Worried that your boss is reading your email? Can't sleep at night knowing your medical records are flying around the global Internet? Well, add one more worry to the list: PC eavesdropping.
Two U.K. scientists recently wrote that a clever amateur armed with $100 in electronics can detect every word on a targeted PC monitor by "listening in" on leaked radiation.
They should know. The Cambridge University dons developed the technique while working on a way for Microsoft to covertly monitor illegal software usage.
The military has long known that monitors, cables, and disk drives all leak "compromising emanations" or "Tempest" radiation, so called after a classified U.S. research program. Using that radiation, military spies can reconstruct the data entered in a computer.
What they never expected is that someone might do the same thing with a shortwave radio, a cassette recorder, and a bit of software implanted via a virus or Trojan horse. With this meager offering in hand, the Cambridge scientists found they could modulate and record computer emissions, then play them back on their own computers (with some help digitizing and interpreting the information) to replicate everything typed on a target's screen.
For the most part, corporations and individuals haven't worried much about sensitive data being plucked out of the radio garbage spewed by their computers. First of all, Tempest monitoring equipment pretty much only gets into the hands of spies, since it's classified and expensive. Secondly, the only way to protect computers has been to install extremely costly metallic shielding. With the possibility of eavesdropping so remote and countermeasures so expensive, only military and diplomatic missions bothered to buy Tempest-certified equipment.
"Army signals officers, defense contractors, and spooks have been visibly flabbergasted to hear our ideas or see our demo," co-author Ross J. Anderson recently wrote to an email list.
So should everyone start wrapping their computers in aluminum foil? Hardly, say the authors. Their research also unearthed several simple, comparatively inexpensive software solutions to guard against snoops. Some typing can be made invisible to even professional electronic eavesdroppers by filtering out a portion of the spectrum displayed. Another technique they developed, called "Tempest fonts," disguises the real text on your screen, showing snoops a different picture entirely.
Still, it seems that computer users have less to fear from hackers than from possibly "legitimate" users of the research, like software companies. The researchers suggest that Microsoft's Word could embed and broadcast a serial number in a computer's stray radiation. Specially equipped vans could then rove from business to business detecting how many copies of an application are running compared to the number licensed, the same way the U.K. enforces its mandatory TV license. Microsoft has already reportedly rejected the idea, but that doesn't mean there won't be other takers from both sides of the legal fence.
"There are many opportunities for camouflage, deception, and misconduct," Anderson wrote. "For example, you could write a Tempest virus to 'snarf' your enemy's PGP [Pretty Good Privacy] private key and radiate it without his knowledge by manipulating the dither patterns in his screen saver."
Of course, the whole study has privacy and security experts on alert. Who wants software makers to broadcast information from your PC? Encryption, digital signatures, and other security measures could lose their relevance in the face of amateur snoopers. What's the use of encoding something to cross the Net if someone steals it off your screen first? As computers proliferate in our lives, could manufacturers or thieves implant software snoops that broadcast information to them from home entertainment or security systems? Right now, there are more questions than answers.
Whatever happens, PC eavesdropping is on its way to becoming the next tempest in personal electronic privacy.
Margie Wylie writes about the good, bad, and ugly of the Information Age on Wednesdays in Perspectives.