Tempest Threat (HDMI Example)
Intro
In this blog post I will go into more detail about the work I did on this project.
The Tempest threat mostly concerns highly strategic companies and the military. It comes from a simple fact.
When you send electricity through metal, it induces an electromagnetic field. The characteristics of the wave in this field depend on the signal going through the cable or component.
This kind of attack is well known to governments, and countermeasures are already applied for the military and critical infrastructure. It can achieve incredible things such as encryption key recovery. Even if this isn’t a real threat (you need physical access to the CPU), it’s still impressive.
The attack
I will explain the general process using the example of HDMI Tempest.
If we reproduced this old attack, which governments have been performing for decades, it’s because today it has become very cheap, accessible, and easy to use. Let me introduce the RTL-SDR.
It fits in a pocket, is compatible with most SDR software on the market, and the latest version costs only 60€.
With this kind of device you can already try to perform a demo of the attack, and with just a 200-300€ device you may be able to read the content of someone’s screen.
The video is in French, but don’t worry: it is only there so you can check the result of our experiment. I will detail the process.
The setup
As you can see in the video, the equipment is very basic.
- A computer good enough to play LoL (it works on a shitty ThinkPad)
- A 200€ SDR
- A directional antenna for better results (~50€)
If it’s just for a demo you can use a basic radio antenna, but we needed it to work from more than 10 m.
How?
Here we read the parasitic emissions from the HDMI cable and reconstruct a black-and-white image.
There are 3 digital signals going through the cable on the same clock. Each of these signals emits a parasitic wave out of the cable. The 3 emissions are mixed together because they share the same base frequency, so from the strength of the signal we get the mean of the 3 colors, which we render as grey.
I won’t go into the details of how the SDR translates the analog signal into grey-level pixels because I don’t fully understand the process.
Now that we have the “lines” of the frame, we need to get the screen.
The start of the image is shown by the red bar and the padding by the green ones.
This is the role of our software: it needs to find the start of the image, helped by the user specifying the resolution of the target screen.
The software may then be able to identify the small part that completes the image but is invisible on the screen: the padding of the video encoding. This does not happen every time, so the final tool takes a potential image and the next one, and if there is too much variation between them, it is probably not the right start of the screen, so it tries something else.
The different parameters
Target
For the target we need to find its resolution and refresh rate. These influence the base frequency of the parasitic signal. Once you are used to it, you can identify a screen even with the wrong parameters, so you can deduce the screen resolution quickly.
Attacker
The quality of the attack is influenced by the quality of your equipment.
SDR: Sample rate
The Sample rate of the SDR will tell you how much of the screen you will be able to get like you will get
You can start to get good results with 1 pixel out of 8, which for a 1080p 60 Hz screen means a 15 MHz sample rate.
For a cheap demo with an RTL-SDR, set your victim’s screen to 480p 30 Hz and you will be able to get 20% of the pixels.
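The arithmetic behind the two figures above, as an added example (not code from the original post or its tool), usable to check which display modes in an inventory reach the 1-in-8 level for a given receiver bandwidth. It assumes one sample per captured pixel and ignores blanking; the names `DisplayMode`, `coverage`, `required_sample_rate` and `exposure_report`, the 640x480 reading of 480p, the 2160p mode and the 20 MS/s receiver are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DisplayMode:
    name: str
    width: int         # active pixels per line
    height: int        # active lines per frame
    refresh_hz: float  # frames per second

    def pixel_rate(self) -> float:
        """Active pixels drawn per second (blanking intervals ignored)."""
        return self.width * self.height * self.refresh_hz


def coverage(mode: DisplayMode, sample_rate_hz: float) -> float:
    """Fraction of pixels that get their own sample, capped at 1.0."""
    if sample_rate_hz <= 0:
        raise ValueError("sample rate must be positive")
    return min(1.0, sample_rate_hz / mode.pixel_rate())


def required_sample_rate(mode: DisplayMode, fraction: float) -> float:
    """Sample rate (Hz) needed to capture `fraction` of the pixels."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    return mode.pixel_rate() * fraction


def exposure_report(modes, receiver_hz, threshold=1 / 8):
    """Per mode: (coverage, True if it reaches the 1-in-8 'good result' level)."""
    report = {}
    for mode in modes:
        frac = coverage(mode, receiver_hz)
        report[mode.name] = (frac, frac >= threshold)
    return report


# Constructed inventory; 640x480 for "480p" and the 2160p entry are assumptions.
FHD60 = DisplayMode("1080p60", 1920, 1080, 60)
VGA30 = DisplayMode("480p30", 640, 480, 30)
UHD60 = DisplayMode("2160p60", 3840, 2160, 60)

if __name__ == "__main__":
    print(f"1080p60 at 1/8: {required_sample_rate(FHD60, 1 / 8) / 1e6:.2f} MS/s")
    print(f"480p30 at 20%:  {required_sample_rate(VGA30, 0.20) / 1e6:.2f} MS/s")
    # 20 MS/s is a constructed receiver figure, not a device from the post.
    for name, (frac, good) in exposure_report([FHD60, VGA30, UHD60], 20e6).items():
        print(f"{name}: {frac:.1%} of pixels, reaches 1-in-8 level: {good}")
```

Under these assumptions the 1080p 60 Hz case comes out at about 15.6 MS/s, in line with the 15 MHz quoted above, and higher resolutions or refresh rates raise the bandwidth a receiver needs for the same coverage.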
Antenna: Gain / Noise
For the antenna, the goal is to get the best possible signal without too much noise, which would prevent you from getting a clear signal.
So it’s better to have a well-manufactured directional antenna.
Computer: Speeeeed
If your computer is too slow you won’t be able to perform the screen synchronisation process at high sample rates.
Is it a serious threat?
If you are not a government or do not possess information that may interest a government, NO.
This attack is very hard to perform and needs good preparation. Your only risk is if someone really targets you, and you are already protected well enough that a solution costing preparation, money, and the time of skilled people is better than just breaking down your door.