-captured image. Building a dataset big enough for training (several thousands of pairs) is a difficult, time-consuming task. So the researchers took a slightly different path: about half of the dataset they obtained by displaying an image on the screen and intercepting the signal; the other half they simply generated using a self-written algorithm that gives a reliable picture of the captured information based on the relevant screenshot. This proved sufficient to train the machine-learning algorithm.<\/p>\n

The team\u2019s second stroke of genius was the use of a neural network that delivered high-quality results without much expense. The test bed was created from relatively affordable radio-data interception tools; open-source software was used. As we said, HDMI carries vast amounts of data to the connected monitor. To analyze spurious radio emissions during such transmission, it\u2019s important to intercept a large spectrum of radio frequencies \u2014 the bigger the band, the better the result. Ideally, what\u2019s needed is a high-end SDR receiver capable of capturing a frequency band of up to 3200 megahertz \u2014 a piece of kit that costs about US$25\u00a0000. In this case, however, the researchers got by with a USRP 200-mini receiver (US$1500) \u2014 capable of analyzing a much narrower frequency band of up to 56 megahertz. But thanks to the enhanced neural network trained to recognize such partial information, they could compensate for the lack of raw data.<\/p>\n

<\/p>

\"Deep-TEMPEST<\/a>

Deep-TEMPEST attack test bed. On the left is the target computer connected to a monitor. Key: (1) antenna, (2) radio signal filters and amplifier, (3) SDR receiver, (4) laptop for intercepting radio emissions and analyzing the data. Source<\/a><\/p><\/div>
\nOpen-source software and libraries were used to process the data. Code, screenshots and other resources have been made available on GitHub<\/a>, so anyone who wishes to can reproduce the results.\n

Limited scope of application<\/h2>\n

\nIn the 1999 novel Cryptonomicon<\/a> by Neal Stephenson, one of the characters, upon discovering that he\u2019s being monitored by \u201cvan Eck phreaking\u201d, starts making things difficult for those spying in him by changing the color of letters and replacing the monochrome text background with a video clip. Generally speaking, the countermeasures against TEMPEST-type attacks described by Stephenson a quarter century ago are still effective. You can add noise to an image such that the user won\u2019t even notice \u2014 and interception is impossible.<\/p>\n

Naturally, the question arises: is the juice worth the squeeze? Is it really necessary to defend against such highly specialized attacks? Of course, in the vast majority of practical cases, there\u2019s nothing to fear from this attack \u2013 much better to focus on guarding against real threats posed by malware<\/a>. But if you work with super-valuable data that super-professionals are after, then it might be worth considering such attacks as part of your threat model.<\/p>\n

Also, don\u2019t disregard this study out of hand just because it describes interception from an external monitor. Okay, you might use a laptop, but the image is sent to the built-in display using roughly the same principles \u2014 only the transmission interface may be slightly different, while the radiation level will be slightly lower. But this can be addressed by refining the algorithms and upgrading the test equipment. So hats off to the Uruguayan researchers \u2014 for showing us once again just how complex the real world is beyond \u201csoftware\u201d and \u201coperating systems\u201d.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

A paper from Uruguayan scientists lays out a highly technical and impractical method of spying on computer monitors. <\/p>\n","protected":false},"author":665,"featured_media":23227,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2780,2781,700,2663,2782],"class_list":{"0":"post-23225","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-cyber-espionage","11":"tag-monitor","12":"tag-research","13":"tag-side-channel","14":"tag-side-channel-attack"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/deep-tempest-side-channel-hdmi\/23225\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/deep-tempest-side-channel-hdmi\/27930\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/deep-tempest-side-channel-hdmi\/28106\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/deep-tempest-side-channel-hdmi\/38153\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/deep-tempest-side-channel-hdmi\/52058\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/deep-tempest-side-channel-hdmi\/28242\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/deep-tempest-side-channel-hdmi\/34040\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/deep-tempest-side-channel-hdmi\/33702\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/side-channel\/","name":"side-channel"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23225"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23225\/revisions"}],"predecessor-version":[{"id":23226,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23225\/revisions\/23226"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23227"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}