Penetration Testing mailing list archives

Re: [PEN-TEST] Penetration Testing and Van Eck Scanning


From: David Taylor <taylord () INFOSECURE COM AU>
Date: Thu, 9 Nov 2000 14:53:20 +0800

Hi all,

This is something that I have looked into in a little detail (from a
theoretical perspective of course).

First thing is a note on anti-TEMPEST fonts.  These are created by running
a low pass frequency filter over the bitmap of each letter in the
horizontal direction.  TEMPEST/V-E devices pick up high frequency EM (like
sharp edges, or square waves) much more easily.  If you soften the hard
edges on a text character, the EM signature is greatly reduced and can't
be seen properly in TEMPEST/V-E.  Have a close look at PGP's secure fonts
- it is sometimes possible to see the softening effect.

Second thing is a note on range.  This mostly comes down to antenna design
and the quality/resolution of the V-E gear.  Newer monitors run at a
higher refresh rate and higher pixel resolution.  These would require an
antenna designed for correspondingly higher frequencies.  These higher
frequencies degrade more quickly over distance, so the range is reduced
somewhat, but since the early 80's the quality of signal filters and
low-noise amplifiers has increased also, helping the V-E user.

Final note is one on application.  As somebody mentioned, this technology
is not just appropriate to monitor emanations.  It is equally possible to
intercept RS232 serial signals or pretty much any other digital signal.
Monitors are a good choice though, as they run on very high voltage and
tend to leak lots of EM.  I have heard stories of people using TEMPEST to
listen to RS232 from keypads and card readers in ATM machines.

With regard to Johann's initial email - it would be theoretically possible
to set this up as part of a P-test (discounting the legality issues) but
it would be a very expensive and time-consuming exercise.

Regards,
Dave Taylor
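
The horizontal low-pass filtering of glyph bitmaps described in the message above, as an added illustration that is not part of the original post: it smooths each scan line of a glyph and compares the energy in the upper half of each line's spectrum before and after. The glyph bitmap, the 3-tap kernel and the energy metric are assumptions chosen for the example; the metric is a proxy for sharp-edge content, not a model of real emissions.

```python
import cmath

# Constructed 16x7 bitmap of an "H"-like glyph (1 = lit pixel); not from the post.
GLYPH = [
    "0000000000000000",
    "0001100000110000",
    "0001100000110000",
    "0001111111110000",
    "0001100000110000",
    "0001100000110000",
    "0000000000000000",
]
KERNEL = (0.25, 0.5, 0.25)  # assumed smoothing kernel; the post names no specific filter

def to_pixels(rows):
    return [[float(ch) for ch in row] for row in rows]

def lowpass_horizontal(pixels, passes=1):
    """Smooth each scan line on its own; pixels in different rows never mix."""
    a, b, c = KERNEL
    for _ in range(passes):
        pixels = [
            [a * row[max(i - 1, 0)] + b * row[i] + c * row[min(i + 1, len(row) - 1)]
             for i in range(len(row))]
            for row in pixels
        ]
    return pixels

def high_band_energy(pixels):
    """Sum of |DFT|^2 over the upper half of every scan line's spectrum."""
    total = 0.0
    for row in pixels:
        n = len(row)
        for k in range(n):
            if min(k, n - k) * 4 <= n:  # skip DC and the lower half-band
                continue
            x = sum(v * cmath.exp(-2j * cmath.pi * k * t / n) for t, v in enumerate(row))
            total += abs(x) ** 2
    return total

def report():
    sharp = to_pixels(GLYPH)
    return high_band_energy(sharp), high_band_energy(lowpass_horizontal(sharp))

if __name__ == "__main__":
    before, after = report()
    print(f"high-band energy: sharp={before:.2f} soft={after:.2f} ratio={after / before:.3f}")
    for row in lowpass_horizontal(to_pixels(GLYPH)):
        print(" ".join(f"{v:.2f}" for v in row))
```

The printed grid shows the hard 0-to-1 steps at the stem edges replaced by 0.25 and 0.75 ramps, while total glyph brightness is unchanged.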

