Author Topic: Antennas for a far field EMI side channel demonstration for a class project?


Offline 0culusTopic starter

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
So for a semester project in an infosec class I'm taking, I'm planning to do a demonstration of a TEMPEST style EMI side channel attack. The classic example is of course the old big green computer monitors that could be "heard" a mile away, but since I don't have one of those, I plan to test a selection of more modern equipment to see what I get.

I plan to get some nearfield probes too, but I'm wondering what options I have in antennas that will be properly sensitive but won't be huge or break the bank. I've been looking at PCB antennas that are sold on Amazon and other places (e.g. RFSPACE), but unsure of which ones might be best, and if I'll need a preamp or something to get a usable signal out of any of this. I have recently acquired (and got a great deal on) a working HP 8569B spectrum analyzer, which is what I plan to use for visualizing stuff. Bonus points if I can get the HP-IB interface to send plot data to a computer instead of a plotter, but that may not work out.

Thanks!
 

Online MasterT

  • Frequent Contributor
  • **
  • Posts: 785
  • Country: ca
Usually, antenna selection is determined by working frequency.
 

Offline 0culusTopic starter

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Quote from: MasterT
Usually, antenna selection is determined by working frequency.

Makes sense. So for exploratory purposes, I'd want antennas covering a range of bands?
 

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21724
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
If you're looking for video signals, you'll need something on the order of what the video bandwidth is.  Usually this is in the low MHz.  Which isn't very sensical for antennas at much of any range.  I don't remember what exactly TEMPEST is supposed to be watching; for analog television, internal signals (IF, LO, chroma..) are possibilities, two of which are high frequency, and one of which is limited bandwidth (NTSC chroma is something like 3-5MHz).  Digital monitors (CGA and EGA) would generate harmonics from internal logic/buffering and maybe from the video output drivers, but I wouldn't expect much content over 50MHz.

CRTs are your most likely candidates, following a simple raster, and with deflection signals apparent (either by gaps in the video, or by picking up the lower frequency signals themselves).  In the modern era, who knows.

Plasma panels throw off all kinds of shit, though as far as I know, they don't do a simple raster scan, so you'll need a scan converter circuit.  LCD and OLED I think are going to be scanline driven, too.  Internal signals will be nicely visible in the 100s MHz range thanks to fast clocks and serial data paths, but obtaining a useful signal from that (HDMI, or encoded or decoded MPEG, or frame buffer traffic, or..) isn't necessarily straightforward, or likely.

Anything you can find in the literature, of course, will be very useful. :)

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
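Tim's point about rasters and scan conversion, shown as an added Python example that is not from the thread or from any poster: it constructs a synthetic emission stream from a small frame (the video stage is modelled as radiating on intensity changes, so the stream is the derivative of the pixel stream plus noise), then recovers the samples-per-line period by autocorrelation, finds the horizontal sync from the column profile, and averages frames. The display geometry (40 samples per line, 12 lines, 6 blanking samples), the edge-radiation model, the capture offset and the noise level are assumptions of the example; the line count is taken as known from the video mode, as it would be for a standard monitor.

```python
import random

LINE_SAMPLES = 40   # samples per scan line at the receiver (assumed; the receiver re-derives it)
LINES = 12          # lines per frame (assumed known from the video mode)
BLANK = 6           # horizontal blanking samples at the start of every line (assumed)
FRAMES = 8          # frames captured; averaging them raises the SNR
NOISE_SIGMA = 0.05  # receiver noise (constructed)


def frame_pixels():
    """Constructed test frame: grey active area with a bright box on lines 3..8, cols 12..24."""
    rows = []
    for line in range(LINES):
        row = [0.0] * BLANK + [0.5] * (LINE_SAMPLES - BLANK)
        if 3 <= line <= 8:
            for col in range(12, 25):
                row[col] = 1.0
        rows.append(row)
    return rows


def emitted_stream(frames, rng):
    """Emission model: the video stage radiates on intensity *changes*, so the far-field
    signal is roughly the derivative of the pixel stream, plus receiver noise."""
    pixels = [p for _ in range(frames) for row in frame_pixels() for p in row]
    edges = [0.0] + [pixels[k] - pixels[k - 1] for k in range(1, len(pixels))]
    return [e + rng.gauss(0, NOISE_SIGMA) for e in edges]


def autocorr(x, lag):
    return sum(x[k] * x[k + lag] for k in range(len(x) - lag))


def detect_line_period(x, min_lag=4, max_lag=150):
    """Line period = smallest lag whose autocorrelation is close to the global peak.
    Multiples of the period correlate almost as well, so 'largest' alone is not enough."""
    r = {lag: autocorr(x, lag) for lag in range(min_lag, max_lag + 1)}
    peak = max(r.values())
    return min(lag for lag, v in r.items() if v >= 0.8 * peak)


def rows_of(x, period):
    return [x[i * period:(i + 1) * period] for i in range(len(x) // period)]


def rasterize(x, period, lines):
    """Cut the stream into lines, align on the horizontal sync, average frames."""
    prelim = rows_of(x, period)
    # The start-of-active-video edge is the one positive edge present on every line,
    # so it dominates the column-wise mean: use it as the horizontal sync.
    col_mean = [sum(row[c] for row in prelim) / len(prelim) for c in range(period)]
    sync = col_mean.index(max(col_mean))
    rows = rows_of(x[sync:], period)          # re-cut so every row starts at the sync edge
    sums = [[0.0] * period for _ in range(lines)]
    counts = [0] * lines
    for i, row in enumerate(rows):            # stacking modulo the line count = frame averaging
        slot = i % lines
        counts[slot] += 1
        for c in range(period):
            sums[slot][c] += row[c]
    return [[sums[s][c] / counts[s] for c in range(period)] for s in range(lines)]


def recover_image(capture_offset=17, seed=3):
    """Capture starts at an arbitrary point in the stream. Returns (period, averaged edge image)."""
    rng = random.Random(seed)
    x = emitted_stream(FRAMES, rng)[capture_offset:]
    period = detect_line_period(x)
    return period, rasterize(x, period, LINES)


if __name__ == "__main__":
    period, image = recover_image()
    print("samples per line:", period)
    for row in image:   # '+' brightening edge, '-' darkening edge, '.' flat
        print("".join("+" if v > 0.25 else "-" if v < -0.25 else "." for v in row))
```

What the example leaves out is what makes real captures hard: vertical (frame) sync is not recovered, so the rows come out in a rotated order, and the sample clock is assumed to be an integer multiple of the pixel clock; with a free-running capture the period is fractional and drifts, and the image shears unless the receiver tracks it.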
 

Offline hagster

  • Frequent Contributor
  • **
  • Posts: 394
I would need to know(at minimum) the lowest frequency to give good advice. There are plenty of ultrawideband antennas available but they get big with low cut off frequencies.

When you get to electrically small antennas you can choose bandwidth or efficiency but not both. For very low frequencies a small loop antenna might be a good option.

For weak signals an LNA can really be useful to get the most out of those older spectrum analysers.
 

Offline 0culusTopic starter

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Quote from: T3sl4co1l
If you're looking for video signals, you'll need something on the order of what the video bandwidth is.  Usually this is in the low MHz.  Which isn't very sensical for antennas at much of any range.  I don't remember what exactly TEMPEST is supposed to be watching; for analog television, internal signals (IF, LO, chroma..) are possibilities, two of which are high frequency, and one of which is limited bandwidth (NTSC chroma is something like 3-5MHz).  Digital monitors (CGA and EGA) would generate harmonics from internal logic/buffering and maybe from the video output drivers, but I wouldn't expect much content over 50MHz.

CRTs are your most likely candidates, following a simple raster, and with deflection signals apparent (either by gaps in the video, or by picking up the lower frequency signals themselves).  In the modern era, who knows.

Plasma panels throw off all kinds of shit, though as far as I know, they don't do a simple raster scan, so you'll need a scan converter circuit.  LCD and OLED I think are going to be scanline driven, too.  Internal signals will be nicely visible in the 100s MHz range thanks to fast clocks and serial data paths, but obtaining a useful signal from that (HDMI, or encoded or decoded MPEG, or frame buffer traffic, or..) isn't necessarily straightforward, or likely.

Anything you can find in the literature, of course, will be very useful. :)

Tim

Yeah, one of the original TEMPEST targets would have been watching CRT screens from a distance. However, there is a broad spectrum (heh) of things you can be looking for. Cryptographic side channels, for instance. One paper I read, in particular, was mounting an "at a small distance" (such as through a wall) attack on a laptop performing cryptographic operations using a vulnerable version of a common open source library by picking up EMI from the CPU and its power circuits.

I guess my intent is to provide an inch deep, mile wide overview of why this stuff matters for security. So it would be nice to be able to demonstrate demodulating something simple, but it doesn't have to be done for every target I do. I'm trying to limit scope a bit because this is, after all, a project for a class and I have research I have to be doing as well to get my MS. :)

 
Quote from: hagster
I would need to know (at minimum) the lowest frequency to give good advice. There are plenty of ultrawideband antennas available but they get big with low cut off frequencies.

When you get to electrically small antennas you can choose bandwidth or efficiency but not both. For very low frequencies a small loop antenna might be a good option.

For weak signals an LNA can really be useful to get the most out of those older spectrum analysers.

For cryptographic side channel kind of things (which is one thing I'm interested in demonstrating), frequencies around typical CPU speeds.
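The kind of cryptographic side channel 0culus describes, as an added Python simulation that is not from the thread and does not reproduce the setup of the paper he mentions: a textbook left-to-right square-and-multiply modular exponentiation emits one simulated EM burst per operation, a multiply by the base running longer than a squaring, and the recovery routine segments the trace and reads the exponent back from the operation sequence. The burst lengths, the gap, the jitter and the noise level are assumptions of the example. A square-and-multiply-always variant shows the same trace once the operation sequence no longer depends on the key.

```python
import random

SQUARE_SAMPLES = 5     # simulated EM burst length of a modular squaring (assumed)
MULTIPLY_SAMPLES = 12  # a multiply by the base runs longer (assumed)
GAP_SAMPLES = 4        # quiet samples between operations (assumed)
NOISE_SIGMA = 0.1      # trace noise (constructed)


def _burst(trace, length, rng):
    """Append one operation's emission: a high burst with +-1 sample of jitter, then a gap."""
    for _ in range(length + rng.randint(-1, 1)):
        trace.append(1.0 + rng.gauss(0, NOISE_SIGMA))
    for _ in range(GAP_SAMPLES):
        trace.append(rng.gauss(0, NOISE_SIGMA))


def leaky_modexp(base, exponent, modulus, rng):
    """Left-to-right square-and-multiply. Returns (result, simulated EM trace).
    The multiply only happens for 1 bits, so the trace spells out the exponent."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        _burst(trace, SQUARE_SAMPLES, rng)
        if bit == "1":
            result = (result * base) % modulus
            _burst(trace, MULTIPLY_SAMPLES, rng)
    return result, trace


def always_modexp(base, exponent, modulus, rng):
    """Square-and-multiply-always: the multiply runs for every bit and is discarded for
    0 bits, so the operation sequence is key-independent. This closes the SPA leak shown
    here only; reduction timing, DPA and fault attacks are separate problems."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        _burst(trace, SQUARE_SAMPLES, rng)
        candidate = (result * base) % modulus
        _burst(trace, MULTIPLY_SAMPLES, rng)
        result = candidate if bit == "1" else result
    return result, trace


def segment_bursts(trace, threshold=0.5):
    """3-sample median filter (kills isolated spikes without smearing burst edges),
    threshold, and return the length of every burst in order."""
    filtered = []
    for i in range(len(trace)):
        window = sorted(trace[max(0, i - 1):i + 2])
        filtered.append(window[len(window) // 2])
    lengths, run = [], 0
    for v in filtered:
        if v > threshold:
            run += 1
        elif run:
            lengths.append(run)
            run = 0
    if run:
        lengths.append(run)
    return lengths


def recover_exponent(trace):
    """Classify bursts as S (square) or M (multiply); S alone = 0 bit, S then M = 1 bit."""
    cut = (SQUARE_SAMPLES + MULTIPLY_SAMPLES) / 2
    ops = ["M" if n > cut else "S" for n in segment_bursts(trace)]
    bits, i = [], 0
    while i < len(ops):
        if ops[i] != "S":
            raise ValueError("every bit must start with a squaring")
        if i + 1 < len(ops) and ops[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


if __name__ == "__main__":
    secret = 0xC0FFEE1234567
    rng = random.Random(7)
    _, trace = leaky_modexp(3, secret, 1_000_003, rng)
    print(hex(recover_exponent(trace)))   # the secret, read straight off the trace
    _, trace = always_modexp(3, secret, 1_000_003, rng)
    print(hex(recover_exponent(trace)))   # all ones: the trace no longer carries the key
```

The demodulation step here is trivial on purpose (threshold and count): the point is that the information is in the timing of data-dependent operations, which is why it survives a crude receiver. On real hardware the bursts sit on a carrier (a clock harmonic or the switching frequency of the power stage) and you demodulate that first, then apply the same segmentation.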
 

Offline JoeyG

  • Regular Contributor
  • *
  • Posts: 117
  • Country: au
Log periodic TV antennas, the old big ones, can go from 60 ~ 300 MHz.
 
The following users thanked this post: 0culus

Offline hagster

  • Frequent Contributor
  • **
  • Posts: 394
So typical CPU frequencies can (and normally do) dynamically scale from hundreds of MHz to 4 or 5 GHz. I think the same is true for memory such as DDR4. And you generally have multiple cores running at different rates.
 
The following users thanked this post: 0culus

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Quote from: 0culus
So it would be nice to be able to demonstrate demodulating something simple, but it doesn't have to be done for every target I do. I'm trying to limit scope a bit because this is, after all, a project for a class and I have research I have to be doing as well to get my MS. :)

RF eavesdropping of modern, well shielded, high frequency electronics is a very, very tough task. Better demonstrate a conducted EMI attack - by monitoring PSU current or voltage variations of a small computing device like a Raspberry Pi or small laptop/tablet. Other option would be to craft "RF transmission software" on purpose so it is much easier to receive/demodulate a known transmission: https://en.wikipedia.org/wiki/Air_gap_malware. [edit] All you need to show is that a computer without any wireless adapter is able to transmit keystrokes.
« Last Edit: November 01, 2018, 10:34:14 am by ogden »
 
The following users thanked this post: 0culus
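The deliberate-transmitter approach ogden suggests, as an added Python simulation that is not from the thread: the sender keys a carrier on and off per bit (on-off keying) to spell out keystrokes behind a sync byte, and a non-coherent I/Q receiver recovers them from a noisy capture that also has a DC offset and an unknown carrier phase. The sample rate, carrier frequency, bit rate, noise level and sync byte are assumptions of the example. The physical emitter (whatever CPU, bus or GPIO activity the real malware would exercise to radiate) is abstracted to a sine wave, and both sides share one sample clock, so no clock recovery is done.

```python
import math
import random

SAMPLE_RATE = 8000   # receiver sample rate, Hz (assumed)
CARRIER_HZ = 1000    # frequency the emitter keys on and off (assumed)
BIT_RATE = 100       # bits per second: 80 samples = 10 whole carrier cycles per bit
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE
SYNC = 0xAA          # 10101010: gives the receiver known 0s and 1s to set its threshold


def bits_from_bytes(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        v = 0
        for bit in bits[i:i + 8]:
            v = (v << 1) | bit
        out.append(v)
    return bytes(out)


def transmit(keystrokes, noise_sigma=0.5, seed=1):
    """Emitter model (OOK): a 1 bit radiates the carrier for one bit period, a 0 bit radiates
    nothing. The capture carries a DC offset, Gaussian noise and a carrier phase the receiver
    does not know."""
    rng = random.Random(seed)
    phase = rng.uniform(0, 2 * math.pi)
    samples = []
    for n, bit in enumerate(bits_from_bytes(bytes([SYNC]) + keystrokes.encode())):
        for k in range(SAMPLES_PER_BIT):
            t = (n * SAMPLES_PER_BIT + k) / SAMPLE_RATE
            carrier = math.sin(2 * math.pi * CARRIER_HZ * t + phase) if bit else 0.0
            samples.append(0.3 + carrier + rng.gauss(0, noise_sigma))
    return samples


def bit_energies(samples):
    """Non-coherent detector: correlate each bit window with sin and cos of the carrier and take
    the magnitude, so the unknown phase drops out. Whole carrier cycles per window reject the DC."""
    energies = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        i_sum = q_sum = 0.0
        for k in range(SAMPLES_PER_BIT):
            w = 2 * math.pi * CARRIER_HZ * (start + k) / SAMPLE_RATE
            i_sum += samples[start + k] * math.sin(w)
            q_sum += samples[start + k] * math.cos(w)
        energies.append(math.hypot(i_sum, q_sum))
    return energies


def receive(samples):
    """Set the decision threshold from the sync byte, slice the rest into bits, return the text."""
    energies = bit_energies(samples)
    sync_bits = bits_from_bytes(bytes([SYNC]))
    ones = [e for e, b in zip(energies[:8], sync_bits) if b]
    zeros = [e for e, b in zip(energies[:8], sync_bits) if not b]
    threshold = (sum(ones) / len(ones) + sum(zeros) / len(zeros)) / 2
    frame = bytes_from_bits([1 if e > threshold else 0 for e in energies])
    if frame[:1] != bytes([SYNC]):
        raise ValueError("sync byte not recovered; threshold or timing is off")
    return frame[1:].decode("ascii", errors="replace")


if __name__ == "__main__":
    print(receive(transmit("passw0rd")))   # passw0rd
```

Two things carry over to a real build: the bit period should hold an integer number of carrier cycles so the correlator rejects DC and nearby interference, and the preamble is what lets the receiver calibrate against an unknown path loss instead of guessing a fixed threshold.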

Offline 0culusTopic starter

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Quote from: 0culus
So it would be nice to be able to demonstrate demodulating something simple, but it doesn't have to be done for every target I do. I'm trying to limit scope a bit because this is, after all, a project for a class and I have research I have to be doing as well to get my MS. :)

Quote from: ogden
RF eavesdropping of modern, well shielded, high frequency electronics is a very, very tough task. Better demonstrate a conducted EMI attack - by monitoring PSU current or voltage variations of a small computing device like a Raspberry Pi or small laptop/tablet. Other option would be to craft "RF transmission software" on purpose so it is much easier to receive/demodulate a known transmission: https://en.wikipedia.org/wiki/Air_gap_malware. [edit] All you need to show is that a computer without any wireless adapter is able to transmit keystrokes.

I do have some RPi3's so that could definitely be a good approach. I agree that modern shielded equipment will probably be too hard for this scoping.
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 7350
  • Country: 00
Ross Anderson at Cambridge (security expert and author) has written about this.
"What the large print giveth, the small print taketh away."
 
The following users thanked this post: 0culus

Offline 0culusTopic starter

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Thanks for the reminder; I'll look that up. I've read parts of his Security Engineering in the past.
 

